1

This is my situation:

I have a .net, (example.net) domain.

The domain is set up (on my registrar's platform) to point to my hosting provider's DNS (via a custom DNS setup).

The hosting provider offers a DNS Zone editor.

What I need to do is point a subdomain (lan.example.net) to my local server, which is currently running bind9.

How exactly should I delegate only that subdomain to my local server and set up bind9 so the subdomain can be used by the intranet where the bind9 server is located (so lan.example.net can be accessed by the intranet's PCs without a connection to the internet; those PCs will be resolving against the local bind9 server)?

  • Do I need to set up an A record in the hosting provider's DNS zone editor pointing to my WAN IP?

  • Do I need to open port 53 on my local bind9 server so the hosting provider can communicate with my local DNS?

I'd also need to create more subdomains (managed by my local bind9), like this:

site1.lan.example.net
site2.lan.example.net

Since lan.example.net is already delegated to the local DNS, I should be able to add more subdomains for internal use.

Any help would be appreciated. Thanks.

John Smith
  • 113
  • 4
  • A dot in a DNS name does not necessarily imply delegation. Delegation is useful to well... delegate control of part of the tree to another entity for administrative or technical reasons. But otherwise, even in the zonefile of `example.com` zone, you can totally have the name, for any record, of `foo.bar.whatever.example.com` without any delegation needed (`NS` records). – Patrick Mevzek Jun 09 '22 at 03:12

1 Answer

1

You don't need to delegate from the public-facing DNS to the internal one. You may only delegate if you want to use DNSSEC in the internal zones, which may not be the case.

Also, delegating from the external DNS, with the NS and A (glue) records, will expose that you have an internal DNS running at a given IP address, and again, this may not be what you want. If this is what you want, you'll also need to open ports 53/tcp and 53/udp on your local firewall to allow zone transfers: AXFR and IXFR.

For BIND9 you can do something like this, to create additional internal subzones:

; Apex records (added so the fragment is a complete zone that named-checkzone accepts;
; the rest of the example.net zone goes here)
$TTL 3600
example.net.            IN      SOA     ns.example.net. hostmaster.example.net. (
                                        2022060901 3600 900 1209600 300 )
example.net.            IN      NS      ns.example.net.

; Nameserver records
ns.example.net.         IN      A       192.168.0.10
ns1.example.net.        IN      A       192.168.0.3
ns2.example.net.        IN      A       192.168.0.4

; Delegated internal zones (only NS records belong at a zone cut; any other
; record at or below the cut is occluded and never served by this zone)
local.example.net.      IN      NS      ns.example.net.
mgmt.example.net.       IN      NS      ns.example.net.

; Delegated external zones
subzone.example.net.    IN      NS      ns.example.net.
whatever.example.net.   IN      NS      ns.example.net.

; Delegated external zone with its own nameservers (and glue records, needed
; because the NS names live inside the delegated zone itself)
fnord.example.net.      IN      NS      ns1.fnord.example.net.
fnord.example.net.      IN      NS      ns2.fnord.example.net.
ns1.fnord.example.net.  IN      A       198.51.100.1
ns2.fnord.example.net.  IN      A       198.51.100.2

The original configuration was in another question similar to this one, which can be found here: Can one server do DNS for a domain and a subdomain?

Finally, you may also take a look at BIND9 views to avoid exposing your internal network to public-facing DNS servers. Without this you'll leak your internal IPs and networks. You basically need to create an ACL on BIND9 with your internal clients:

acl internal {
   192.168.0.0/24;
   localhost;
};

// Hosts allowed to pull zone transfers; the addresses are ns1/ns2 from the
// zone above and are an assumption here, replace them with your real
// secondaries (or use { none; } if there are none).
acl nameservers {
   192.168.0.3;
   192.168.0.4;
};

// Once any view is declared, every zone (including the root hints) must live
// inside some view; this one answers only clients matched by the "internal" ACL.
view "internalview" {
  match-clients { internal; };
  zone "lan.example.net" IN {
    type master;
    file "zones/lan.example.net";
    allow-transfer { nameservers; };
  };
};
Vinícius Ferrão
  • 5,520
  • 11
  • 55
  • 95
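The answer's parent-zone fragment relies on two rules that are easy to get wrong by hand: an NS target that lives inside the delegated subtree needs a glue A/AAAA record in the parent, and anything other than NS (or DS) at or below a zone cut is occluded, so the parent silently stops serving it. The following checker is an added example, not code from the answer or from BIND; it parses the flat one-record-per-line format used above (fully qualified owner names, `IN` class, `$`-directives ignored) and reports both conditions. The sample zone is constructed for the example and deliberately contains a missing glue record and an occluded `www.local.example.net.` record.

```python
"""Static delegation checks for a parent zone file (added example)."""

# Constructed sample: the answer's layout plus an apex, with two deliberate
# mistakes: ns2.fnord has no glue and www.local sits below a zone cut.
SAMPLE_ZONE = """\
$TTL 3600
example.net.            IN  SOA  ns.example.net. hostmaster.example.net. 1 3600 900 1209600 300
example.net.            IN  NS   ns.example.net.
ns.example.net.         IN  A    192.168.0.10
local.example.net.      IN  NS   ns.example.net.        ; internal delegation, no glue needed
fnord.example.net.      IN  NS   ns1.fnord.example.net. ; in-bailiwick NS: glue required
fnord.example.net.      IN  NS   ns2.fnord.example.net.
ns1.fnord.example.net.  IN  A    198.51.100.1
broken.example.net.     IN  NS   ns1.broken.example.net.
www.local.example.net.  IN  A    192.168.0.20           ; occluded by the local. cut
"""


def fqdn(name):
    """Lower-case a name and make sure it ends with the root dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def under(name, cut):
    """True if name is the cut itself or anywhere below it."""
    return name == cut or name.endswith("." + cut)


def parse_zone(text):
    """Return [(owner, rtype, rdata)] from 'owner IN type rdata' lines."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # strip comments
        if not line or line.startswith("$"):       # blank or $TTL/$ORIGIN
            continue
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {raw!r}")
        owner, _cls, rtype, rdata = parts
        records.append((fqdn(owner), rtype.upper(), rdata.strip()))
    return records


def check_delegations(text):
    """Return {'missing_glue': [(cut, ns)], 'occluded': [(owner, rtype)]}."""
    records = parse_zone(text)
    apex = next(o for o, t, _ in records if t == "SOA")
    # Zone cuts: owners of NS records other than the apex. Longest first so a
    # lookup below picks the closest enclosing cut for nested delegations.
    cuts = sorted({o for o, t, _ in records if t == "NS" and o != apex},
                  key=len, reverse=True)
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}

    glue_names, missing_glue = set(), []
    for cut in cuts:
        for owner, rtype, rdata in records:
            if owner == cut and rtype == "NS":
                target = fqdn(rdata)
                if under(target, cut):             # in-bailiwick nameserver
                    glue_names.add(target)
                    if target not in have_addr:
                        missing_glue.append((cut, target))

    occluded = []
    for owner, rtype, _ in records:
        cut = next((c for c in cuts if under(owner, c)), None)
        if cut is None:
            continue                               # above every cut: served normally
        if owner == cut and rtype in ("NS", "DS"):
            continue                               # the delegation itself
        if rtype in ("A", "AAAA") and owner in glue_names:
            continue                               # glue is allowed below a cut
        occluded.append((owner, rtype))

    return {"missing_glue": sorted(missing_glue), "occluded": sorted(occluded)}


if __name__ == "__main__":
    report = check_delegations(SAMPLE_ZONE)
    for cut, ns in report["missing_glue"]:
        print(f"missing glue: {ns} (delegation {cut})")
    for owner, rtype in report["occluded"]:
        print(f"occluded:     {owner} {rtype}")
```

The same two conditions can be confirmed against a running server with `dig +norecurse @<parent-ns> lan.example.net. NS` (the parent must answer with a referral, not with data from below the cut), and a zone file that passes `named-checkzone example.net zonefile` can still contain occluded records, which is why a check like this one is worth running before the public zone is published.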