
I am setting up a DMZ disconnected from our corporate LAN. I've moved DNS services for the DMZ hosts into the DMZ with a stripped down set of zone info containing only what the DMZ hosts need to know. Some connections need to come back into the LAN from the DMZ. I know it's not ideal but it's still an improvement over how the infrastructure is now (basically, people are running services off their desktops).

Anyways, I need to connect to an LDAP server on the LAN, from the DMZ, over port 636. I have the connections working with the IP address, however the LDAP server is at another branch office, over a VPN, and the admin uses round-robin DNS so the IP isn't consistent every time.

Currently, there are 6 IP addresses associated with the LDAP service (ldap.office.org). I could just add those 6 IP addresses to the /etc/hosts file on each DMZ host, but I would rather have them in DNS. However, they are not under the same domain for which my DNS is authoritative (hosts in the DMZ are in the "foo.dmz" domain, whereas LDAP is "ldap.office.org").

How can I get my BIND server to serve the 6 IPs for ldap.office.org instead of forwarding the DNS request off to the internet root servers?

Server Fault
    This is one server with 6 ip addresses? If so, why does it matter which ip address you connect to? – joeqwerty Oct 29 '14 at 15:05
  • The LDAP service is a set of VMs on a hypervisor behind two load balancers (from what I understand). DNS rotates the IP addresses between two (maybe more) hypervisors every other day to ensure failover is working. What I guess is going on is they replicate the VM cloud every day to the "offline" hypervisor (also on a separate SAN) and then bring it online the next morning. The DNS entries change to reflect the new set of LDAP hosts, so DNS is needed to determine which set of balancers to use. I'll have to swap out zone files every day on the DNS server, but it shouldn't be too bad. – Server Fault Oct 29 '14 at 15:15

1 Answer


That sounds fairly straightforward. Create a zone on your bind server for ldap.office.org and add the 6 IPs as @ records.

If you can get the cooperation of the other admin, they could create an ldap.office.org zone and allow you to zone-transfer from their authoritative server (so that you don't have to keep your copy of the zone manually synchronized).

Evan Anderson
  • Thanks, that's what I needed. For anyone wondering, I put the 6 hosts/ips in a zone file named /var/cache/bind/internal.office.org and added config lines in /etc/bind/named.conf.local to tell bind where to find the zone file. – Server Fault Oct 29 '14 at 15:16
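The setup the answer describes, as an added example that is not from the answer or the asker: a small POSIX shell script that emits the named.conf.local stanza for a locally authoritative ldap.office.org zone and regenerates the zone file (six A records at the apex, short TTL, date-based serial) so the daily swap the asker mentions is a one-command job. Debian-style paths, the foo.dmz nameserver name and the 192.0.2.x addresses are assumptions; the real IPs come from the other office.

```shell
#!/bin/sh
# Added example: maintain a local copy of ldap.office.org on the DMZ BIND server.
# Assumed paths (Debian layout): /etc/bind/named.conf.local, /var/cache/bind/.
ZONE=ldap.office.org
ZONEFILE=${ZONEFILE:-/var/cache/bind/db.ldap.office.org}

# Stanza for /etc/bind/named.conf.local: a primary ("master") zone answered
# locally, so lookups for ldap.office.org never leave the DMZ resolver.
named_conf_stanza() {
  cat <<EOF
zone "$ZONE" {
    type master;
    file "$ZONEFILE";
    allow-query { any; };      // tighten to the DMZ subnet in practice
};
EOF
}
# If the office.org admin permits AXFR, the answer's second option replaces the
# hand-maintained file with a secondary zone (their server IP is a placeholder):
#   zone "ldap.office.org" { type slave; masters { <THEIR_NS_IP>; }; file "..."; };

# Zone file text: SOA and NS for the apex, then one apex (@) A record per IP,
# which BIND serves round-robin. Short TTL because the IP set changes often.
zone_text() {
  serial=$(date +%Y%m%d01)   # YYYYMMDDnn: bump nn for a second change the same day
  printf '$TTL 300\n'
  printf '@ IN SOA ns1.foo.dmz. hostmaster.foo.dmz. ( %s 3600 900 604800 300 )\n' "$serial"
  printf '@ IN NS ns1.foo.dmz.\n'
  for ip in "$@"; do
    printf '@ IN A %s\n' "$ip"
  done
}

# Number of A records a generated zone carries (used to sanity-check a swap).
count_a_records() { zone_text "$@" | grep -c ' IN A '; }

# Write the zone, validate it and reload it when the BIND tools are installed.
install_zone() {
  zone_text "$@" > "$ZONEFILE"
  if command -v named-checkzone >/dev/null 2>&1; then named-checkzone "$ZONE" "$ZONEFILE"; fi
  if command -v rndc >/dev/null 2>&1; then rndc reload "$ZONE"; fi
}
# Daily use, with the six addresses the other office currently publishes:
#   install_zone 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 192.0.2.15 192.0.2.16
```

Keep the named.conf.local stanza in place once and rerun `install_zone` with the new address list whenever the remote side rotates.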