# Internal DNS infrastructure with BIND9
Internal DNS infrastructure with BIND9 refers to the deployment of a BIND9 (Berkeley Internet Name Domain) service within a private network to resolve hostnames to internal IP addresses.^[400-devops-06-kubernetes-k8s-paas-02-k8s.md] In the context of containerized environments like Kubernetes, this setup is critical because it enables service discovery and routing via domain names (e.g., for Ingress controllers) rather than relying on static /etc/hosts files on every container.^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]
## Deployment Architecture
In a typical enterprise deployment, the DNS server is hosted on a dedicated node within the internal network.^[400-devops-06-kubernetes-k8s-paas-02-k8s.md] For example, in a documented Kubernetes PaaS setup, the DNS service is deployed on hdss7-11 (IP 10.4.7.11) listening on port 53.^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]
## Configuration Overview
The BIND9 configuration typically involves two main configuration files: the main daemon configuration and the zone definitions.
## Main Configuration (/etc/named.conf)
The main configuration file controls the global behavior of the DNS service.^[400-devops-06-kubernetes-k8s-paas-02-k8s.md] Key adjustments for an internal infrastructure include:
- Listen Address: Set to the internal IP address (e.g., `10.4.7.11`) rather than `127.0.0.1` to allow other machines to query the server^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
- Query Allowance: Modified to `any;` to permit queries from any internal client^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
- Forwarders: Configured to point to an upstream DNS (e.g., `10.4.7.254`) to resolve external domain names^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
- Security: DNSSEC validation is often disabled for internal simplicity (`dnssec-validation no;`)^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
## Zone Definitions (/etc/named.rfc1912.zones)
This file defines the domains for which the server is authoritative.^[400-devops-06-kubernetes-k8s-paas-02-k8s.md] A common practice is to separate the host domain (infrastructure) from the business domain (services).^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]
- Host Domain (e.g., `host.com`): Used for resolving infrastructure node names (e.g., `hdss7-11.host.com`).
- Business Domain (e.g., `od.com`): Used for resolving business services or applications running in the cluster.
## DNS Records and Resolution
Zone data files (e.g., /var/named/host.com.zone) map hostnames to IP addresses^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]. A standard configuration includes:
- SOA Record: Defines the start of authority, including parameters like refresh intervals and expiry^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
- NS Record: Designates the specific name server for the zone (e.g., `dns.host.com`)^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
- A Records: Map specific hostnames (like `HDSS7-11` or `harbor`) to their IP addresses^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
- Serial Number: A timestamp-based serial (e.g., `2020011201`) is used to track updates to the zone file^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
Once configured and the named service is started, tools like dig or ping can be used to verify that internal hosts resolve correctly to their private IPs^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
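A small generator for the host.com zone file described above, added here as an example (my own code, not taken from the cited source): it renders the SOA, NS and A records and bumps the YYYYMMDDNN serial so that named and any secondary actually pick up a rewritten file. The `dnsadmin` contact, the TTL/timer values and the 10.4.7.200 address for `harbor` are assumptions; the other names and addresses come from the page.

```python
import re
from datetime import date

# Constructed inventory for the host.com zone: dns/hdss7-11 use the address
# given on the page; the harbor address is assumed for illustration.
HOSTS = {
    "dns": "10.4.7.11",
    "hdss7-11": "10.4.7.11",
    "harbor": "10.4.7.200",  # assumed
}
SERIAL_RE = re.compile(r"^\s*(\d+)\s*;\s*serial", re.MULTILINE)
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def current_serial(zone_text: str) -> int:
    """Read the SOA serial out of an existing zone file (0 if none found)."""
    m = SERIAL_RE.search(zone_text)
    return int(m.group(1)) if m else 0


def next_serial(current: int, today: date) -> int:
    """Next YYYYMMDDNN serial, always strictly greater than `current`: named
    only notifies/transfers a zone whose serial went up, so a rewritten file
    that reuses the old serial is silently ignored by secondaries."""
    base = int(today.strftime("%Y%m%d")) * 100
    if current < base:
        return base + 1  # first change today -> ...01
    # Already at today's date, or ahead of it (clock skew, >99 edits in a
    # day): keep counting up rather than ever stepping backwards.
    return current + 1


def render_zone(origin: str, serial: int, ns_host: str, hosts: dict) -> str:
    """Render a minimal authoritative zone: SOA, NS and one A record per host."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 600\t; 10 minutes",
        f"@\tIN SOA\t{ns_host}.{origin}. dnsadmin.{origin}. (",
        f"\t\t{serial}\t; serial",
        "\t\t10800\t\t; refresh (3 hours)",
        "\t\t900\t\t; retry (15 minutes)",
        "\t\t604800\t\t; expire (1 week)",
        "\t\t86400\t\t; minimum (1 day)",
        "\t\t)",
        f"@\tNS\t{ns_host}.{origin}.",
    ]
    for name, ip in sorted(hosts.items()):
        name = name.lower()  # DNS is case-insensitive; keep the file uniform
        if not LABEL_RE.match(name):
            raise ValueError(f"invalid hostname label: {name!r}")
        lines.append(f"{name}\tA\t{ip}")
    return "\n".join(lines) + "\n"
```

Feed the output to `named-checkzone host.com <file>` before reloading; a serial that did not increase is the usual reason a correct-looking edit never shows up in `dig` answers.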
## Network Integration
To ensure the entire network utilizes the new DNS, the DNS server's IP address (10.4.7.11) must be configured as the primary DNS server (DNS1) in the network interface configuration (e.g., /etc/sysconfig/network-scripts/ifcfg-eth0) on all other nodes^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]. Additionally, the /etc/resolv.conf file can be configured with a search domain to allow the use of short hostnames (e.g., pinging hdss7-200 instead of the full FQDN)^[400-devops-06-kubernetes-k8s-paas-02-k8s.md].
## Related Concepts
- Kubernetes
- [[Network infrastructure]]
- Ingress
## Sources
^[400-devops-06-kubernetes-k8s-paas-02-k8s.md]