1.0.0 Release IaaS
@@ -0,0 +1,52 @@
|
||||
# ADR 004 - DNS
|
||||
|
||||
## Date
|
||||
|
||||
- Feb/23/2026
|
||||
- First documentation
|
||||
|
||||
|
||||
## Status
|
||||
|
||||
- Accepted
|
||||
|
||||
## Context
|
||||
|
||||
- Private authoritative DNS is required to use private reserved root domain \(.internal\)
|
||||
- Split horizon DNS needs DNS resolver, because authoritative DNS must not send queries to other DNS.
|
||||
- Automatical issuing certificates needs private authoritative DNS which supports nsupdate \(RFC 2136\)
|
||||
|
||||
## Consideration
|
||||
|
||||
### Resolver DNS
|
||||
- AdGuard Home
|
||||
- More powerful query routing than blocky
|
||||
- Web UI dependency
|
||||
- Extra function which is not useful \(DHCP, etc ..\)
|
||||
- Unbound DNS
|
||||
- Cache and forward zone management is powerful
|
||||
- more complex than blocky
|
||||
- cache function is not that needed in this environment
|
||||
- Internal authoritative DNS only takes charge of internal communication
|
||||
- All security function is delegated to public DNS like cloudflare \(DNSSEC, etc\)
|
||||
|
||||
## Decisions
|
||||
|
||||
- Operate BIND9 as authoritative DNS
|
||||
- BIND9 is developed by ISC as de facto standard of authoritative DNS
|
||||
- It supports nsupdate perfectly
|
||||
- Use 2 forward zones
|
||||
- ilnmors.com for split horizon DNS
|
||||
- ilnmors.internal for internal DNS
|
||||
- Uses 4 PTR zones
|
||||
- Client vlan ipv4, v6 PTR zone
|
||||
- Server vlan ipv4, v6 PTR zone
|
||||
- Operate Blocky as resolver and cache DNS
|
||||
- blocky set the configurations with one code file
|
||||
- It supports query routing based on its domain - Split horizon DNS
|
||||
|
||||
## Consequences
|
||||
|
||||
- Implementation of split horizon DNS
|
||||
- ACME is available via nsupdate
|
||||
- malicious DNS query is blocked in DNS level
|
||||
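Review bot: The Decisions section selects BIND9 because "It supports nsupdate perfectly" and Consequences lists "ACME is available via nsupdate", but the ADR never records how RFC 2136 dynamic updates are authenticated or scoped. Suggest adding a decision line stating that updates require a TSIG key and that the zone's update-policy restricts the ACME client's key to the `_acme-challenge` TXT records, so a leaked key cannot rewrite arbitrary records in ilnmors.com or ilnmors.internal. Two smaller points: the Consequences item "malicious DNS query is blocked in DNS level" has no matching decision, since Blocky is chosen only for single-file configuration and domain-based query routing and no blocklist is mentioned; and the Consideration line "All security function is delegated to public DNS like cloudflare (DNSSEC, etc)" should state whether the resolver validates DNSSEC itself or trusts the upstream's answer, because that changes what the internal resolver has to be trusted for.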