# ADR 004 - DNS

## Date

- Feb/23/2026
  - First documentation

## Status

- Accepted

## Context

- A private authoritative DNS server is required in order to use the private reserved root domain (.internal).
- Split-horizon DNS needs a separate DNS resolver, because the authoritative server must not send queries to other DNS servers.
- Automatic certificate issuance needs a private authoritative DNS server that supports nsupdate (RFC 2136).

## Consideration

### Resolver DNS

- AdGuard Home
  - More powerful query routing than Blocky
  - Depends on a web UI
  - Extra functions that are not needed here (DHCP, etc.)
- Unbound DNS
  - Powerful cache and forward-zone management
  - More complex than Blocky
  - Caching is not much needed in this environment
- The internal authoritative DNS server is responsible only for internal communication
- All security functions (DNSSEC validation, etc.) are delegated to a public DNS service such as Cloudflare

## Decisions

- Operate BIND9 as the authoritative DNS server
  - BIND9 is developed by ISC and is the de facto standard authoritative DNS server
  - It fully supports nsupdate (RFC 2136)
  - Use 2 forward lookup zones
    - ilnmors.com for split-horizon DNS
    - ilnmors.internal for internal DNS
  - Use 4 PTR zones
    - Client VLAN IPv4 and IPv6 PTR zones
    - Server VLAN IPv4 and IPv6 PTR zones
- Operate Blocky as the resolver and caching DNS server
  - Blocky is configured from a single file
  - It supports per-domain query routing, which provides split-horizon DNS

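As an added example that is not part of this ADR, the following BIND9 `named.conf` fragment sketches the authoritative role decided above: recursion disabled so the server never queries other DNS servers, queries accepted only from the resolver, and a TSIG key for the ACME client that is granted nothing beyond TXT records via RFC 2136 updates. The key name, secret, addresses, file paths and the reverse-zone prefix are placeholders and assumptions, not values from the ADR.

```conf
// Added example (BIND 9.16+ syntax), not the ADR's own configuration.
// Addresses, key name, secret and paths below are assumed placeholders.

acl "blocky" { 10.0.0.5; };                  // assumed address of the Blocky resolver

options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.53; };                // assumed internal address of BIND9
    listen-on-v6 { none; };
    recursion no;                            // authoritative only: never send queries to other DNS
    allow-query { blocky; localhost; };      // only the resolver may query this server
    allow-transfer { none; };                // no zone transfers at all
    minimal-responses yes;
};

// TSIG key used only by the ACME client (generate with: tsig-keygen acme-update).
key "acme-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";     // placeholder, never commit a real secret
};

// Forward lookup zones named in the ADR.
zone "ilnmors.internal" IN {
    type primary;
    file "/var/lib/bind/db.ilnmors.internal";
    // Least privilege: the ACME key may add or delete TXT records in this zone
    // (the _acme-challenge.<host> names) and nothing else; A/AAAA/NS are untouchable.
    update-policy {
        grant "acme-update" zonesub TXT;
    };
};

zone "ilnmors.com" IN {
    type primary;
    file "/var/lib/bind/db.ilnmors.com";     // internal (split-horizon) view of the public name
    update-policy {
        grant "acme-update" zonesub TXT;
    };
};

// One of the four PTR zones (client VLAN IPv4, assumed 10.10.0.0/16);
// the other three follow the same pattern.
zone "10.10.in-addr.arpa" IN {
    type primary;
    file "/var/lib/bind/db.10.10.in-addr.arpa";
};
```

On the Blocky side, its conditional mapping would then point ilnmors.com, ilnmors.internal and the four reverse zones at this server's address while everything else goes to the public upstream.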
## Consequences

- Split-horizon DNS is implemented
- ACME certificate issuance is available via nsupdate
- Malicious DNS queries are blocked at the DNS level