ADR 004 - DNS
Date
- Feb/23/2026
- First documentation
Status
- Accepted
Context
- A private authoritative DNS server is required to use the private reserved root domain (.internal)
- Split-horizon DNS needs a separate DNS resolver, because the authoritative server must not forward queries to other DNS servers
- Automatic certificate issuance (ACME) needs a private authoritative DNS server that supports nsupdate (RFC 2136)
Consideration
- Resolver DNS
  - AdGuard Home
    - More powerful query routing than Blocky
    - Depends on a web UI
    - Extra functions that are not useful here (DHCP, etc.)
  - Unbound DNS
    - Powerful cache and forward-zone management
    - More complex than Blocky
    - Caching is not really needed in this environment
- The internal authoritative DNS only handles internal communication
  - All security functions (DNSSEC, etc.) are delegated to a public DNS provider such as Cloudflare
Decisions
- Operate BIND9 as the authoritative DNS
  - BIND9 is developed by ISC and is the de facto standard authoritative DNS server
  - It fully supports nsupdate
  - Use 2 forward zones
    - ilnmors.com for split-horizon DNS
    - ilnmors.internal for internal DNS
  - Use 4 PTR zones
    - Client VLAN IPv4 and IPv6 PTR zones
    - Server VLAN IPv4 and IPv6 PTR zones
- Operate Blocky as the resolver and caching DNS
  - Blocky is configured with a single config file
  - It supports query routing based on domain, which implements split-horizon DNS
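The BIND9 side of these decisions as a named.conf excerpt (an added example, not the ADR's actual configuration). The VLAN address ranges, zone file paths and the key name acme-key are assumptions; the TSIG secret is a placeholder for the output of tsig-keygen.

```conf
# named.conf excerpt for the internal BIND9 authoritative server.
# Added example; assumed addressing: client VLAN 10.10.0.0/24 and
# fd00:10::/64, server VLAN 10.20.0.0/24 and fd00:20::/64.

# TSIG key used by the ACME client for RFC 2136 dynamic updates.
# Generate the real key with: tsig-keygen acme-key
key "acme-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # placeholder, not a real key
};

acl "internal" {
    10.10.0.0/24; 10.20.0.0/24; fd00:10::/64; fd00:20::/64; localhost;
};

options {
    directory "/var/cache/bind";
    recursion no;                 # authoritative only: never resolve or forward
    allow-query { "internal"; };  # only Blocky and the internal VLANs may ask
    allow-transfer { none; };     # no zone transfers
    version "not disclosed";
};

# Forward zone for split horizon: the internal view of the public name.
zone "ilnmors.com" {
    type primary;
    file "/var/lib/bind/db.ilnmors.com";
    # Least privilege for ACME: the key may only add or delete TXT records
    # inside this zone (the _acme-challenge names), never A/AAAA or NS.
    update-policy { grant acme-key zonesub TXT; };
};

# Forward zone for internal-only names under the reserved .internal TLD.
zone "ilnmors.internal" {
    type primary;
    file "/var/lib/bind/db.ilnmors.internal";
};

# Four reverse (PTR) zones: client VLAN v4/v6 and server VLAN v4/v6.
zone "0.10.10.in-addr.arpa" { type primary; file "/var/lib/bind/db.10.10.0"; };
zone "0.20.10.in-addr.arpa" { type primary; file "/var/lib/bind/db.10.20.0"; };
zone "0.0.0.0.0.0.0.0.0.1.0.0.0.0.d.f.ip6.arpa" {
    type primary; file "/var/lib/bind/db.fd00-10";
};
zone "0.0.0.0.0.0.0.0.0.2.0.0.0.0.d.f.ip6.arpa" {
    type primary; file "/var/lib/bind/db.fd00-20";
};
```

Validate with named-checkconf before reloading; the zone files under update-policy must be writable by the named user, since dynamic updates are journaled to disk.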
Consequences
- Split-horizon DNS is implemented
- ACME is available via nsupdate
- Malicious DNS queries are blocked at the DNS level