DNS

Official DNS

We’re running our own authoritative ISC BIND DNS servers for several zones, but we try to keep the high-level DNS architecture as simple as possible.

Since the DNS servers resolve both internal and external DNS queries, we're using views to respond differently based on the source IP address. Check out the «Views» documentation for more information.

Please also note, we’re using DNSSEC for all hosted zones.

Note

The deployment and extensive documentation for our DNS servers can be found in the GitLab DNS project.

Office DNS

There’s also a DNS server running on the UniFi Security Gateway.

The DNS server automatically resolves every client that has a static IP address configured in the UniFi Cloud Key to {client}.office.confirm.ch. This is achieved via a self-developed Python script running on the gateway itself.

All remaining queries will be resolved by the Official DNS, as described in the DNS architecture.

See also

Check out the UniFi backup project for more information regarding the update-hosts script.
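
The mapping from static-IP clients to `{client}.office.confirm.ch` names, sketched as an added example; this is not the update-hosts script from the UniFi backup project. The record keys (`name`, `fixed_ip`), the hosts-file output format and the 192.0.2.x addresses are assumptions, and the sample clients are constructed. Client names are free text, so the sketch reduces them to a valid DNS label and rejects collisions before anything is written.

```python
import ipaddress
import re

ZONE = "office.confirm.ch"  # zone suffix named on the page
LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

# Constructed sample records; the keys "name" and "fixed_ip" are hypothetical.
SAMPLE_CLIENTS = [
    {"name": "Printer 2nd Floor", "fixed_ip": "192.0.2.10"},
    {"name": "nas", "fixed_ip": "192.0.2.11"},
    {"name": "guest-laptop"},                          # no static IP
    {"name": "NAS", "fixed_ip": "192.0.2.12"},         # collides with "nas"
    {"name": "!!!", "fixed_ip": "192.0.2.13"},         # no usable label
    {"name": "Lobby\tCam #1", "fixed_ip": "192.0.2.14"},
    {"name": "scanner", "fixed_ip": "192.0.2.999"},    # malformed address
]


def to_label(name):
    """Reduce a free-text client name to one RFC 1123 label, or None."""
    label = re.sub(r"[^a-z0-9-]+", "-", name.strip().lower())
    label = label.strip("-")[:63].strip("-")
    return label if LABEL_RE.fullmatch(label) else None


def build_hosts(clients, zone=ZONE):
    """Return (hosts_lines, skipped) for clients with a static IP."""
    lines, skipped, seen = [], [], set()
    for client in clients:
        name, fixed_ip = client.get("name", ""), client.get("fixed_ip")
        if not fixed_ip:
            continue  # DHCP-only clients get no record
        try:
            ip = ipaddress.ip_address(fixed_ip)
        except ValueError:
            skipped.append((name, "invalid IP"))
            continue
        label = to_label(name)
        if label is None:
            skipped.append((name, "invalid name"))
        elif label in seen:
            skipped.append((name, "duplicate name"))  # first entry wins
        else:
            seen.add(label)
            lines.append(f"{ip}\t{label}.{zone}")
    return lines, skipped


if __name__ == "__main__":
    hosts, skipped = build_hosts(SAMPLE_CLIENTS)
    print("\n".join(hosts))
    print("skipped:", skipped)
```

Logging the skipped list instead of dropping it silently makes a renamed or colliding client visible before its name stops resolving.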

DNS hostnames

The hostnames of our servers can be found in the Ansible project.

However, as described in the DNS project, most of the servers have two separate interfaces, which can be looked up via DNS like this:

  • *.lan.confirm.ch: LAN interface w/ a private IP address

  • *.wan.confirm.ch: WAN interface w/ a public IP address

Note

The DNS hostnames for our servers are automatically registered via nsupdate by Ansible, i.e. by the dns_* playbooks.

See also

Check out the Dashboard for the SSH URLs.

DNS wildcard domains

To enable fast deployments via 🐳 Docker to the dedicated Environments, we have several DNS wildcard domains, as described in the Wildcard domains chapter.