Bind9 resolve .local domain


Forwarding DNS requests for a .local domain with Bind 9

First of all: Yes, I'm fully aware that you shouldn't use .local as a TLD, since it is reserved for mDNS (RFC 6762).

However the default domain name for a Kubernetes cluster is cluster.local. You could blame me for sticking with the default, but that’s how it is…

The edge case I'm facing is that I want to replicate from a Redis master, i.e. run a local replica of it. This master is running on a k8s cluster and therefore has a name like this (a Service name; a StatefulSet pod behind a headless Service gets <pod>.<service>.<namespace>.svc.cluster.local):

<service>.<namespace>.svc.cluster.local

Since I have a VPN connection to the k8s cluster, the idea was to set up my local Bind to forward requests for that domain to the CoreDNS running on the cluster.

Basically this is quite simple: you add a new forward zone to your named.conf (or named.conf.local on Debian-based systems):

zone "cluster.local" {
    type forward;
    forward only;                // never fall back to normal recursion for this zone
    forwarders { 10.96.0.10; };  // ClusterIP of the kube-dns (CoreDNS) service
};

The IP address above is the ClusterIP of the CoreDNS service in your k8s cluster; kubectl -n kube-system get svc kube-dns shows it (10.96.0.10 is the kubeadm default, yours may differ). Keep in mind that the zone name must be cluster.local, i.e. the cluster domain that CoreDNS serves: Bind only forwards queries that fall under the forward zone, and CoreDNS only answers for its configured domain, so you'll get errors if the two don't match. Also note that the forwarder is only reachable while the VPN is up; with forward only there is no fallback, so these names will fail with SERVFAIL whenever the tunnel is down.

If DNSSEC validation is enabled on your local Bind server, you also have to adjust some options in named.conf.options.

You need to add dnssec-must-be-secure cluster.local no; to disable DNSSEC validation for the zone cluster.local. Additionally I needed to change dnssec-validation auto; to dnssec-validation yes; as mentioned on Stackoverflow.

A word of caution about what these two options actually do. dnssec-must-be-secure ... no does not turn validation off; it only states that insecure (unsigned) answers under that name may be accepted, and the validator still runs. The reason cluster.local fails under dnssec-validation auto is that the root zone proves with a signed NSEC record that the TLD local does not exist, so a positive answer from the forwarder is treated as bogus and returned as SERVFAIL. Changing auto to yes drops the built-in root trust anchor, so unless you configure trust anchors explicitly, validation is effectively switched off for every zone, not just for cluster.local. The targeted option is validate-except { cluster.local; }; (BIND 9.16 and later), which keeps automatic validation for the Internet and exempts only the internal, unsigned zone.
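As an added, end-to-end example (not code from the original post): a POSIX shell script that renders the forward zone and a validate-except based options fragment, and then checks the resolver from the outside with dig. The checks verify that the forwarded cluster name answers, that a signed public zone still gets the AD bit, and that a deliberately broken zone is still rejected, which tells apart a targeted exemption from globally disabled validation. The hostname redis-master.default.svc.cluster.local is hypothetical; isc.org as a DNSSEC-signed zone, dnssec-failed.org as a public, intentionally broken test zone, and BIND 9.16 or later for validate-except are assumptions of this example, not facts from the post. The dig headers used for the offline checks are constructed, not captured.

```sh
#!/bin/sh
# Added example, not from the original post. Renders the two BIND 9 fragments
# discussed above and checks the running resolver with dig.
# Assumptions (not in the post): BIND 9.16+ (validate-except); the hypothetical
# test name redis-master.default.svc.cluster.local; isc.org as a signed public
# zone; dnssec-failed.org as a deliberately broken public DNSSEC test zone.

CLUSTER_DOMAIN="${CLUSTER_DOMAIN:-cluster.local}"
COREDNS_IP="${COREDNS_IP:-10.96.0.10}"   # kube-dns ClusterIP, reachable over the VPN only
RESOLVER="${RESOLVER:-127.0.0.1}"        # the local Bind being configured
TEST_NAME="${TEST_NAME:-redis-master.default.svc.cluster.local}"  # hypothetical name

# Forward zone for named.conf / named.conf.local (the statement from the post).
forward_zone_conf() {
    cat <<EOF
zone "$1" {
    type forward;
    forward only;         // never fall back to normal recursion for this zone
    forwarders { $2; };   // CoreDNS ClusterIP; only reachable while the VPN is up
};
EOF
}

# Options fragment for named.conf.options: keep "auto" (built-in root trust
# anchor) and exempt only the internal, unsigned zone from validation.
dnssec_options_conf() {
    cat <<EOF
options {
    dnssec-validation auto;
    validate-except { "$1"; };
};
EOF
}

# Extract the RCODE (NOERROR, SERVFAIL, ...) from dig's ->>HEADER<<- line.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\).*/\1/p'
}

# True if the AD (authenticated data) bit is set in dig's ";; flags:" line.
has_ad_flag() {
    printf '%s\n' "$1" | grep -qE '^;; flags:( [a-z]+)* ad[ ;]'
}

# Classify one dig output: validated (AD set), insecure (NOERROR without AD),
# bogus (SERVFAIL, which a validator returns for a failed or contradicted chain).
verdict() {
    if has_ad_flag "$1"; then echo validated
    elif [ "$(rcode_of "$1")" = NOERROR ]; then echo insecure
    elif [ "$(rcode_of "$1")" = SERVFAIL ]; then echo bogus
    else echo other
    fi
}

# Constructed dig headers (not captured from a real server) for offline checks.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Query the resolver and compare the verdict with the expected one.
expect_verdict() {  # expect_verdict <name> <type> <expected verdict>
    got=$(verdict "$(dig @"$RESOLVER" "$1" "$2" +time=3 +tries=1)")
    if [ "$got" = "$3" ]; then echo "ok   $1 -> $got"; return 0; fi
    echo "FAIL $1 -> $got (expected $3)"; return 1
}

# Live check. Expected after the fix: the forwarded k8s name answers (unsigned,
# so "insecure"); a signed public zone still gets AD; a broken zone is still
# SERVFAIL. If the last two fail, validation is off globally, which is what
# "dnssec-validation yes" without configured trust anchors does.
check_resolver() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    rc=0
    expect_verdict "$TEST_NAME" A insecure || rc=1
    expect_verdict isc.org SOA validated || rc=1
    expect_verdict dnssec-failed.org A bogus || rc=1
    return $rc
}

case "${1:-}" in
    render) forward_zone_conf "$CLUSTER_DOMAIN" "$COREDNS_IP"
            dnssec_options_conf "$CLUSTER_DOMAIN" ;;
    check)  check_resolver ;;
esac
```

Run it with the argument render to print the two fragments, and with check against the reloaded Bind (rndc reload after named-checkconf passes) to confirm both that cluster.local names resolve and that validation of the public namespace is still intact.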

Now everything works fine for me… :)