Adding a domain with a large amount of subdomains

Hi

I have a domain with a large amount of subdomains, all of the machines have different purposes/locations/etc.
The subdomain list is BIG, there are also DNS/machines that should NOT be publicly visible.

I have a few questions before I proceed as this is fully live domain (mail/dns/www/nagios/gateways/firewalls/etc)

I want Cloudflare ONLY to look after the MAIN webserver of the domain which is “www.barrett.com.au” and “barrett.com.au”, nothing else.

When I start adding barrett.com.au as a site the Cloudflare adding mechanism comes up with SOME of the subdomains (which in fact are single computers), some of them shouldn’t be looked after, as they do not need caching/etc. The addon mechanism also MISSES a lot of the subdomains.

What happens to the other subdomains/machines?

Do I have to still provide the DNS for the other subdomains and as such have to add my nameserver to the registrar’s nameservers AFTER the Cloudflare ones?

Sorry, I tried to find the answer to this in the docs, but couldn’t, but might have searched the wrong search terms …

Do you have an option to export your DNS zone from your host/origin?

Cloudflare has an option to import DNS records. If you can get them in BIND format, you can easily import them; this article below has more details:

Mmmhh, that doesn’t answer my question directly, but I can see that I have a problem and I am not sure how to solve it.

2/3 of my DNS are internal rules, 1/3 external (as in bind internal/external)
I can stop people getting access or even finding out about certain IP addresses just by rules I can configure in named.conf.

Also I have been having a rather happy time with one of my BIND servers at the edge of my LAN, so 2/3 of the queries are “instant” and never leave the network, a lot of the queries are 192. and 172.16.

I see the issue is the nameserver delegation and it seems impossible for Cloudflare only to look after PARTS of my domain, i.e. the external IP addresses, this sucks a bit.

What you are looking for is a CNAME setup.

With a CNAME setup, you enter just the DNS records you plan on managing with Cloudflare (setting them :orange:), and in your authoritative DNS you create a CNAME like:
www IN CNAME www.example.com.cdn.cloudflare.net

You cannot do a CNAME setup with the root because the DNS protocol does not permit a CNAME at the root of a zone.

While officially not supported for the naked root, you can just enter A/AAAA records in your authoritative nameservers with the same Cloudflare IP addresses you end up using for www. It works fine, and all you are probably looking for is a page rule to redirect from example.com to www.example.com (as this is what you currently do).

I do not think that Secondary DNS, with Secondary DNS Override would meet your requirement, as it sounds like you are using views in BIND, and I do not believe that functionality is available.

Cloudflare’s onboarding wizard uses a list of common records, and attempts to import them from your existing nameservers. Things like www and your MX values are simple, but they could not know you have a web server called piquet.barrett.com.au, so that would be missed by the setup tool. Importing the BIND zone file is generally a better idea.

I’m not really sure what the real risk is of having RFC 1918 addresses in public DNS. If an attacker can actually do anything with the results, then you have a real problem. Doing split horizon to “fix” the issue is a bigger pain than it’s worth. If you really need separation, use a subdomain for the private stuff (so create a delegation for corp.example.com which can point at private IP addresses).

Are you using the same BIND servers as authoritative and recursive? Generally not recommended. But if your internal users use the recursive cache, there would not be much difference.

Cloudflare limits the maximum number of DNS records per zone.

  • 3,500 for paid plans
  • 1,000 for free domains

The BIND import is limited to 200 records at a time, but you can just split the file and import the parts.

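The two practical points in the reply above (check what you would be publishing before you hand a zone to a public DNS provider, and split the import into chunks of at most 200 records) can be done with a small script. The following is an added example, not code from the thread or from Cloudflare; it uses a constructed zone for example.com rather than any real domain, and the 200-record chunk size is taken from the reply. Records whose A/AAAA data falls in the RFC 1918 ranges (10/8, 172.16/12, 192.168/16) are separated out so they can be kept on the internal view or moved to a delegated subdomain instead of being imported.

```python
import ipaddress
import re
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner, rrtype, rdata)

# Constructed sample zone; addresses are documentation/private ranges, not real hosts.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1.example.com. hostmaster.example.com. (
                 2024010101 7200 900 1209600 300 )
@        IN NS   ns1.example.com.
@        IN MX   10 mail.example.com.
@        IN A    203.0.113.10
www      IN A    203.0.113.10
mail     IN A    203.0.113.25
ns1      IN A    203.0.113.53
nagios   IN A    192.168.10.5
gw-core  IN A    10.0.0.1
printer1 IN A    172.16.4.20
vpn      IN AAAA 2001:db8::1
"""

# RFC 1918 address space; listed explicitly rather than using ipaddress.is_private,
# which also flags documentation ranges such as 203.0.113.0/24.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# owner, optional TTL, optional class, type, rdata
_RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+)$")


def parse_zone(text: str) -> List[Record]:
    """Parse a simple BIND zone file into (owner, type, rdata) tuples.

    Handles $-directives, ';' comments and parenthesised multi-line records
    (as used for SOA). It is deliberately minimal and not a full RFC 1035 parser.
    """
    records: List[Record] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        pending = (pending + " " + line.strip()) if pending else line
        if pending.count("(") > pending.count(")"):
            continue  # still inside a parenthesised record
        logical = pending.replace("(", " ").replace(")", " ")
        pending = ""
        m = _RR_RE.match(" ".join(logical.split()))
        if not m:
            raise ValueError(f"unparsed zone line: {logical!r}")
        records.append((m.group(1), m.group(2), m.group(3)))
    return records


def is_rfc1918(rdata: str) -> bool:
    """True when rdata is an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def partition_records(records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Split into (public, private): A records pointing at RFC 1918 space are private."""
    public, private = [], []
    for rec in records:
        (private if rec[1] == "A" and is_rfc1918(rec[2]) else public).append(rec)
    return public, private


def chunk_records(records: List[Record], size: int = 200) -> List[List[Record]]:
    """Break the record list into import-sized pieces (200 per the reply above)."""
    return [records[i:i + size] for i in range(0, len(records), size)]


def render_zone(records: List[Record], origin: str = "example.com.") -> str:
    """Render a chunk back into zone-file syntax suitable for a BIND-format import."""
    lines = [f"$ORIGIN {origin}"]
    lines += [f"{owner} IN {rrtype} {rdata}" for owner, rrtype, rdata in records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    public, private = partition_records(parse_zone(SAMPLE_ZONE))
    print(f"{len(public)} public records, {len(private)} held back (RFC 1918)")
    for n, part in enumerate(chunk_records(public), start=1):
        print(f"--- import part {n} ---\n{render_zone(part)}")
```

Run it as-is to see the constructed zone split into a public set ready for import and a private set that stays behind; point `parse_zone` at a real `named`-style zone file to do the same check before an import.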
