001 - Use BIND DNS for device name resolution
Date: 2020-05-14
Status
✅ Accepted
Context
Staff devices e.g. laptops and desktops connected to our network will need DNS or Domain Naming Services to lookup internal and external resources e.g. www.google.com. DNS requests not resolved internally will be forwarded to the National Cyber Security Centre (NCSC) Protective DNS PDNS where requests to sites known to be hosting malware, ransomware and spyware will be blocked.
There is a requirement that this service is able to automatically scale (both up and down) to cope with varying load levels during the course of the day.
There is a limitation around using the fully managed AWS Route53 DNS service as it does not support DNS forwarding.
Dec 2021 Update Route53 can now forward DNS requests e.g. PDNS
Decision
- We have decided to use ISC (Internet Systems Consortium) BIND (Berkeley Internet Name Domain) for our DNS (Domain Name System)
- BIND is the industry standard software for running DNS servers. It is open source and easily installed using package managers. It can be containerised and can fit into the many hosting options within MoJ.
Consequences
General consequences
- we will need to run our own infrastructure rather than using a managed DNS service, due limitations in the managed Route53 service with forwarding requests.
since the BIND9 DNS service has no user interface, we will need to provide a way for onsite support engineers to add new Zones to the service.
Advantages
BIND9 DNS service is flexible and can adapt to requirements if needed.
Disadvantages
- need to build, operate and maintain the service somewhere