Tuesday, 13 July 2021

Configure Cisco Jabber DNS and Single Domain using Response Policy Zone (RPZ) and a single BIND9 DNS server

Cisco recommends split DNS, i.e. separate public (external) and local (internal) DNS answers, so that Mobile and Remote Access (MRA) works as intended: a client has to find different service records depending on where it is.

Pinpoint zones (a zone created for a single host name only), as suggested by Cisco, could be a solution, but our DNS server is authoritative for the parent domain, so that would not work here.

With the following setup, which uses RPZ, Jabber clients querying from the internet only find the public _collab-edge record and are directed to Expressway-Edge, while clients querying from the internal network also get the internal records and are directed to Expressway-Core.


Public (External) Records needed:

_collab-edge._tls.example.com      SRV 10 10 8443 expe1.example.com.

Local (Internal) Records needed:

_cisco-uds._tcp.example.com        SRV    10 10 8443 cucm1.example.com.
_cuplogin._tcp.example.com         SRV    10 10 8443 cup1.example.com.


Cisco states that a client searches for the internal DNS records first.
For example, Adam McKenzie's services domain is example.com when he starts the client. The client then issues the following queries, in this order:

    _cisco-uds._tcp.example.com
    _cuplogin._tcp.example.com
    _collab-edge._tls.example.com


We will use RPZ so that a client gets different DNS answers depending on which resolver it uses for recursion (public or private).
Our DNS server is authoritative for all our domains and is also a recursive resolver, but recursion is allowed only from the internal network (allow-recursion { ournets; };); external clients can only ask it for the zones it is authoritative for.

First, create the RPZ zone file on your BIND9 recursor. This is where all the overrides are placed.
I copied the file from https://deteque.com/m3aawg-bind-training/ and modified it according to our needs.

db.rpz.local

$TTL 3600

@               IN SOA  localhost. need.to.know.only. (
                       201702135 ; Serial number, bump it on every edit
                       60        ; Refresh every minute
                       60        ; Retry every minute
                       432000    ; Expire in 5 days
                       60 )      ; negative caching ttl 1 minute
                IN NS   LOCALHOST.
; Owner names are relative to the zone origin (rpz.local), so the trigger for
; _cisco-uds._tcp.example.com is written without a trailing dot.
;_collab-edge._tls.example.com IN CNAME *. ; RPZ NODATA action, hides the edge record from internal queries - probably not needed
_cisco-uds._tcp.example.com          SRV     10 10 8443 cucm1.example.com. ;internal only
_cuplogin._tcp.example.com           SRV     10 10 8443 cup1.example.com. ;internal only


In my Debian Buster BIND configuration, I use separate config files in named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.log";


If you use a single config file, put the following parts in that file, usually named.conf.
Enable logging of RPZ rewrites; it is a good thing to know what's going on. The channel and category belong inside the logging { ... }; statement, and the log file must be writable by the user named runs as:

named.conf.log

logging {
        channel rpzlog {
                file "/var/log/rpz.log" versions 14 size 1m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };
        category rpz { rpzlog; };
};


In your domain's main zone file, among your other records, add the following record.
It must be publicly resolvable so that remote clients can reach your Cisco Expressway-E.
In my case, this zone is also transferred to our domain slaves.

example.com zone:

_collab-edge._tls       SRV     10 10 8443 expe1.example.com. ; VCS Expressway or Cisco Expressway-E server
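The RPZ file and the public zone share the same owner-name space, so it is worth checking them against each other: an internal-only SRV name that also ends up in the public zone defeats the purpose of the split. The script below is an added example, not tooling from the original post. It assumes the file names, the origin example.com and the policy zone name rpz.local used here, inspects SRV records only (the optional CNAME *. NODATA trick is not covered), and ships with constructed sample zones so that it runs as-is.

```shell
#!/bin/sh
# Added example, not from the original post: consistency check between the RPZ zone
# file and the public zone. Lists SRV owner names that the RPZ treats as internal-only
# but that the public zone publishes anyway. File names, the origin example.com and
# the policy zone name rpz.local are assumptions; the sample zones are constructed.

# Print the fully qualified, lower-cased owner names of SRV records in an
# authoritative zone file. $1 = zone file, $2 = origin for relative owner names.
srv_owners() {
    awk -v origin="$2" '
        { sub(/;.*/, "") }                       # strip comments
        $1 ~ /^_/ && /[ \t]SRV[ \t]/ {
            name = tolower($1)
            if (name !~ /\.$/) name = name "." tolower(origin) "."
            print name
        }' "$1" | sort -u
}

# Print the trigger names (the QNAMEs being overridden) of SRV records in an RPZ
# zone file. $1 = zone file, $2 = policy zone name (e.g. rpz.local).
# A relative owner is the trigger itself; an absolute owner must end in the zone name.
rpz_triggers() {
    awk -v zone="$2" '
        { sub(/;.*/, "") }
        $1 ~ /^_/ && /[ \t]SRV[ \t]/ {
            name = tolower($1)
            suffix = "." tolower(zone) "."
            if (name ~ /\.$/) {
                n = length(name) - length(suffix)
                if (n <= 0 || substr(name, n + 1) != suffix) next
                name = substr(name, 1, n)
            }
            print name "."
        }' "$1" | sort -u
}

# Names present in both sets: internal-only overrides that are also public.
# $1 = RPZ file, $2 = policy zone name, $3 = public zone file, $4 = public origin.
leaked_internal_records() {
    t1=$(mktemp); t2=$(mktemp)
    rpz_triggers "$1" "$2" > "$t1"
    srv_owners "$3" "$4" > "$t2"
    comm -12 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Constructed sample zones mirroring the post, written into directory $1.
write_samples() {
    cat > "$1/db.rpz.local" <<'EOF'
$TTL 3600
@   IN SOA localhost. need.to.know.only. ( 1 60 60 432000 60 )
    IN NS  LOCALHOST.
;_collab-edge._tls.example.com IN CNAME *. ; optional NODATA for internal clients
_cisco-uds._tcp.example.com  SRV 10 10 8443 cucm1.example.com. ;internal only
_cuplogin._tcp.example.com   SRV 10 10 8443 cup1.example.com.  ;internal only
EOF
    cat > "$1/db.example.com" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. ( 1 3600 900 1209600 300 )
    IN NS  ns1.example.com.
expe1   IN A 192.0.2.10
_collab-edge._tls  SRV 10 10 8443 expe1.example.com. ; Expressway-E, public
EOF
}

# Usage: sh rpz-check.sh db.rpz.local rpz.local db.example.com example.com
# Without arguments the constructed samples are checked.
if [ "$#" -eq 4 ]; then
    leaked=$(leaked_internal_records "$1" "$2" "$3" "$4")
else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    leaked=$(leaked_internal_records "$tmp/db.rpz.local" rpz.local "$tmp/db.example.com" example.com)
    rm -rf "$tmp"
fi
if [ -n "$leaked" ]; then
    echo "internal-only SRV records that are also in the public zone:" >&2
    echo "$leaked" >&2
    exit 1
fi
echo "OK: no internal-only SRV record is published in the public zone"
```

Run it against the real files with sh rpz-check.sh /etc/bind/db.rpz.local rpz.local /etc/bind/db.example.com example.com; any name it prints is served from the public zone to everyone, RPZ or not, and the script exits non-zero.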


Then, add the policy zone to your config file. A relative file name is looked up in the directory set by the directory option in named.conf.options (/var/cache/bind on Debian), so either put db.rpz.local there or use an absolute path:

named.conf.local

zone "rpz.local" {
        type master;
        file "db.rpz.local";
        allow-update { none; };
        allow-transfer { none; };
};


-----------
Finally, enable the Response Policy Zone inside the options { ... }; block. The default recursive-only yes is what makes the split work: BIND applies the policy only to recursive queries from clients that are allowed to recurse (our internal networks), while external clients, which may only query the zones we are authoritative for, keep receiving the unmodified public data:

named.conf.options:

        response-policy {
                zone "rpz.local";
        };


Restart BIND (needed the first time, so that the new zone and the response-policy option are picked up) and reload the zone:

sudo /etc/init.d/bind9 restart
sudo rndc reload rpz.local
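A broken zone file or a typo in named.conf will keep named from starting, so it pays to validate before touching the running server. The wrapper below is an added example, not from the original post. Paths and command names are the Debian defaults and are assumptions; the first time, after adding the zone and the response-policy option, a restart (or rndc reconfig) is still required, but later edits to db.rpz.local only need the per-zone reload, and they only take effect if the SOA serial was bumped.

```shell
#!/bin/sh
# Added example, not from the original post: validate the configuration and the RPZ
# zone file, then reload only that zone instead of restarting named.
# Paths are the Debian defaults from the post and are assumptions. The commands can
# be overridden through the environment so the control flow can be exercised
# without a live BIND (e.g. CHECKZONE=false).

NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf}"
RPZ_ZONE="${RPZ_ZONE:-rpz.local}"
RPZ_FILE="${RPZ_FILE:-/etc/bind/db.rpz.local}"
CHECKCONF="${CHECKCONF:-named-checkconf}"
CHECKZONE="${CHECKZONE:-named-checkzone}"
RNDC="${RNDC:-rndc}"

# Returns 0 only if the whole configuration parses and the RPZ zone loads cleanly.
validate() {
    if ! $CHECKCONF "$NAMED_CONF"; then
        echo "named-checkconf failed for $NAMED_CONF" >&2
        return 1
    fi
    # -i local: integrity checks on in-zone names only; the SRV targets live in
    # example.com, outside rpz.local, and must not be flagged.
    if ! $CHECKZONE -q -i local "$RPZ_ZONE" "$RPZ_FILE"; then
        echo "named-checkzone failed for $RPZ_FILE" >&2
        return 1
    fi
    return 0
}

# Validate, then ask the running named to reload just the policy zone.
reload_rpz() {
    validate || return 1
    if ! $RNDC reload "$RPZ_ZONE"; then
        echo "rndc reload $RPZ_ZONE failed" >&2
        return 1
    fi
    echo "$RPZ_ZONE reloaded"
}

# Usage: sudo sh reload-rpz.sh reload
if [ "${1:-}" = reload ]; then
    reload_rpz
fi
```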


Do some tests from clients on both sides and check the rpz.log file.
When querying from the internal network for _cisco-uds._tcp.example.com, you should get the SRV record and see a Local-Data rewrite for the query in rpz.log.
When querying from the internet for _cisco-uds._tcp.example.com, you should get no SRV record (the name does not exist in the public example.com zone), while _collab-edge._tls.example.com resolves from both sides.
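The checks above, as an added example script that is not part of the original post. It assumes the names used here (example.com, cucm1, cup1, expe1) and a resolver address in RESOLVER, and it approximates the external view from an internal host with a non-recursive query, on the reasoning that the default recursive-only yes applies RPZ only to requests with the RD bit set from clients allowed to recurse; treat that as an approximation and confirm with a real query from the internet as well.

```shell
#!/bin/sh
# Added example, not from the original post: verify both views of the split from a
# host on the internal network. RESOLVER, the record names and the expected targets
# are assumptions copied from the post's example.com setup; adjust them to yours.
# dig +norecurse stands in for an external client: with the default
# recursive-only yes, BIND skips RPZ for non-recursive requests, so the plain
# authoritative answer comes back.

RESOLVER="${RESOLVER:-127.0.0.1}"
RPZ_LOG="${RPZ_LOG:-/var/log/rpz.log}"

# Read `dig +short SRV ...` output on stdin and print the target host of each SRV
# record, lower-cased. Empty answers and non-SRV lines produce no output.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print tolower($4) }'
}

# $1 = label, $2 = expected targets separated by spaces ("" = no SRV answer),
# stdin = dig +short output. Prints PASS/FAIL and returns 0/1 accordingly.
check_answer() {
    label=$1
    want=$2
    got=$(srv_targets | sort | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$want" ]; then
        want=$(printf '%s\n' $want | sort | tr '\n' ' ' | sed 's/ $//')
    fi
    if [ "$got" = "$want" ]; then
        echo "PASS $label: ${got:-no SRV answer}"
        return 0
    fi
    echo "FAIL $label: expected '${want:-no SRV answer}', got '${got:-no SRV answer}'"
    return 1
}

run_checks() {
    status=0
    # 1. Internal, recursive: RPZ must supply the internal-only records.
    dig +short SRV _cisco-uds._tcp.example.com @"$RESOLVER" \
        | check_answer "internal _cisco-uds" "cucm1.example.com." || status=1
    dig +short SRV _cuplogin._tcp.example.com @"$RESOLVER" \
        | check_answer "internal _cuplogin" "cup1.example.com." || status=1
    # 2. Non-recursive (external view): no RPZ, so the internal-only name is absent.
    dig +short +norecurse SRV _cisco-uds._tcp.example.com @"$RESOLVER" \
        | check_answer "external view _cisco-uds" "" || status=1
    # 3. The public edge record must resolve either way.
    dig +short SRV _collab-edge._tls.example.com @"$RESOLVER" \
        | check_answer "internal _collab-edge" "expe1.example.com." || status=1
    dig +short +norecurse SRV _collab-edge._tls.example.com @"$RESOLVER" \
        | check_answer "external view _collab-edge" "expe1.example.com." || status=1
    # 4. Step 1 should have left a rewrite entry in the RPZ log.
    if [ -r "$RPZ_LOG" ] && grep -q '_cisco-uds._tcp.example.com' "$RPZ_LOG"; then
        echo "PASS $RPZ_LOG records the _cisco-uds rewrite"
    else
        echo "WARN no _cisco-uds rewrite found in $RPZ_LOG (check the logging channel)"
    fi
    return $status
}

# Usage: RESOLVER=10.0.0.53 sh verify-split.sh run
if [ "${1:-}" = run ]; then
    run_checks
fi
```

A FAIL on check 2 while check 1 passes usually means the recursive-only default was changed or the query came from outside ournets; a FAIL on check 1 with an empty rpz.log means the policy zone is not applied at all (wrong file path, zone not loaded, or response-policy missing from options).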