Need Bind9 architecture advice

I need your advice on a DNS architecture.

This schema describes the DNS architecture as I plan to build it:

[Schema: DNS architecture]

In my company, every desktop/laptop is configured with the LAN DNS (10.1.1.1), which is a Microsoft AD/DNS that I don't have control over. The other DNS servers are Bind9, where I am admin. My purpose is to add other DNS servers for new projects (in a separate network) without changing anything on the laptops or on the LAN DNS, and of course I want the developers' laptops (in the LAN) to be able to query and receive answers for the FQDNs of those new projects.

From the DNS (FQDN) point of view, there is ONE domain (project.com) and MANY sub-domains (subX.project.com), and each sub-domain is in a separate network.

Example: on each VLAN I will have a web server, and I want it to answer for its DNS sub-domain:

web.project.com  --> for the web server of the project zone.
web.sub1.project.com  --> for the web server of the sub-project zone
web.sub2.project.com ....

So, my understanding of Bind9 leads me to think that the LAN DNS server (10.1.1.1) can forward requests to the project DNS server (10.100.1.1), and the project DNS can forward requests to the sub-project DNS servers (10.200.1.1 / 10.250.1.1).

Finally, all VMs of a network can resolve public FQDNs if the zone DNS forwards their requests to the upper-level DNS. I just want to restate that I don't have control over the main DNS (in the LAN).

Below you will find the named.conf.options file which represents the architecture described in the schema:

  • DNS project.com (10.100.1.1/10.100.1.2)
options {
    # queries from the LAN DNS, the sub-zone DNS servers and this network
    allow-query     { 127.0.0.1; 10.1.1.1; 10.1.1.2; 10.200.1.1; 10.200.1.2; 10.250.1.1; 10.250.1.2; 10.100.1.0/24; };
    recursion yes;
    notify yes;
    allow-transfer { 10.100.1.2; }; # the slave
    forwarders {
        10.1.1.1;   # LAN AD/DNS
        10.1.1.2;
    };
};
  • DNS sub1.project.com (10.200.1.1/10.200.1.2)
options {
    # queries from VMs in this network and from the DNS servers of the upper zone
    allow-query     { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.200.1.0/24; };
    recursion yes;
    notify yes;
    allow-transfer { 10.200.1.2; }; # the slave
    forwarders {
        10.100.1.1; # project.com DNS
        10.100.1.2;
    };
};
  • DNS sub2.project.com (10.250.1.1/10.250.1.2)
options {
    # queries from VMs in this network and from the DNS servers of the upper zone
    allow-query     { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.250.1.0/24; };
    recursion yes;
    notify yes;
    allow-transfer { 10.250.1.2; }; # the slave
    forwarders {
        10.100.1.1; # project.com DNS
        10.100.1.2;
    };
};

What do you think about this architecture? Do you see any drawbacks, mistakes or misunderstandings?

Regards.


My purpose is to add other DNS servers for new projects (in a separate network) without changing anything on the laptops or on the LAN DNS, and of course I want the developers' laptops (in the LAN) to be able to query and receive answers for the FQDNs of those new projects.

Just make your main DNS servers delegate, through NS records, a subdomain like project1.example.com to your nameservers, after which you control this zone (and hence everything below it). The normal recursive behavior during name resolution will then kick in without any specific configuration.

You seem to confuse the recursive and authoritative roles of nameservers. These don't mix. You should avoid (while you technically can, with software like dnsmasq or even unbound) a server acting as recursive in general but authoritative for some names. Do proper delegations and have a meaningful tree, and you won't have any strange problems. You should avoid "forward" queries as much as possible.

Your set of configuration examples just makes a mesh of recursive nameservers; they are not authoritative for anything, so it is not the way to go. Do delegations.

mangohost
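What the delegation the answer describes looks like for the asker's addresses, as an added example (not the asker's or answerer's configuration): the project.com zone delegates sub1 and sub2 to the sub-network servers with NS records plus glue, and each sub-zone carries its own SOA and NS set. It assumes the LAN AD/DNS admins have delegated project.com to 10.100.1.1/10.100.1.2, and the host names ns1/ns2, the hostmaster mailbox and the web server addresses are assumed.

```zone
; db.project.com, served by 10.100.1.1 (master) and 10.100.1.2 (slave).
; Added example; addresses are from the question, ns1/ns2 and 10.x.1.10 are assumed.
$TTL 3600
$ORIGIN project.com.
@        IN SOA  ns1.project.com. hostmaster.project.com. (
                 2024010101 3600 900 1209600 300 )
@        IN NS   ns1.project.com.
@        IN NS   ns2.project.com.
ns1      IN A    10.100.1.1
ns2      IN A    10.100.1.2
web      IN A    10.100.1.10      ; web.project.com, the project zone web server

; Delegations: the project servers hold no sub1/sub2 data and do not forward to
; them. A recursive resolver (here the LAN DNS at 10.1.1.1, which the laptops
; already use) follows these NS records and asks 10.200.1.x / 10.250.1.x itself.
; The A records below are glue, needed because each sub-zone's name servers
; live inside the zone they serve.
sub1     IN NS   ns1.sub1.project.com.
sub1     IN NS   ns2.sub1.project.com.
ns1.sub1 IN A    10.200.1.1
ns2.sub1 IN A    10.200.1.2
sub2     IN NS   ns1.sub2.project.com.
sub2     IN NS   ns2.sub2.project.com.
ns1.sub2 IN A    10.250.1.1
ns2.sub2 IN A    10.250.1.2

; db.sub1.project.com, served by 10.200.1.1 (master) and 10.200.1.2 (slave).
; Its NS set must match the delegation in the parent zone above.
$TTL 3600
$ORIGIN sub1.project.com.
@        IN SOA  ns1.sub1.project.com. hostmaster.project.com. (
                 2024010101 3600 900 1209600 300 )
@        IN NS   ns1.sub1.project.com.
@        IN NS   ns2.sub1.project.com.
ns1      IN A    10.200.1.1
ns2      IN A    10.200.1.2
web      IN A    10.200.1.10      ; web.sub1.project.com (sub2 is built the same way)
```

With these zones loaded as type master/slave, the project and sub-project servers can run with recursion no and need no forwarders; the VMs in each network then point at a separate recursive resolver for public names, keeping the two roles apart as the answer recommends.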
