Split Brain DNS and forwarders (Can do in 8.2?)

Jim Ault aultj at dmgt01.crd.ge.com
Tue Jun 1 19:58:51 UTC 1999


We are in the process of replacing some older equipment with newer
equipment.  We are moving forward to the latest Bind, sendmail and
other applications as well.

While we are planning to duplicate the functions of each older machine as
closely as we can with the new machines, the version of BIND we run on
the older machine that serves as our internal DNS server and mail hub has
some custom BIND mods in it.

Let's say we have a server NS.div.xyz.com that serves internal
addresses for hosts in 10.1.x.x.  It also has a cache of addresses of
other DNS servers it knows about in other parts of xyz.com.  It knows
that anything it has in cache, or anything it learns from servers in
that cache, it can ask DNS queries about directly (usually addresses
like 10.x.x.x).  But any hosts that are not in its cache, such as hosts
out on the internet like yahoo.com, it knows that it cannot ask DNS
queries directly, because it cannot receive the DNS answers via UDP
through our firewall.  So instead it forwards DNS requests for external
hosts to an external host that can make those requests and receive
them, and then return the DNS replies back (via special rules through
the firewall).  This server has a "split brain" in that it understands
that a certain group of nameservers can be queried directly, but other
servers must be queried through a forwarder.

The external host (NSEX) is able to speak with hosts out on the
internet and is able to get answers from anywhere outside xyz.com, and
it is able to forward DNS answers that it gets back to "NS" the
internal hub through the firewall.

Now that we want to move forward to BIND 8.2, we have a quandary:

If we run our primary name server NS on an internal network, this machine
will not know how to get external names like yahoo.com, but it needs to
know that it can reach other divisions of xyz.com directly.

If we run our primary name server on an external network, it will be
able to reach all hosts on the internet, but it will not be able to
query other divisions of xyz.com directly, because it has an external
network address.  We also would like to avoid excessive DNS traffic
through our firewall. 

How close can we come to duplicating our existing split brain
functionality with BIND 8.2 on an internal DNS server running in tandem
with an external DNS server?

Jim Ault
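An added example of how the split described above maps onto a stock BIND 8.2 named.conf, written by the editor and not part of Jim's post or of any real xyz.com configuration. It assumes the zone-level `forward`/`forwarders` options and `type forward` zones of the 8.2 named.conf grammar, and all addresses, zone names and file names are made up: 10.1.0.53 for NS, 192.0.2.53 for NSEX, and 10.2.0.53 / 10.3.0.53 for the other divisions' servers.

```conf
// ---- named.conf for the internal hub, NS.div.xyz.com (hypothetical) ----
options {
    directory "/var/named";
    // Default path for anything not matched by a more specific zone below:
    // hand the query to NSEX through the firewall.  "forward only" means NS
    // never tries to walk the Internet itself, so no stray UDP answers have
    // to be let back in.  Do not add "forward first" here: that re-enables
    // the direct queries the firewall is meant to block.
    forward only;
    forwarders { 192.0.2.53; };
    allow-query { 10.0.0.0/8; };
};

// Our own division: answered from local authoritative data.  The empty
// forwarders list makes sure nothing under this zone leaks to NSEX.
zone "div.xyz.com" {
    type master;
    file "div.xyz.com.zone";
    forwarders { };
};
zone "1.10.in-addr.arpa" {
    type master;
    file "10.1.rev";
    forwarders { };
};

// The rest of xyz.com lives on 10.x.x.x and can be queried directly, so a
// forward zone sends those questions to the other divisions' servers instead
// of to NSEX.  The longest matching zone wins, so div.xyz.com above is still
// served locally and everything else (yahoo.com etc.) falls through to NSEX.
zone "xyz.com" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; 10.3.0.53; };
};
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; 10.3.0.53; };
};

// ---- named.conf for the external box, NSEX (hypothetical) ----
// A caching-only server that does its own recursion on the Internet and
// answers only the internal hub, so the firewall rule can be a single
// NS <-> NSEX port 53 pair rather than "DNS from anywhere".
options {
    directory "/var/named";
    recursion yes;
    allow-query { 10.1.0.53; };
};
zone "." {
    type hint;
    file "root.cache";
};
```

The one thing this does not reproduce from the old "split brain" is learning new internal servers from the cache: the list under `forwarders` for the xyz.com forward zone is static, so every other division's server that NS should talk to directly has to be listed (or be reachable via the listed ones). Delegations from those servers are followed by them, not by NS, which is the point of `forward only`. It is also worth checking with `dig @10.1.0.53 www.yahoo.com` and `dig @10.1.0.53 host.other.xyz.com` from an internal host, with tcpdump on the firewall, that the first query leaves only via NSEX and the second never touches it.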


