Split Brain DNS and forwarders (Can do in 8.2?)

Joseph S D Yao jsdy at cospo.osis.gov
Tue Jun 1 20:49:35 UTC 1999


> Let's say we have a server NS.div.xyz.com that serves internal
> addresses for hosts in 10.1.x.x .  It also has a cache of addresses of
> other DNS servers it knows about in other parts of xyz.com.  It knows
> that anything it has in cache, or anything it learns from servers in
> that cache, it can ask DNS queries about directly (usually addresses
> like 10.x.x.x).  But any hosts that are not in its cache, such as hosts
> out on the internet like yahoo.com, it knows that it cannot ask DNS
> queries directly, because it cannot receive the DNS answers via UDP
> through our firewall.  So instead it forwards DNS requests for external
> hosts to an external host that can make those requests and receive
> them, and then return the DNS replies back (via special rules through
> the firewall).  This server has a "split brain" in that it understands
> that a certain group of nameservers can be queried directly, but other
> servers must be queried through a forwarder. 
> 
> The external host (NSEX) is able to speak with hosts out on the
> internet and is able to get answers from anywhere outside xyz.com, and
> it is able to forward DNS answers that it gets back to "NS" the
> internal hub through the firewall.
> 
> Now that we want to move forward to BIND 8.2, we have a quandary:
> 
> If we run our primary name server NS on an internal network, this machine
> will not know how to get external names like yahoo.com, but it needs to
> know that it can reach other divisions of xyz.com directly.
> 
> If we run our primary name server on an external network, it will be
> able to reach all hosts on the internet, but it will not be able to
> query other divisions of xyz.com directly, because it has an external
> network address.  We also would like to avoid excessive DNS traffic
> through our firewall. 
> 
> How close can we come to duplicating our existing split brain
> functionality with BIND 8.2 on an internal DNS server running in tandem
> with an external DNS server?

Extremely closely.  You are far from the only person wanting to do this
kind of thing.

For split brain, investigate the use of option "listen-on" and two
separate configuration files for two separate DNS servers on the same
firewall bastion host.

For access to all internal "xyz.com" sub-domains, you can still declare
the sub-domain servers in the "xyz.com" domain.  Of course, if your
internal domains aren't all "xyz.com" domains [as the reverse DNS
domains aren't], you can use "forward" zones to point to their name
servers.

All of this is in the Third Edition of Albitz & Liu's "BIND and DNS",
except for forward zones, which are so new that the only documentation
is in the BIND 8.2 on-line docs.  The good news is that the ISC folks
made a serious attempt to upgrade their documentation for this release.

Hope this helps.  Research these and see whether they will fit your
needs.

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
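Worked example, added here and not part of Joe's reply or of any BIND documentation: the two configuration files he describes for one bastion host, in BIND 8.2 named.conf syntax, with "listen-on" splitting the instances and forward zones covering internal domains that are not under xyz.com. Interface addresses, file paths, the eng.xyz.com division and its server addresses are constructed placeholders.

```conf
// --- /etc/named-internal.conf (assumed path): the instance the inside sees
options {
    directory "/var/named/internal";
    pid-file  "/var/run/named-internal.pid";  // must differ from the other instance
    listen-on { 10.1.0.53; };                 // inside address of the bastion (constructed)
    allow-query { 10.0.0.0/8; };              // internal clients only
    // Anything not answered locally or by a forward zone below goes to the
    // external instance on this same host.  "forward only" means never try
    // the Internet roots directly, so no stray UDP leaves through the firewall.
    forwarders { 192.0.2.53; };
    forward only;
};

zone "div.xyz.com" {
    type master;
    file "div.xyz.com.zone";
};

// Another division's internal servers (constructed).  Zone-level forwarders
// override the global ones, so these queries never reach the external instance.
zone "eng.xyz.com" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; 10.2.0.54; };
};

// Reverse zone: not under xyz.com, so it cannot be delegated from there.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; };
};

// --- /etc/named-external.conf (assumed path): the instance the Internet sees
options {
    directory "/var/named/external";
    pid-file  "/var/run/named-external.pid";
    listen-on { 192.0.2.53; };                // outside address (constructed)
    allow-query { 192.0.2.53; 10.1.0.53; };   // only this host's internal instance may ask
    recursion yes;
};

// Root hints only: this instance carries no internal zone data, so nothing
// about 10.x.x.x can leak to outside queriers.
zone "." {
    type hint;
    file "root.cache";
};
```

Each file is started as its own named process (named -c <file>); the distinct pid-file and directory settings keep the two instances from stepping on each other.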
