DNS External/Internal Shadow Domains?

Joseph S D Yao jsdy at cospo.osis.gov
Sat Nov 13 00:18:00 UTC 1999

On Fri, Nov 12, 1999 at 01:56:38PM -0700, Cricket Liu wrote:
> > Kevin was talking about EXTERNAL zones, though, so it is perfectly
> > appropriate for the firewall to use the Internet roots!
> What are you talking about?  Kevin was talking about an internal DNS
> architecture based on internal root name servers that allowed you to
> resolve both internal and Internet domain names.
> Also, the model you describe, using zones of type forward, doesn't give you
> iterative name resolution of internal domain names, which is part of what
> Kevin was trying to achieve.

As I understood it, Kevin wanted internal roots, but to forward to the
firewalls to resolve all non-internal domains.  My understanding of your
objection to forwarding to firewalls was that they would use external
roots.  I may be wrong.

Why doesn't it give iterative resolution of internal domain names?
Perhaps I assumed a different common base from you.  My assumption was a
"hints" zone that contained internal roots, the option to forward only
to the firewall, which was turned OFF for internal zones.  I know that
you have mentioned that different versions of 8.2 have handled this
differently ... but with this model, ISTM that the resolution of
internal zones would be handled by a miniature version of the same
process that happens on the Internet.  All other zones would be
forwarded to the next-up name server or handled without forwarding.

I have not tried this with an internal "." root, but with an internal
"master" name server that forwarded all unresolved queries to the
firewall.  To make sure it worked, though, I had two ways of doing
everything, which made this more work but less sensitive to changes
between versions.

Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
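The split model debated above, written out as a BIND `named.conf` (an added example, not configuration from Joe, Cricket or Kevin; it uses BIND 9 syntax, since the thread itself notes that 8.2 releases behaved differently). The zone names and the RFC 5737 addresses are constructed placeholders. The security point is that only the firewall's resolver ever talks to Internet name servers, while lookups for the internal namespace never leave the internal root hierarchy.

```conf
// Added example (not from the thread): internal resolver that uses
// internal root servers for the internal namespace and forwards every
// other query to the firewall. Addresses and zone names are placeholders.
options {
    directory "/var/named";
    recursion yes;
    // Default for any name not matched by a more specific zone below:
    // send it to the firewall resolver and never query Internet roots
    // directly ("forward only" disables fallback to the hints).
    forward only;
    forwarders { 192.0.2.1; };      // placeholder: firewall name server
};

// The hints file lists the INTERNAL "." servers, not the Internet roots.
zone "." {
    type hint;
    file "internal.root.hints";     // placeholder file name
};

// Internal namespace: an empty forwarders list turns forwarding OFF for
// this subtree, cancelling the global "forward only", so names under it
// are resolved iteratively from the internal root hints. This is what
// covers delegated internal subzones this server is not authoritative for.
zone "corp.example" {
    type forward;
    forwarders { };
};

// Zones this server is authoritative for are answered locally regardless
// of the forward settings above.
zone "hq.corp.example" {
    type master;
    file "hq.corp.example.zone";    // placeholder file name
};
```

To confirm the split actually holds, enable query logging on the firewall resolver and check that no `corp.example` names appear there after a round of internal lookups; if they do, the empty `forwarders { };` stanza is not taking effect on the BIND version in use.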

More information about the bind-users mailing list