DNS External/Internal Shadow Domains?

Cricket Liu cricket at acmebw.com
Sat Nov 13 01:53:21 UTC 1999


> As I understood it, Kevin wanted internal roots, but to forward to the
> firewalls to resolve all non-internal domains.  My understanding of your
> objection to forwarding to firewalls was that they would use external
> roots.  I may be wrong.

First of all, Kevin didn't want anything.  He wasn't the original poster,
and was just proposing a solution that he'd come up with.

You've got my objection basically right, if I interpret the antecedent of
"they" as "arbitrary internal name servers."  Yes, my objection is that,
in this setup, arbitrary internal name servers never end up with the list
of internal root name servers, so they don't use the internal roots.  So
what good does setting up internal roots do?

> Why doesn't it give iterative resolution of internal domain names?
> Perhaps I assumed a different common base from you.  My assumption was a
> "hints" zone that contained internal roots, the option to forward only
> to the firewall, which was turned OFF for internal zones.  I know that
> you have mentioned that different versions of 8.2 have handled this
> differently ... but with this model, ISTM that the resolution of
> internal zones would be handled by a miniature version of the same
> process that happens on the Internet.  All other zones would be
> forwarded to the next-up name server or handled without forwarding.

Resolving internal domain names iteratively *can* work, but it's not as
simple as you might think.  Since you're not using the internal root name
servers, you don't have a list of name servers to work from, so you can't
just say:

zone "internal.zone" {
    type forward;
    forwarders {};
};

on an arbitrary internal name server.  If you did, and your name server
received a query in internal.zone, it'd have nowhere to start (it wouldn't
know which name server to query).

> I have not tried this with an internal "." root, but with an internal
> "master" name server that forwarded all unresolved queries to the
> firewall.  To make sure it worked, though, I had two ways of doing
> everything, which made this more work but less sensitive to changes
> between versions.

It works without internal roots.  It doesn't work with them.

cricket

Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com

Attend the next Internet Software Consortium/Acme Byte & Wire
DNS and BIND class!  See www.acmebw.com/training.htm for
the schedule and to register for upcoming classes.
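The configuration the quoted poster describes, written out as an added illustration that is not part of the original post: a hints zone listing the internal roots gives an arbitrary internal name server the starting point it otherwise lacks, and an empty forwarders list on the internal zone keeps those queries away from the firewall. The file names and the 10.0.0.0/8 and 192.0.2.0/24 addresses are placeholders.

```conf
// named.conf (BIND 8.2-era syntax) for an arbitrary internal name server.
options {
    directory "/var/named";
    // Everything not covered by a more specific zone statement goes to
    // the firewall's resolver and nowhere else (no fallback to iteration).
    forward only;
    forwarders { 192.0.2.53; };   // placeholder: firewall resolver address
};

// Internal roots.  Without this hints zone the server has no list of
// name servers to iterate from, which is the "nowhere to start" problem
// described above.  internal.root.hints is a normal hints file, e.g.:
//   .                       3600000 IN NS root1.internal.zone.
//   root1.internal.zone.    3600000 IN A  10.0.0.53
// (names and addresses are placeholders).
zone "." {
    type hint;
    file "internal.root.hints";
};

// Turn forwarding OFF for the internal namespace only, so queries for
// internal.zone are resolved iteratively, starting from the internal
// roots, while all other names still go to the firewall.  Note that
// 8.2 releases differ in how an empty forwarders list is treated, so
// verify the behaviour on the version actually deployed.
zone "internal.zone" {
    type forward;
    forwarders {};
};
```

Check the result with a query for a name under internal.zone and one for an external name, and confirm (for example with query logging) that only the external one reaches the firewall.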