Internal Root servers

Scott Morizot tmorizot at ccsi.com
Tue Sep 7 19:16:55 UTC 1999


On Tue, 7 Sep 1999, Philip Wolfe wrote:
> I have recently joined an international company, remaining
> unnamed, which uses "forwarders" for its subdomain to resolve to the
> Internet. I would like to propose the implementation of Internal Root
> Servers, but have not done this before. Does anyone have a more
> comprehensive reference on this subject? I have the latest copy of
> "DNS and BIND" from O'Reilly, but would like more information.

The sort of DNS setup used internally is really tied
pretty closely to the sort of firewall configuration
used.  A forwarders setup is generally used with
a more "transparent" firewall.  One where internal
systems, once they resolve an external name to an address,
can generally get to the appropriate service and host
on the 'net.  SOCKS implementations are frequently associated
with this sort of firewall.  The approach tends to
be to allow all protocols not specifically denied.

Internal roots, on the other hand, are used in conjunction
with more opaque, typically proxy-based firewall configurations.
Protocols are disallowed unless specifically allowed.  Internal
systems cannot resolve and know nothing about hosts and
addresses on the Internet.  The way things are handled
can (and usually does) vary by protocol. 

While specifics vary, the key thing to keep in mind is that
forwarders and internal roots are mutually exclusive configurations.
A root server believes it is authoritative for anything
(either directly or with a delegation).  There is no
such thing as a better server (forwarder).  If your current
setup revolves around forwarders, a change to internal roots will
likely impact a lot more than just the DNS.

I don't know that there is any specific detailed reference
on internal roots.  I know there wasn't really when I was putting
together a design a couple of years ago.  But there is no
real mystery to it, either.  Root servers are authoritative
for the '.' zone instead of having a hints file for it.  Your
internal name servers use your internal roots in
their hints file instead of the standard 'net one.
Your roots will then delegate the forward and reverse
internal trees you will use.

---
Scott Morizot
tmorizot at ccsi.com
http://www.ccsi.com/~tmorizot/

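A concrete version of the layout Scott describes, added here as an example and not taken from the thread or from ISC's BIND documentation: named.conf fragments and zone files for one internal root plus the internal resolvers that point at it, in BIND master-file syntax. Every name and address (corp.example, the 10.0.0.0/8 reverse tree, the ns-root*/ns* hosts) is a constructed placeholder; the only structural points are the ones from the message above: the root is master for ".", it delegates the internal forward and reverse trees, and the other servers carry a hints file naming the internal roots with no forwarders statement.

```conf
// --- named.conf on the internal root (ns-root1.corp.example, 10.0.0.1), constructed example ---
// The root is authoritative for "." itself: no hints file, no forwarders.
options {
    directory "/var/named";
    recursion no;          // a root only hands out delegations and its own data
};
zone "." {
    type master;
    file "root.internal";
};

; --- /var/named/root.internal: the internal root zone, constructed example ---
$TTL 86400
.  IN SOA  ns-root1.corp.example. hostmaster.corp.example. (
           1999090701 ; serial
           3600       ; refresh
           900        ; retry
           604800     ; expire
           86400 )    ; negative-cache TTL
; the internal roots themselves
.  IN NS   ns-root1.corp.example.
.  IN NS   ns-root2.corp.example.
; glue: the root servers' names live inside a zone this file delegates
ns-root1.corp.example.  IN A  10.0.0.1
ns-root2.corp.example.  IN A  10.0.0.2
; delegation of the internal forward tree
corp.example.           IN NS  ns1.corp.example.
corp.example.           IN NS  ns2.corp.example.
ns1.corp.example.       IN A   10.0.1.1
ns2.corp.example.       IN A   10.0.1.2
; delegation of the internal reverse tree for 10.0.0.0/8
10.in-addr.arpa.        IN NS  ns1.corp.example.
10.in-addr.arpa.        IN NS  ns2.corp.example.
; any name not delegated above (com., net., ...) does not exist as far as
; this root is concerned: the answer is an authoritative NXDOMAIN

; --- /var/named/root.hints on every other internal name server, constructed example ---
; replaces the public named.root; resolution starts iteratively from here
.  3600000 IN NS  ns-root1.corp.example.
.  3600000 IN NS  ns-root2.corp.example.
ns-root1.corp.example.  3600000 IN A  10.0.0.1
ns-root2.corp.example.  3600000 IN A  10.0.0.2

// --- named.conf on the internal resolvers, constructed example ---
options {
    directory "/var/named";
    recursion yes;
    // deliberately no "forwarders" statement: forwarders and internal
    // roots are mutually exclusive configurations
};
zone "." {
    type hint;
    file "root.hints";
};
```

The property this buys is the one the message describes: an internal resolver can never learn an Internet address, because the only root it knows answers NXDOMAIN for everything outside the delegated trees, so no query ever has a reason to leave the network. The corollary, which is an assumption about the surrounding firewall rather than anything the thread states, is that whatever proxy or bastion host does reach the Internet on users' behalf needs its own resolver with the real public hints, kept separate from the internal tree.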