dns configure problem

Joseph S D Yao jsdy at cospo.osis.gov
Wed Sep 8 21:24:04 UTC 1999


> I have a couple of quick questions first:
> 	1)  where should an MX record point to (A, CNAME)?   I ask because in
> our old setup, which works correctly, the MX record points to a CNAME,
> however, I have heard that it should point to an A record.

Always an A record.  Never a CNAME.

> 	2)  can you not have more than one CNAME record per zone?  (or, is that
> a bad idea?  Again, just what I have heard)

Gazillions.  What are you using them for?  That's the rub.

> 	3)  Since I am using the same DNS server for internal and external, how
> should I go about setting this up?  I.e., what are the security
> implications of allowing queries and transfers?  ALSO, would I create
> two zones (one for the external IP address and one for the internal IP
> address)?  

You need to somehow do "split DNS".  I'm not sure how that will work in
your setup.  Or you will need a SEPARATE internal name server.  This is
because you (a) don't want to broadcast internal addresses to the
Internet, and (b) want to have an INTERNAL "MX" record pointing to your
internal mail server, as opposed to the external one pointing to your
Exchange server on the border.  (You don't say you have an internal
mail server, but if mail sitting in your border mail server is bad, I
assume it's supposed to go somewhere.)  This is not just "two zones".
It's two different views of the same zone.

The mail server should get its DNS from the internal name server, of
course.  That way, it can get information on the internal setup.  The
internal name server should forward (forward-only) all queries that it
can't resolve to the external name server, which can query the
Internet.

Queries and transfers?  If the internal name server is on a border
system [;-(], then you should limit queries to the inside.  Otherwise,
no particular limits.  Some people are paranoid about allowing zone
transfers.  Some subset of those people have reason to be.  You have to
decide what you have to protect in the name server, and from whom.

> 	MAN-GILL.COM.DB
> ; ***********************************************************
> ; * This file is auto-generated.  It may be edited by hand, 
> ; * but comments and formatting will not be preserved.      
> ; * It forward-maps the man-gill.com domain. 
> ; ***********************************************************

What auto-generates these files?  What keeps you from plugging in
"predict-dli" instead of "man-gill" into the automatic generator?

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.


More information about the bind-users mailing list
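
Added example, not part of the original message: a small Python check for two points made in the reply above, an MX record whose target is a CNAME and internal (RFC 1918) addresses appearing in the externally published view of a zone. The zone text, `example.com` and all addresses are constructed placeholders; the parser assumes simple one-line records and a `$ORIGIN` line.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of an externally published zone; example.com and all
# addresses are placeholders, not values from the original post.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@     IN MX    10 mail   ; target is an alias
@     IN MX    20 mx2
mail  IN CNAME exch
exch  IN A     10.1.2.3  ; internal address leaking out
mx2   IN A     192.0.2.25
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lower-case absolute name."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else name + "." + origin).lower()

def parse(zone_text, origin="."):
    """Yield (owner, type, rdata, origin) for simple one-line records."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # strip comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("$"):          # directives; only $ORIGIN is used
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        if not line[0].isspace():              # a leading blank repeats the owner
            owner = fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                      # skip optional TTL and class
        if fields:
            yield owner, fields[0].upper(), fields[1:], origin

def lint_external_zone(zone_text):
    """Return (issue, owner, detail) findings for the two problems above."""
    records = list(parse(zone_text))
    aliases = {owner for owner, rtype, _, _ in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, rdata, origin in records:
        if rtype == "MX" and fqdn(rdata[1], origin) in aliases:
            findings.append(("mx-to-cname", owner, fqdn(rdata[1], origin)))
        if rtype == "A" and any(ipaddress.ip_address(rdata[0]) in n for n in RFC1918):
            findings.append(("private-address", owner, rdata[0]))
    return findings
```

Running `lint_external_zone(SAMPLE_ZONE)` reports the MX at the zone apex that points to the alias `mail.example.com.` and the `10.1.2.3` address on `exch.example.com.`.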