Split DNS setup

Kevin Darcy kcd at daimlerchrysler.com
Thu Apr 20 01:10:05 UTC 2000


No offense, but I think you're a little confused here. The server in the
DMZ that you're using for forwarding doesn't need to be a
"registered" anything. In fact it doesn't need to *serve* any zones at all;
it could be a caching-only server. All it needs to be able to do is resolve
Internet names on behalf of internal machines.

Now, if you want to run a so-called "shadow" namespace externally, you could
run it on the same machine as the forwarder, either as a separate nameserver
instance or the same one. One of the benefits of separating the functions is
that it allows you to easily turn off recursion on the external primary, which
you may want to do to prevent certain denial-of-service attacks. At the same
time, you would leave recursion enabled on your forwarder, but limit it to
only answering queries from internal clients. Sure, with a sufficiently
up-to-date version of BIND you can do all of this with one instance (since
per-zone query and recursion restrictions are now implemented), but the
configuration is messy and it may be more maintainable as two separate
machines or nameserver instances.

So, given that the external primary doesn't even need to talk to the internal
primary, or even run on the same box as the internal primary's forwarder,
your question about the consequences of running 2 primary servers doesn't
make a whole lot of sense. Yes, they are both "primary" for the same zone,
but they serve different client communities and don't even need to talk to
each other. Even if they do talk to each other, the internal box would only
be forwarding queries that are *outside* the internally-defined zones, so it
would be completely oblivious to the fact that its forwarder was also
configured as primary for those zones -- this fact would never come up in the
conversation.


- Kevin

Jeff Kennedy wrote:

> Ok, no one replied to this so after much more digging I am asking for
> verification and one point of clarification.
>
> As I understand it, I need to run an un-registered primary dns server
> inside my firewall with all my hosts listed for internal lookups.  All
> of the internal people will query this server first, if not resolved (ie
> if it's an internet host they're looking for) it will forward the query
> to a registered primary on the dmz using the forward statement.  This
> server will have a stripped down version of the internal dns table and
> will answer internet host queries for internal people (external as well
> I guess).
> The server on the Sprint network will be a registered slave of the
> registered primary on AT&T.
>
> The above is the setup for which I would like verification.  Following
> is what I would like clarification on;
>
> What are the consequences of running 2 primary servers?  Since they are
> separated by a firewall I assume that only allowing forwards from the
> internal to external will keep the rest of the world from having issues
> but what about these 2 servers in particular?  Is there any other
> communication between these 2 that is passed by forwarding?
>
> Thanks.
>
> ~JK
>
> Jeff Kennedy wrote:
> >
> > Greetings all,
> >
> > I don't know if that's even the correct description for what I want
> > .....
> >
> > My setup is the following:
> >
> > 2 ISP's - AT&T and Sprint.  All dns is done in-house (locally).
> >
> > One primary dns server on AT&T network (firewall) and one slave internal
> > on AT&T
> > All servers on Sprint point to primary for dns (so they go across the
> > internet for dns lookups and resolution).
> > I have only one zone for the domain (both networks are under
> > mydomain.com)
> >
> > I want to have a slave on Sprint that only broadcasts the servers on
> > Sprint.  I have the cricket book, 3rd edition, but am not sure what I'm
> > looking for.
> >
> > Here is my best guess at the moment:
> >
> > I need to setup a slave on the Sprint network and restrict zone
> > transfers for this machine on the primary to just the files I want it to
> > broadcast.  But if I have only one zone how do I restrict part of a
> > zone?  I know this is not the ideal setup but for now I have to deal
> > with it.
> >
> > Eventually I would like to move the primary server internal and have a
> > slave on the dmz and Sprint that only broadcast a limited name space.
> >
> > Thanks.
> >
> > --
> >
> > ===================
> > Jeff Kennedy
> > UNIX Administrator
> > AMCC
> > jkennedy at amcc.com
>
> --
>
> ===================
> Jeff Kennedy
> UNIX Administrator
> AMCC
> jkennedy at amcc.com
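As an added illustration of the arrangement Kevin describes (not part of the original thread): three named.conf fragments, one per nameserver instance, in BIND 9 syntax. The external primary has recursion switched off, the forwarder on the same DMZ box recurses only for internal clients, and the internal primary forwards everything outside its own zone. All addresses, directories, file names and the 10.0.0.0/8 internal range are assumed placeholder values.

```conf
// ---- Instance 1: external primary (DMZ box, authoritative only) ----
options {
    directory "/var/named/external";
    listen-on { 192.0.2.53; };          // DMZ address; placeholder value
    recursion no;                       // cannot be used as an open resolver
    allow-query { any; };
    allow-transfer { 198.51.100.53; };  // the registered slave at the other ISP
};
zone "mydomain.com" {
    type master;
    file "mydomain.com.external";       // stripped-down shadow zone
};

// ---- Instance 2: forwarder (same DMZ box, second address, caching-only) ----
options {
    directory "/var/named/forwarder";
    listen-on { 192.0.2.54; };          // second address on the same box
    recursion yes;
    allow-query { 10.0.0.0/8; };        // assumed internal range
    allow-recursion { 10.0.0.0/8; };    // never recurse for outside clients
};
zone "." {
    type hint;                          // root hints only; no zones served
    file "named.root";
};

// ---- Instance 3: internal primary (inside the firewall) ----
options {
    directory "/var/named/internal";
    recursion yes;
    allow-query { 10.0.0.0/8; };
    allow-recursion { 10.0.0.0/8; };
    forwarders { 192.0.2.54; };         // the DMZ forwarder, not the external primary
    forward only;                       // off-zone queries go only to the forwarder
};
zone "mydomain.com" {
    type master;                        // answered locally; never forwarded
    file "mydomain.com.internal";       // full internal host list
};
```

Because the internal primary is authoritative for mydomain.com, only names outside that zone ever reach the forwarder, which is why the forwarder's own "primary" role for the shadow zone never comes up in that exchange.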