internal/external IPs and DNS

Kevin Darcy kcd at daimlerchrysler.com
Mon Dec 18 23:59:16 UTC 2000


Joseph S D Yao wrote:

> On Sun, Dec 17, 2000 at 08:40:24PM +0000, Daniel Flesner wrote:
> > Is it okay to place my internal machines and their 10.x.x.x numbers on
> > my external DNS machine? I only have one server machine and was wishing
> > to use it for both internal and external address resolution. This won't
> > cause any conflicts with other external networks, will it?
> >
> > thanks for any help (amateur sys adm!),
>
> You should not.
>
> Use two name servers - one for internal, and one for external.

Split DNS, in other words. Of course, this doesn't necessarily imply that
one needs two nameserver *boxes*, only two nameserver *instances*, and with
BIND 9's "view" mechanism, even that is not strictly necessary. In the case
of two nameserver instances on one machine, if the box has only one physical
interface, with most OSes it would be possible to configure a "virtual" one
for the other instance to listen on.

Actually, split DNS isn't strictly necessary in this situation at all. It
would be OK to use a single nameserver instance and single "view", as long
as external clients were not permitted to query the internal names.
Unfortunately, allow-query only works, at its finest granularity, on a
zone-by-zone basis. So this means grouping internal names and/or external
names into one or more subdomains and/or delegating _individual_ names as
zones. This can get really ugly really fast. Another advantage of going the
split DNS route is that in that case, outsiders don't even see the
delegations, so they don't see, for example, a delegation for
"internal.example.com". Arguably this makes potential crackers less curious
and your DNS less likely to be attacked. Yes, it's the old
security-by-obscurity bugaboo yet again...


- Kevin
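The BIND 9 "view" arrangement Kevin describes, as an added named.conf sketch that is not part of the original thread: one nameserver instance serves two copies of example.com, and only clients matching the internal ACL ever see the 10.x.x.x records or the "internal.example.com" delegation. Zone file names and the 10.0.0.0/8 range are assumptions for illustration.

```conf
// Assumed address range for the internal network; adjust to your own.
acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Never answer recursive queries from the Internet at large.
    allow-recursion { "internal-nets"; };
};

// View seen by internal clients: full data, recursion allowed.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;

    zone "example.com" {
        type master;
        // Assumed file: carries 10.x.x.x hosts and the
        // delegation/records for internal.example.com.
        file "example.com.internal";
    };

    zone "internal.example.com" {
        type master;
        file "internal.example.com";   // assumed file name
    };
};

// View seen by everyone else: public names only, no recursion.
// Outsiders get no hint that internal.example.com exists.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "example.com.external";   // assumed file: public hosts only
    };
};

// The single-view alternative Kevin mentions, for comparison: without
// views, the narrowest control is per zone, so internal names must be
// carved into their own zone just to restrict who may query it.
//
// zone "internal.example.com" {
//     type master;
//     file "internal.example.com";
//     allow-query { "internal-nets"; };
// };
```

Once views are in use, every zone must live inside a view; a quick check that the external view really leaks nothing is to query the server for an internal name from an address outside the ACL and confirm it answers NXDOMAIN or REFUSED rather than a 10.x.x.x address.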
