Forwarding from Internal DNS server.

union union at icon.co.za
Thu Feb 3 12:15:34 UTC 2000


Hi Kevin, Jim

Thanks for your replies.

With my original forwarding question, would it help if I upgrade my version
of bind to 8.x.x and create a "view" to forward on NXDOMAIN to my ISP's DNS,
from my internal root server???

union at icon.co.za

Kevin Darcy <kcd at daimlerchrysler.com> wrote in message
news:389744A6.86727B48 at daimlerchrysler.com...
> Jim Reid wrote:
>
> > >>>>> ">" == union  <union at icon.co.za> writes:
> >
> >     >> Hi, What I would like to try and get right is get my internal
> >     >> root server to forward all unresolved queries to my ISP's DNS
> >     >> system.
> >
> > By definition a root server cannot have any unresolved queries because
> > it knows definitively what's in the root zone. Any names that are not
> > in that root domain simply don't exist. So your internal root will be
> > in its own self-contained name space, well away from the internet name
> > space. [Perhaps per-zone forwarding for every Internet TLD might work
> > with BIND8.2, but setting that up and maintaining it would be a
> > nightmare. I wouldn't like to try it.]
> >
> > So if you want to resolve external names, you need to use other name
> > servers which use the internet's name space. Getting your firewalls to
> > run those servers is probably the best approach. This still doesn't
> > solve your problem. You'll need proxy servers to handle things like
> > access to Internet web servers. These will have to use the firewall
> > name servers to resolve external names. The firewall name servers will
> > also need to resolve your internal names - the internal top-level
> > domains - so that these proxies can also resolve names and addresses
> > on the intranet.
> >
> > As for mail, you will probably have to configure your internal mail
> > systems to recognise non-local domain names in addresses and forward
> > those messages to a smart system which can deliver them to the outside
> > via the firewalls.
>
> I thought the point of the exercise was to try and send mail out a
> "nearby" Internet connection whenever possible; sending everything to a
> "smart" system would seem to mostly defeat that purpose, since by the
> time the "smart" system has figured out how best to send out the message,
> it's already travelled across the WAN, and might have to travel even
> further across it to get to the closest firewall.
>
> If the network topology lends itself to this approach, maybe a big
> round-robin with "sortlist" games might be a better way to go (????).
>
> Or just bite the bullet and maintain multiple, location-specific mail
> configurations...
>
>
> - Kevin

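As an added example that is not part of any message in this thread, this is what the per-zone forwarding Jim mentions in passing looks like in a BIND 8.2-style named.conf: the server stays authoritative for an internal root, and each Internet TLD that clients need gets its own forward zone pointed at the ISP's resolvers. The zone file names and the 192.0.2.x forwarder addresses are constructed placeholders.

```conf
// Added example, not configuration from anyone in this thread.
// File names and resolver addresses below are constructed placeholders.

options {
    directory "/var/named";
    // Deliberately no global "forwarders": a server that is master for "."
    // never has an unresolved query to hand off, so global forwarding
    // would never be used for names outside the zones it knows.
};

// Internal root: any name not covered by a zone below is answered
// with an authoritative NXDOMAIN by this server.
zone "." {
    type master;
    file "db.internal-root";        // constructed file name
};

// Internal top-level domain, served locally.
zone "corp" {
    type master;
    file "db.corp";                 // constructed file name
};

// Per-zone forwarding (BIND 8.2 "type forward" zones), one per Internet
// TLD. The most specific zone match wins, so www.example.com is sent to
// the ISP's resolvers even though "." is held locally. Every TLD that
// internal clients need must be listed, and the list has to track
// additions to the public root; that upkeep is the maintenance burden
// the thread warns about.
zone "com" {
    type forward;
    forward only;                   // never try to recurse on our own
    forwarders { 192.0.2.53; 192.0.2.54; };   // constructed ISP resolvers
};

zone "net" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};

zone "za" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};
```

After loading this, a lookup under a listed TLD should return the ISP's answer, while a name under an unlisted TLD should come back as NXDOMAIN from the local root; that second result is the quickest way to spot a TLD missing from the list.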

More information about the bind-users mailing list