Split DNS, Firewalls, Forewarders, etc

Kevin Darcy kcd at daimlerchrysler.com
Thu Feb 3 19:42:01 UTC 2000


No, "forwarders only" is a little bit of a misnomer: a server won't forward if
it's authoritative for the answer or the answer is in its cache.


- Kevin

dave.goldsmith at intelsat.int wrote:

> If I do that, won't it make the internal DNS servers 'forwarders' only ...
> thus meaning that request from an internal client to the internal DNS server
> for an internal name would get forwarded out to the external DNS server
> (which does not have the information)?
>
> Dave Goldsmith
>
> -----Original Message-----
> From: Barry Margolin [mailto:barmar at bbnplanet.com]
> Sent: Friday, January 21, 2000 4:53 PM
> To: comp-protocols-dns-bind at moderators.uu.net
> Subject: Re: Split DNS, Firewalls, Forewarders, etc
>
> In article <490B4C213EC8D211851F00105A29CA5ADD14C5 at admex1.adm.intelsat.int>,
>  <dave.goldsmith at intelsat.int> wrote:
> >We would like to have the internal DNS servers resolve queries for internal
> >hosts for which they are authoritative and for other names external to the
> >organization, the internal DNS servers should forward the request to the
> >external DNS server in the DMZ.  That server should be the only one that
> >send DNS requests out to the Internet.
> >
> >Is this currently possible with any of the 8.2 versions or do we need to
> >wait for 9.x which indicates much greater support for this type of
> >configuration.  Also, we do NOT want to run a DNS server on the firewall
> >itself.
>
> This is possible with 8.2 (and even with 4.x).  Just configure:
>
> options {
>   forwarders { <address of DMZ server>; };
>   forward only;
> };
>
> and configure your firewall to allow outbound DNS queries only to the DMZ
> server.
>
> --
> Barry Margolin, barmar at bbnplanet.com
> GTE Internetworking, Powered by BBN, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the
> group.
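The configuration the thread converges on, written out as an added example (not from any poster in the thread): an internal server that is authoritative for its own zone and forwards everything else to the DMZ server, plus the DMZ server that is the only host allowed through the firewall on port 53. BIND 9 `named.conf` syntax is used; `forwarders` and `forward only` are the same in 8.2, as Barry notes. The zone name `corp.example`, the DMZ address `192.0.2.53` and the internal range `10.0.0.0/8` are placeholders.

```conf
// ---- file 1: named.conf on an INTERNAL server ----
options {
    directory "/var/named";

    // Anything this server is not authoritative for, and does not already
    // hold in its cache, is sent to the DMZ server. "forward only" means it
    // never falls back to asking the root/Internet servers itself, which is
    // what keeps the internal server from needing outbound access.
    forwarders { 192.0.2.53; };   // placeholder: DMZ resolver address
    forward only;

    // Answer internal clients only (assumption: 10/8 is the internal net).
    allow-query { 10.0.0.0/8; 127.0.0.1; };
};

// Queries for corp.example are answered from this zone and are NOT
// forwarded, because the server is authoritative for it (Kevin's point).
zone "corp.example" {
    type master;
    file "corp.example.db";       // placeholder zone file
};

// Reverse zone for the internal range, so PTR lookups also stay inside.
zone "10.in-addr.arpa" {
    type master;
    file "10.in-addr.arpa.db";    // placeholder zone file
};

// ---- file 2: named.conf on the DMZ server ----
options {
    directory "/var/named";

    // This host is the single point the firewall lets out on port 53.
    // Recurse only on behalf of the internal servers, never for the
    // Internet at large, so it cannot be used as an open resolver.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
};
```

Two things to check once this is in place. First, `forward only` has no fallback: if the DMZ server is down, every non-authoritative, non-cached lookup on the internal servers fails rather than going to the roots, so monitor the DMZ resolver as a dependency. Second, any internal name that is not covered by a zone the internal server is authoritative for (an undelegated subdomain, a typo in the zone statement) falls into the "forward" path and is sent to the DMZ server; restricting outbound port 53 at the firewall to `192.0.2.53` is what stops the internal servers, and any client that bypasses them, from asking the Internet directly.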