Split DNS, Firewalls, Forwarders, etc

Kevin Darcy kcd at daimlerchrysler.com
Fri Jan 21 21:38:59 UTC 2000


dave.goldsmith at intelsat.int wrote:

> A couple of questions regarding the 8.2, 8.2.2-P5 and the soon to be 9.X
> versions
>
> We have a split DNS setup. The 'official' world visible DNS server is in the
> DMZ in front of the firewall. It is world accessible and contains
> information only about the externally visible hosts.
>
> Behind the firewall, there is the 'unofficial' master and numerous slaves.
> They contain information about all the internal hosts.  Currently, all of
> the internal DNS servers that receive queries from internal hosts are allowed
> to send DNS queries out to the world.
>
> We would like to have the internal DNS servers resolve queries for internal
> hosts for which they are authoritative and for other names external to the
> organization, the internal DNS servers should forward the request to the
> external DNS server in the DMZ.  That server should be the only one that
> sends DNS requests out to the Internet.
>
> Is this currently possible with any of the 8.2 versions or do we need to
> wait for 9.x which indicates much greater support for this type of
> configuration.  Also, we do NOT want to run a DNS server on the firewall
> itself.

This is doable now. Just set global forwarding on the internal servers, and
make sure that all of them are master/slave/stub/forward for, at the very
least, the top-level zone of each internal domain, specifying "forwarders {};"
in each of the master/slave/stub zone definitions in order to disable
forwarding for any subzones of those zones.


- Kevin
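The configuration Kevin describes, written out as a named.conf fragment for one of the internal servers (this is an added example, not a file posted by either participant; the addresses 192.0.2.53 for the DMZ server and 192.168.0.0/24 for the internal network, the zone name example.com and the file paths are assumed for illustration):

```conf
// named.conf for an internal (split-view) BIND 8.2 server.
// Global forwarding: every name this server is not authoritative for is
// sent to the DMZ server instead of being looked up on the Internet.
// "forward only" means the server never falls back to its own recursion,
// so the firewall can drop outbound port 53 from everything but the DMZ.
options {
        directory "/var/named";
        forwarders { 192.0.2.53; };   // assumed address of the DMZ server
        forward only;
};

zone "." {
        type hint;
        file "root.cache";
};

// Top-level internal zone. The empty per-zone forwarders list overrides
// the global one, so names under example.com (including any subzones
// delegated inside it) are answered from local data or internal
// delegations rather than being forwarded to the DMZ.
zone "example.com" {
        type master;
        file "master/example.com";
        forwarders {};
};

// Internal reverse zone, same treatment: without the empty forwarders
// list, PTR lookups for internal addresses would leak to the DMZ server.
zone "0.168.192.in-addr.arpa" {
        type master;
        file "master/0.168.192.in-addr.arpa";
        forwarders {};
};

// On the slaves the zone statements are identical except for the type,
// and the empty forwarders list is still needed on each of them.
// zone "example.com" {
//         type slave;
//         file "slave/example.com";
//         masters { 192.168.0.10; };   // assumed address of the internal master
//         forwarders {};
// };
```

Two checks worth making after reloading: query each internal server for an internal name and for a subzone name while watching the DMZ server's query log, and confirm the DMZ server sees neither; then query an external name and confirm the DMZ server does see it. The DMZ server must also be willing to recurse on behalf of the internal servers' addresses (an `allow-recursion` list that covers them, or no restriction at all), otherwise forwarded queries will come back as refused.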