Newbie - config questions

Bryan Tonnet batonnet at
Wed Mar 1 00:10:26 UTC 2000

> Seems reasonable to me, as far as it goes. The interesting part,
> however, is how you set up the authority for the company domain.
> Both your internal BIND server and the primary at the ISP should
> be primaries for that, but with different zone contents.

I see.  From what you say below, however, the internal BIND should
contain all known addresses (real or IP masqueraded), whilst the ISP has
only the subset of 'real' addresses?

> That's more of an administrative rather than technical issue.
> Personally, I prefer to have full control over my domain, so I would
> always make my own server the primary and have the ISP's servers as
> secondaries. But if it is more practical for you to have your zone
> files maintained by your ISP, that's ok too.

Hmmm.  I wondered about this.  Two things I don't understand.

If I make an internal machine the primary, and ask the ISP to secondary
the zone, how do I stop the 192.168.x.y addresses from being xfer-ed up
to the ISP?

Which machine would be my primary?  An internal machine would be IP
masqueraded, and not accessible from the ISP's secondary BIND, and a
perimeter net machine might be more vulnerable to attack.  Or am I being
too paranoid on this latter point?

> You have to duplicate your entire externally visible domain on your
> internal nameserver. If the internal nameserver is configured as
> authoritative for the domain then it will return NXDOMAIN for any
> name it cannot find in that domain. It will *never* forward queries
> for that zone to a forwarder.

Yes, that makes sense, I hadn't considered that.  What I meant, however,
was the domain by itself.  e.g. nslookup from outside
resolves to our gateway machine, but the same from internal gets an
immediate error.  I've tried A and CNAME records to no avail.

Thanks in advance

Bryan Tonnet
bryan at
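The two questions above (keeping 192.168.x.y out of what the ISP's secondary transfers, and whether the masqueraded internal machine can be the primary the outside world points at) both come down to the point in the quoted reply: the external primary must hold a different zone than the internal one. The script below is an added example, not code from this thread or from BIND. It assumes a zone origin of example.com and a small constructed zone file; it derives the external zone from the internal one by dropping every A record in RFC 1918 space (10/8, 172.16/12, 192.168/16) and any CNAME that would then dangle, and it flags NS or MX records that still refer to a name with no public address, which is exactly what happens if the NS record names the masqueraded internal host.

```python
import ipaddress

# Constructed sample internal zone for the hypothetical origin example.com
# (not taken from the thread). 203.0.113.0/24 is a documentation range.
INTERNAL_ZONE = """\
$TTL 86400
@        IN SOA   ns1.example.com. hostmaster.example.com. (2000030101 3600 900 604800 86400)
@        IN NS    ns1.example.com.
@        IN NS    ns.isp.example.net.
@        IN A     203.0.113.10
ns1      IN A     192.168.1.2
gateway  IN A     203.0.113.10
www      IN CNAME gateway
mail     IN A     192.168.1.5
intranet IN CNAME mail
"""

# RFC 1918 private ranges, listed explicitly rather than via ip_address().is_private
# (which would also treat documentation ranges such as 203.0.113.0/24 as private).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(rdata):
    """True if rdata is an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_records(zone_text):
    """Parse a simple one-record-per-line zone file into (owner, type, rdata) tuples."""
    records, last_owner = [], "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip() or line.startswith("$"):  # skip blanks and $TTL/$ORIGIN
            continue
        fields = line.split()
        if line[0].isspace():                         # leading blank: owner repeats
            owner, rest = last_owner, fields
        else:
            owner, rest = fields[0], fields[1:]
        if rest and rest[0].upper() == "IN":          # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
        last_owner = owner
    return records


def relative(name, origin):
    """Return the in-zone relative label for name, or None if it lies outside origin."""
    if not name.endswith("."):
        return name                                   # already relative
    if name == origin + ".":
        return "@"
    suffix = "." + origin + "."
    return name[: -len(suffix)] if name.endswith(suffix) else None


def build_external_zone(records, origin):
    """Drop RFC 1918 A records and dependent CNAMEs; warn about NS/MX that would dangle."""
    kept, dropped, warnings = [], set(), []
    for owner, rtype, rdata in records:
        if rtype == "A" and is_rfc1918(rdata):
            dropped.add(owner)
            continue
        kept.append((owner, rtype, rdata))
    # A name is only "gone" if it has no remaining public address record.
    gone = dropped - {o for o, t, _ in kept if t in ("A", "AAAA")}
    external = []
    for owner, rtype, rdata in kept:
        target = relative(rdata.split()[-1], origin) if rtype in ("CNAME", "NS", "MX") else None
        if target in gone:
            if rtype == "CNAME":                      # would point at a name we removed
                warnings.append(f"dropped CNAME {owner} -> {target} (no public address)")
                continue
            warnings.append(f"{rtype} record at {owner} names {target}, which has no public address")
        external.append((owner, rtype, rdata))
    return external, warnings


def render(records):
    """Render records back into zone-file lines."""
    return "\n".join(f"{o:<9}IN {t:<6}{r}" for o, t, r in records) + "\n"


if __name__ == "__main__":
    ext, warns = build_external_zone(parse_records(INTERNAL_ZONE), "example.com")
    print(render(ext))
    for w in warns:
        print("WARNING:", w)
```

Generating the ISP-facing zone this way means the external primary never holds private addresses, so there is nothing to stop at transfer time; on the external primary itself, BIND's `allow-transfer` on the zone can additionally be limited to the ISP secondary's address. The warning about the NS record is the second question in practice: whichever host the outside world's NS records name must have a public address and be reachable by the ISP's secondary, so the masqueraded internal machine can be the master of the internal zone, but not the host named in the external delegation.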
