Internal DNS / External DNS

Kevin Darcy kcd at daimlerchrysler.com
Tue Oct 17 19:20:15 UTC 2000


Why not just propagate the reverse zone to the DMZ via forward/slave/stub? You can put ACLs on the
zone to prevent prying eyes from seeing it, and even if that failed, presumably a cracker wouldn't gain
much by learning about nodes in a private address space behind a firewall.


- Kevin
Kubon, Marcus wrote:

> Hi everybody,
>
> in our company, we use 2 DNS-Servers, one for the internal Network and one official
> DNS Server. If somebody from our internal network is communicating with a system
> in the DMZ, some DMZ-machines do a reverse lookup asking our official DNS.
> In our official DNS, the internal hosts were certainly not configured.
> So he sends a DNS lookup to the internet. And this causes a time delay.
> My idea was to configure a primary xxx.xxx.in-addr.arpa zone (xxx.xxx is the internal Network)
> on this DNS with an empty zonefile. (our internal network is a part of the private address space)
> Our internal DNS has of course the same xxx.xxx.in-addr.arpa file, but filled with our internal hosts.
> He uses our official DNS as a forwarder for DNS lookups outside the company.
>
> To summarize:
> I want to configure the internal net on our external DNS with an empty zonefile. Both the
> internal and the external DNS would be primary DNS for this zone, and the internal DNS uses
> the external DNS as a forwarder.
>
> Do you expect any problems or do you have a different configuration proposal for my problem?
>
> Thanks
>
> Marcus
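As an added example that is not part of either post, here is what the two arrangements discussed above (Kevin's "propagate the reverse zone to the DMZ and ACL it", and Marcus's "internal server forwards to the external one") look like in BIND `named.conf` syntax. All addresses are constructed placeholders, not values from the thread: the internal network is assumed to be 10.10.0.0/16 (so the reverse zone is `10.10.in-addr.arpa`), the internal master is 10.10.0.53, the DMZ is 192.0.2.0/24 and the external server is 192.0.2.53.

```conf
// ---- External / DMZ-facing server (192.0.2.53) ----
// Assumed placeholder networks; substitute your own prefixes.
acl "internal" { 10.10.0.0/16; };
acl "dmz"      { 192.0.2.0/24; };

options {
    // Recursion only for our own networks; the Internet sees authoritative data only.
    allow-recursion { "internal"; "dmz"; localhost; };
};

// Kevin's suggestion: carry a copy of the internal reverse zone here so that
// DMZ hosts' PTR lookups are answered locally instead of going to the Internet,
// and hide the zone from outside queriers with an ACL.
zone "10.10.in-addr.arpa" {
    type slave;                 // "type stub" pulls only SOA/NS and then asks the
    masters { 10.10.0.53; };    // internal master per lookup; "type forward" with
    file "slave/10.10.in-addr.arpa";   // forwarders { 10.10.0.53; } is the third option
    allow-query    { "internal"; "dmz"; localhost; };   // outsiders get REFUSED
    allow-transfer { none; };                           // nobody may AXFR it from here
};

// ---- Internal server (10.10.0.53) ----
options {
    // Marcus's setup: everything not answered locally goes to the external server.
    forwarders { 192.0.2.53; };
    forward only;
};

// Authoritative copy with the real internal hosts; the zone is answered here
// before the forwarder is ever consulted, so the slave on the DMZ side never
// shadows it.
zone "10.10.in-addr.arpa" {
    type master;
    file "master/10.10.in-addr.arpa";
    allow-transfer { 192.0.2.53; };     // only the DMZ slave may pull it
};
```

Two practical notes on Marcus's original proposal of a separate, empty master zone on the external server: a BIND zone file cannot be literally empty, it needs at least an SOA record and an NS record or the zone will not load; and the external server would then answer NXDOMAIN authoritatively for every internal PTR query, so the `allow-query` ACL above matters just as much in that variant, since an authoritative empty zone with no ACL still tells the Internet which private prefix you use. With a `stub` or `forward` zone, the internal master must also accept queries from the DMZ server's address for the chain to work.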
