Please help: Internal roots for all MX and Internet namespace for the rest of the DNS lookups?

Kevin Darcy kcd at daimlerchrysler.com
Fri Oct 20 01:22:37 UTC 2000


We're set up almost identically to you, and that "proxyless access" requirement
really breaks the paradigm upon which such an architecture is built. The only
thing I can think of offhand is to modify the software/configuration of the
FTP/telnet/etc. clients, or the mail clients, so that they use different sets
of nameservers, or some other naming service completely, e.g. (shudder) NIS, or
(blech) /etc/hosts, or some set of rules to determine where to connect (this is
probably impractical for FTP/telnet/etc., but rule-based mail routing is fairly
common).

Personally, I'd try to dissuade anyone from offering "proxyless access" in the
first place. Is it really worth the cost and hassle of kludging up a perfectly
good internal-root-and-MX-based-routing architecture? And isn't proxyless
access inherently less secure anyway than proxied access? And what about the
default route issue? There can be only one default route. If you point that at
the Internet, what happens when you want to connect to half a dozen other B2B
"mini-Internet" supply-chain networks, and they all want "proxyless
access" because now you've set a precedent? You can't have the default route
point at *all* of them. So now you're in the routing-registry business. Yuck.


- Kevin

bandired at aatphones.com wrote:

> I have a set of internal root servers and a set of DNS servers outside the
> firewall to serve as our DNS servers for the Internet and also be the name
> servers for a few of our hosts that are allowed to talk directly to Internet
> hosts. All our servers are running BIND 8.2.2.
> I have wildcard MX entries set up to send all e-mail destined to a domain
> other than our domain to an internal mail gateway that relays it to the
> external mail gateway. All our internal clients are set up to use the proxy
> servers (which can query the Internet namespace) for http/ftp access. This
> setup works fine ... all e-mail is routed just the way we wanted it to and
> web access works fine.
>
> The problem is that we need to allow all internal clients to be able to
> access the Internet namespace (for proxyless ftp/telnet etc. through the
> firewall) for anything except MX queries, which we still want to point to the
> internal mail gateway. I have forwarders set up on our internal root servers,
> stupidly hoping that it would work while contradicting itself... which
> obviously it did not.
>
> How do I set up my DNS structure to let all MX records point to my
> internal mail gateway and still be able to do the rest of the Internet DNS
> lookups?
>
> Thanks
> Madhu
>
> Madhu Bandireddy
>
> Advanced American Telephones
>
> bandired at aatphones.com
>
> Phone: 973-461-2046
>
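The internal-root-plus-wildcard-MX arrangement the quoted post describes, written out as a constructed BIND zone file for the internal root zone (an added example, not configuration from either poster; all hostnames and addresses are placeholders):

```zone
; Constructed example: the "." zone served as a master zone on the internal
; root servers. Names and addresses are placeholders, not a real deployment.
$TTL 86400
@       IN SOA  root1.corp.example. hostmaster.corp.example. (
                2000102001 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; negative-caching TTL
        IN NS   root1.corp.example.
        IN NS   root2.corp.example.
root1.corp.example. IN A    10.0.0.1
root2.corp.example. IN A    10.0.1.1

; Delegate the company's own namespace to its internal authoritative servers
; (glue A records are required because the servers live under the delegation).
corp.example.       IN NS   ns1.corp.example.
corp.example.       IN NS   ns2.corp.example.
ns1.corp.example.   IN A    10.0.0.53
ns2.corp.example.   IN A    10.0.1.53

; Wildcard MX: any name that does not otherwise exist in this root zone, i.e.
; every external domain, is synthesized an MX pointing at the internal mail
; gateway, which relays to the external gateway. The gateway's own A record
; belongs in the delegated corp.example zone, not here.
*.                  IN MX   10 mailgw.corp.example.
```

A wildcard only synthesizes records of the type it carries, so an A query for an external hostname gets an empty (NODATA) answer from these roots rather than an Internet address; that is why the clients need proxies, and why "proxyless access" cannot be bolted onto this design without a second naming path.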

More information about the bind-users mailing list