Split Domain

Mathias Körber mathias at koerber.org
Mon Oct 23 02:19:33 UTC 2000


I don't think BIND-9 will solve his basic problem:
	a) not being admin of the outside copy of his zone
	b) wanting to 'augment' that outside copy with his own
	   internal data

BIND-9 will make this type of setup easier, but it will not solve
the basic problem that the inside view will also have to
include all the outside data, i.e. views can decide which copy
of a zone to serve, or where to forward for a specific
client, but not that if one side responds NXDOMAIN, another
nameserver (or copy of the zone) is consulted for a second try.

Unless I missed something, that is. (If I did and this is possible,
I'd like a hint!)

So whether he uses BIND-8 or BIND-9, he will end up having to incorporate
data from the outside copy of his zone into his inside copy.

regards

> -----Original Message-----
> From: news at front7.grolier.fr [mailto:news at front7.grolier.fr] On Behalf Of
> Frederic Faure
> Sent: Monday, October 23, 2000 06:28
> To: comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: Split Domain
>
>
> On 22 Oct 2000 14:00:28 -0700, Peter Koenig <Peter.Koenig at ch.tum.de>
> wrote:
> >we have a quite particular setup:
>
> Indeed, the right way to do this is to use BIND 9's view feature. I
> don't like the idea of using BIND 8's solution of two NICs on your
> DNS, with two instances of BIND running, each using a different
> version of your zone files (private/public), and each NIC listening to
> only one NIC. IMHO, all connections should go through your firewall.
>
> If you'd rather wait until BIND 9 is final, and (important) provided
> your public hosts are located in the public network (in front of the
> firewall), then you only need to copy/paste all public hosts records
> into your private DNS so that both public and private hosts are
> resolved by your private DNS.
>
> The reason being that if your private DNS says it is authoritative for
> adomain.com and its sub-zones, it will not query the public DNS at
> your ISP if it cannot resolve a name for those zones (authoritative =
> I am the authority for this zone.)
>
> //Public DNS at ISP
> www.adomain.com A <public IP address>
> mail.adepartment.adomain.com A <public IP address>
>
> //Private DNS behind firewall
> //Include both public and private hosts
> www.adomain.com A <public IP address>
> mail.adepartment.adomain.com A <public IP address>
> myprivatehost.adepartment.adomain.com A <private IP address>
>
> The fake example above assumes that the public hosts are indeed
> located in front of the firewall, in the public network.
>
> If they're located in the _private_ network (i.e. you set up static
> mapping on your firewall so they can be reached from the Net through
> the firewall), then you must use their _private_ IP address on your
> private DNS; otherwise private hosts won't be able to reach them since
> those servers are physically located in the private network.
>
> In practice, unless changes often occur in your public network, this
> copy/paste is actually a one-shot thing.
>
> For more info on how to set up DNS servers if you have a firewall in
> your LAN (as you should), please check the archives at www.deja.com
> for the long thread we had a couple of weeks ago.
>
> Good luck,
> FF.
>
>
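A BIND 9 split configuration for the setup discussed in this thread, added here as an example and not taken from either message. The ACL range, addresses, file names and the `intranet` host are assumed; the inside zone file carries the public records because, as Mathias points out, being authoritative in the inside view gives no fallback to the ISP copy on NXDOMAIN.

```conf
// named.conf fragment (BIND 9) -- constructed example, not from the thread.
// Assumed: internal clients live in 10.0.0.0/8; the zone is adomain.com.
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

// Views are tried in order; the first view whose match-clients fits the
// querying address answers, so the catch-all view must come last.
view "inside" {
    match-clients { "internal"; };
    recursion yes;
    zone "adomain.com" {
        type master;
        file "adomain.com.inside";   // public + private records
    };
};

view "outside" {
    match-clients { any; };
    recursion no;
    zone "adomain.com" {
        type master;
        file "adomain.com.outside";  // public records only
    };
};

// ---- adomain.com.inside (zone file served to internal clients) ----
// This server is authoritative for adomain.com in the inside view, so a
// name missing here is NXDOMAIN for internal clients; nothing falls back
// to the ISP copy. Every public record therefore has to be copied in.
$TTL 86400
$ORIGIN adomain.com.
@       IN SOA  ns1.adomain.com. hostmaster.adomain.com. (
                2000102301 ; serial
                3600 900 604800 86400 )
        IN NS   ns1.adomain.com.
ns1     IN A    10.0.0.53
; copied from the public (ISP) copy; 192.0.2.0/24 stands in for public space
www                 IN A 192.0.2.10
mail.adepartment    IN A 192.0.2.25
; assumed host that sits inside the firewall but is NAT-mapped from outside:
; internal clients need its PRIVATE address, as Frederic explains
intranet            IN A 10.0.5.20
; internal-only host
myprivatehost.adepartment IN A 10.1.2.3
```

Whenever the ISP copy changes, the copied records above must be updated by hand, which is the one-shot copy/paste the thread refers to.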
