Bind9 on internal network.

Kevin Darcy kcd at daimlerchrysler.com
Mon Jun 25 23:13:11 UTC 2001


Ries van Twisk wrote:

> Hi,
>
> I have Bind9 running on my internal network. While I have a working situation
> I just need some more detail/examples/howto on running Bind9 on an internal
> network.
>
> My situation is like this.
> My ISP handles all external DNS queries (for www and mail).
> My internal DNS handles caching and all internal hosts/print servers etc. etc.
> which are dynamically assigned and updated using DHCP3.

Sounds like you probably need a split DNS. Just set up a regular master and
slaves internally. All of the external entries in your zone(s) need to be
maintained in your internal DNS in parallel with the external zone(s), if your
internal clients need to resolve those names. Then, in order for your internal
servers to be able to resolve Internet names outside of your own zones, either
a) open up your firewall(s) so that these servers can query Internet nameservers
(assuming that your networking/firewall infrastructure and/or security policies
allow this) or b) configure the internal servers to forward somewhere (presumably
to your ISP's nameservers) in order to resolve those names. To implement (a), all
you need to do is configure the internal servers with an Internet root hints
file. For (b), you should configure "forwarders" and "forward only" in your
servers' configurations.

Note that even if your internal servers can query Internet nameservers directly
for names, you may find (after extensive testing and verification of course) that
you can enhance query performance by forwarding to your ISP's nameservers. In
this case, configure the servers for forwarding, but specify "forward
first" instead, so that they will fall back to the other method in case your
forwarders are unavailable.

Another alternative to consider is putting your own forwarder in your
extranet/DMZ or using a firewall as a forwarder. In all cases, though, make sure
that the nameservers you use for resolving Internet names are only accessible
from internal clients (for the DMZ forwarder case, you could use "allow-query";
for a firewall-forwarder, an alternative would be to set "listen-on" to only
listen on the internal and/or loopback interfaces). Denying recursive nameservice
to external clients prevents certain Denial of Service attacks and certain forms
of DNS spoofing, as well as preventing people from mooching off your nameservers
for their name-resolution service.


- Kevin
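The following named.conf fragment is an added illustration of the setup Kevin describes; it is not from the original post or from the BIND distribution. It shows an internal master that keeps an internal copy of the external zone, forwards Internet names to the ISP (option b, with the "forward first" fallback to root hints commented beside it for option a), and restricts queries and recursion to internal clients with "listen-on", "allow-query" and "allow-recursion". The zone name (example.com), the address ranges, the ISP forwarder addresses (RFC 5737 documentation addresses) and the file paths are assumptions.

```conf
// Added example: internal resolver + master for a split DNS.
// All names, addresses and paths below are assumed, not taken from the post.

acl "internal" {
    127.0.0.0/8;       // loopback
    10.0.0.0/8;        // assumed internal network
};

options {
    directory "/var/named";

    // Only listen on the loopback and the internal interface (assumed 10.0.0.1),
    // so external hosts cannot reach this resolver at all.
    listen-on { 127.0.0.1; 10.0.0.1; };

    // Belt and braces: even on a reachable interface, refuse queries and
    // recursion from anything that is not an internal client.
    allow-query     { internal; };
    allow-recursion { internal; };

    // Option (b): forward names we are not authoritative for to the ISP.
    // "forward only" never resolves iteratively; swap in "forward first"
    // to fall back to the root hints below if the forwarders are down.
    forward only;
    // forward first;
    forwarders { 192.0.2.53; 192.0.2.54; };   // assumed ISP resolvers
};

// Option (a): root hints. Needed if you do not forward, or if you use
// "forward first" and want the fallback to work.
zone "." IN {
    type hint;
    file "named.root";
};

// Internal copy of the external zone. Every name the ISP publishes for
// example.com must also be kept here, alongside the internal-only hosts.
zone "example.com" IN {
    type master;
    file "master/example.com.zone";
};

// Reverse zone for the assumed internal range.
zone "10.in-addr.arpa" IN {
    type master;
    file "master/10.in-addr.arpa.zone";
};
```

Internal slaves would carry the same options block but declare the two zones with "type slave" and a "masters" list pointing at the master above. After loading the configuration, the useful check is to query the server once from an internal address and once from outside the firewall for an Internet name: the internal query should succeed, while the external one should be refused (or, with "listen-on" restricting interfaces, never connect), which confirms that recursion is not exposed.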