Rev (Hidden Segment) Lookups in split environment

Kevin Darcy kcd at daimlerchrysler.com
Tue Mar 20 00:38:23 UTC 2001


Yes, you could achieve the same effect with allow-recursion, I suppose, but
I think there's a significant danger of messing up the allow-recursion ACL's
and accidentally allowing recursion. It's pretty hard to screw up "recursion
no", and that's why I described the multiple-instance scenario as "best
practice". In our case, we host our external DNS on firewalls, so it makes a
lot of sense for us to have a "private" (listening only to loopback and the
internal interface), recursive instance of named in addition to the "public",
non-recursive instance. Note that completely non-recursive nameserver
instances, since they never cache anything, tend not to experience any growth in
memory usage over time.


- Kevin

Thomas Duterme wrote:

> Thank you for the helpful reply.
>
> How about using bind's allow-recursion statement - > I allow
> the internal clients to have access and shut everyone else
> out.  Would this effectively do the same thing and save the
> hassle of running another instance of named?
>
> Thanks,
> Thomas
>
> Kevin Darcy wrote:
> >
> > If you have recursion turned off, then resolvers can only get what's in
> > your cache and authoritative data. Best practice is for your public
> > nameserver to turn off recursion *completely* (options { recursion no;
> > ...) so that there's no possibility of anyone external getting internal
> > data out of your nameserver's cache. Of course, that means you can't use
> > that public nameserver to resolve any internal names. Typically, one
> > would therefore run a separate "private" instance of named to provide
> > resolution of internal names.
> >
> > - Kevin
> >
> > Thomas Duterme wrote:
> >
> > > Hello everyone,
> > >
> > > I'm running a split DNS setup for my office.  On the
> > > external public IP nameservers, I want to map out the PTR
> > > records for the internal private IP segment.  Note, most of
> > > those IP addresses are private IP, but I still don't want to
> > > advertise the network topology to anyone outside the company
> > > (keeping in line with my reasoning for a split IP
> > > architecture).
> > >
> > > My current external servers restrict zone transfers and
> > > recursive queries.  Am I correct in thinking that foreign
> > > resolvers pointed to my external nameservers will NOT be
> > > able to lookup those PTR records?
> > >
> > > TIA,
> > > Thomas
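The two-instance layout Kevin describes (a public, completely non-recursive named and a second, recursive named bound only to loopback and the internal interface), sketched as a pair of BIND named.conf fragments. This is an added illustration, not configuration from the thread or from ISC; the interface addresses (192.0.2.10 public, 10.0.0.1 internal), the internal prefix 10.0.0.0/8, the zone names, the file paths and the pid-file locations are all placeholders chosen for the example.

```conf
// ---- /etc/named-public.conf : the "public" instance -------------------
// Listens on the external interface only and answers purely from its own
// authoritative zones. "recursion no" is a single switch that is hard to get
// wrong, unlike an allow-recursion ACL that must be kept correct forever.
options {
    directory      "/var/named/public";          // placeholder path
    pid-file       "/var/run/named-public.pid";  // distinct pid-file per instance
    listen-on      { 192.0.2.10; };              // placeholder external address
    recursion      no;                           // never resolve on anyone's behalf
    allow-query    { any; };                     // authoritative answers are public
    allow-transfer { none; };                    // zone transfers restricted, as in the thread
};

// Only zones meant for the outside world live here. The internal PTR
// segment from the original question is deliberately absent.
zone "example.com" {                             // placeholder zone
    type master;
    file "example.com.zone";
};

// ---- /etc/named-private.conf : the "private" instance ------------------
// Started as a second process:  named -c /etc/named-private.conf
// Bound to loopback and the internal interface, so external hosts cannot
// reach it at all; it is the only instance with a cache.
options {
    directory       "/var/named/private";
    pid-file        "/var/run/named-private.pid";
    listen-on       { 127.0.0.1; 10.0.0.1; };    // placeholder internal address
    recursion       yes;
    allow-query     { 127.0.0.1; 10.0.0.0/8; };  // placeholder internal prefix
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };  // belt and braces on top of listen-on
};

// Internal names and the private-segment reverse zone are served here only.
zone "internal.example.com" {                    // placeholder zone
    type master;
    file "internal.example.com.zone";
};

zone "10.in-addr.arpa" {                         // reverse zone for the placeholder 10/8 segment
    type master;
    file "10.in-addr.arpa.zone";
};
```

A quick check that the public instance is behaving as intended: a query sent to the external address for a name it is not authoritative for should come back without the `ra` (recursion available) flag in the response header, and the internal reverse zone should not be answerable from that address at all, because the second instance is the only one that loads it.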
