Any Advice?

Kevin Darcy kcd at
Tue Mar 20 22:20:51 UTC 2001

One big thing you left out is whether you have a requirement for your internal
clients to be able to resolve Internet names or not. If your firewalls are
proxy-type firewalls, you may have no such requirement. In that case, I'd
recommend setting up an internal-root architecture and not forwarding at all.
Your internal and external DNS would essentially be isolated from one another.
But then, you have to configure your firewalls specially so that they have a
view of *both* DNS "universes" (I accomplish this by running
"private" nameserver instances on the firewalls which can resolve both internal
and external names).

Assuming that you *do* have a resolve-Internet-names-internally requirement,
however, and further assuming that you don't want to open up Internet
DNS access to *all* of your internal nameservers, then you'll have to set up
forwarding. Use "forward only" in this case, rather than the default "forward
first", since you don't want your nameservers wasting resources trying to use
Internet root nameservers if queries to their forwarders time out.

Note that a BIND nameserver only forwards a query if it can't find the answer
in its cache or authoritative data. So if you want your internal clients to
have a *full* view of your domain(s), including both internal and external
entries, then you need to maintain the external entries in both the internal
and external versions of those domains -- the internal nameservers won't "fail
over" to forwarding if they don't find the name in their authoritative zone(s);
they'll respond that the name doesn't exist, since they consider themselves to
have full knowledge of those zone(s).

- Kevin

Patrick W. Rateliff wrote:

> Currently we have 2 DNS servers, 1 external for our class C and then an
> internal that is supposed to handle all our private IP addresses.
> These DNS servers are currently running on NT boxes and they are starting to
> give me some trouble.
> I want to move all the DNS servers to separate boxes running Linux or a BSD.
> That being said, I am trying to figure out a setup scheme.
> Would I make the internal the master for the internal sites and then slave a
> couple of other DNS servers at various locations to that for our internal
> sites?
> Would I then have an external master with a backup and then have the
> forwarding set up from internal to external?
> Just need some advice here.  I have the O'Reilly book and am reading through it,
> and any other bit of information I can find, but I need to have this set up
> and working by Friday, and it's all fairly new to me.
> Thanks.

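An added illustration of the forwarding setup described in the reply above (this is example configuration written for this page, not part of the original post): a BIND 9 style named.conf for the internal master, showing the default "forward first" beside the recommended "forward only", and an internal copy of the company zone that must carry the public entries itself, since an authoritative server answers NXDOMAIN rather than forwarding for names it does not hold. The domain (example.com), the addresses (10.0.0.0/8 internally, 192.0.2.53 for the DMZ/external nameserver, 10.0.1.53 and 10.0.2.53 for internal slaves) and the file paths are assumptions, not values from the thread.

```conf
// Added example (not from the original post): internal BIND 9 master that
// forwards Internet queries to an external/DMZ nameserver.
// Assumed names/addresses: example.com, 192.0.2.53 (DMZ nameserver),
// 10.0.0.0/8 (internal network), 10.0.1.53 and 10.0.2.53 (internal slaves).

options {
    directory "/var/named";

    // Weak setting (BIND's default): "forward first" queries the forwarders
    // and, if they time out, falls back to iterative resolution via the
    // Internet roots. The firewall blocks that for this host, so every miss
    // costs an extra timeout before the failure is reported.
    //   forward first;

    // Recommended setting: "forward only" never tries the roots itself.
    forward only;
    forwarders { 192.0.2.53; };

    // Serve and recurse only for the internal network (assumed 10.0.0.0/8).
    allow-query     { 10.0.0.0/8; localhost; };
    allow-recursion { 10.0.0.0/8; localhost; };
};

// Internal copy of the company zone. Because this server is authoritative
// for example.com, a name missing from this zone is answered NXDOMAIN and is
// never forwarded. The public hosts (www, mail, ...) therefore have to be
// present in this internal zone file as well as in the external server's copy.
zone "example.com" {
    type master;
    file "internal/example.com.zone";
    // internal slaves at the other sites pull from here
    allow-transfer { 10.0.1.53; 10.0.2.53; };
};
```

The internal slaves at the remote sites would use the same `options` block (forward only, same forwarders) with `type slave; masters { 10.0.0.53; };` for the zone, where 10.0.0.53 is the assumed address of the internal master. The external nameserver in the DMZ holds only the public version of the zone and needs no forwarding at all.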