Split Namespace question.

Barry Margolin barmar at genuity.net
Mon Nov 5 18:45:52 UTC 2001


In article <9s6la3$104 at pub3.rc.vix.com>,
Cinense, Mark <macinen at sandia.gov> wrote:
>
>I will be using Bind9, and would like to implement a split namespace on the
>current environment.  In reading the DNS & Bind 4th edition, it talks about
>a bastion host.  In my environment, I have internal and external
>nameservers, but no bastion host.  In order to do a split namespace is a
>bastion host required?  If not, how could I do this with only internal and

The book is assuming you only have one server host, which is the bastion
host, and explains how to use the "views" mechanism to implement split
DNS.  If you have separate servers then you don't have to do anything special.

>external nameservers, and how do the zone files work, will I need to create
>a separate zone file for internal and external zones.  One other question is

Yes, the internal server will have the internal zones, and the external
server will have the external zones.  If a name should be usable from both
internal and external clients (e.g. www.<domain>) you'll have to put it in
both zone files.

>how does the nameserver know what information to give and to whom, I know
>you set up ACLs, but how does that work.

The internal nameserver should not be mentioned in delegation records, so
the rest of the Internet won't know about it.  It should be put in the
resolver configurations of all your internal client machines.

The internal nameserver should have an allow-query option that only lists your
internal address blocks.  E.g. if your LAN uses 199.198.100.x, you would
use:

  allow-query { 199.198.100.0/24;};

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
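
The two-server layout described in the reply above, written out as an added example that is not part of the original post: one named.conf and one zone file per server, with www present in both versions of the zone. The zone name example.com, the file names, the /var/named directory, the host names and every address other than the 199.198.100.0/24 block are constructed for illustration.

```conf
// ===== internal server: named.conf (constructed example) =====
acl "internal" { 199.198.100.0/24; };      // LAN block used in the post
options {
    directory "/var/named";                // assumed path
    allow-query { "internal"; };           // queries from any other source are refused
};
zone "example.com" {
    type master;
    file "db.example.com.internal";        // internal version of the zone
};

// ===== external server: named.conf (constructed example) =====
options {
    directory "/var/named";                // assumed path
};
zone "example.com" {
    type master;
    file "db.example.com.external";        // external version of the zone
};

; ===== internal server: db.example.com.internal =====
$TTL 3600
@        IN SOA ns-int.example.com. hostmaster.example.com. ( 2001110501 3600 900 604800 3600 )
         IN NS  ns-int.example.com.
ns-int   IN A   199.198.100.2
www      IN A   192.0.2.80                 ; usable from both sides, so listed in both files
files    IN A   199.198.100.10             ; internal-only name, absent from the external file

; ===== external server: db.example.com.external =====
$TTL 3600
@        IN SOA ns-ext.example.com. hostmaster.example.com. ( 2001110501 3600 900 604800 3600 )
         IN NS  ns-ext.example.com.
ns-ext   IN A   192.0.2.53
www      IN A   192.0.2.80                 ; same record as in the internal file
```

Only ns-ext appears in the parent zone's delegation records; internal clients reach ns-int through their resolver configuration, as the reply describes.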

