Split Namespace question.

Jozef Skvarcek jozef at photonfield.net
Mon Nov 5 19:48:28 UTC 2001


On Mon, 5 Nov 2001, Barry Margolin wrote:

> In article <9s6la3$104 at pub3.rc.vix.com>,
> Cinense, Mark <macinen at sandia.gov> wrote:
> >


> >a bastion host.  In my environment, I have internal and external
> >nameservers, but no bastion host.  In order to do a split namespace is a
> >bastion host required?  If not, how could I do this with only internal and
> 
> The book is assuming you only have one server host, which is the bastion
> host, and explains how to use the "views" mechanism to implement split
> DNS.  If you have separate servers then you don't have to do anything special.
> 
> >external nameservers, and how does the zonefiles work, will I need to create
> >a separate zonefile for internal and external zones.  One other question is
> 
> Yes, the internal server will have the internal zones, and the external
> server will have the external zones.  If a name should be usable from both
> internal and external clients (e.g. www.<domain>) you'll have to put it in
> both zone files.
> 
> >how does the nameserver know what information do give and to whom, I know
> >you setup ACL's, but how does that work.
> 
> The internal nameserver should not be mentioned in delegation records, so
> the rest of the Internet won't know about it.  It should be put in the
> resolver configurations of all your internal client machines.
> 

Wait... If I understand the suggestion above correctly, then you will have to
maintain two master servers (internal and external), using the old-fashioned
split-zone functionality. However, that will most likely kill the idea of a
single point of administration. I think that a better solution would be
setting up a single, internal master. The master would be configured for two
views. The first view would serve your internal clients and the second your
external slave server. The external slave would download only the external
data that it would provide to your external clients. Let me know if you would
like more details.

As stated above, you don't need the bastion host. Configure your firewall
so that only the external slave can talk to the internal master - you will
probably need to do NAT of the internal IP of the internal master. Use
TSIG for extra-secure zone downloads. Configure the firewall so that the
internal master can connect to any of the third-party external servers,
since I assume the internal master resolves any name for internal
clients. The external slave, which I assume is authoritative for your
domain, should preferably not perform recursion. Instead, set up a
caching external server for your company's external clients.

Jozef
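The layout Jozef describes (one internal master with two views, an external slave that pulls only the public zone over TSIG, no recursion on the authoritative slave), written out as an added BIND 9 configuration example. This is not from the original post or from the BIND project; it assumes a zone example.com, an internal network 10.0.0.0/8, an external slave at 192.0.2.53, the internal master reachable from outside through NAT as 192.0.2.10, and a TSIG key named "xfer-key" whose secret below is only a placeholder.

```conf
// ---- internal master (single point of administration): named.conf ----
// Assumed values (not from the thread): zone example.com, internal nets
// 10.0.0.0/8, external slave 192.0.2.53, internal master NATed to
// 192.0.2.10, TSIG key "xfer-key". The secret is a placeholder; generate a
// real one with tsig-keygen (or dnssec-keygen -n HOST on older BIND 9).

key "xfer-key" {
    algorithm hmac-sha256;
    secret "q7sjBh5Gx1t0c6n3Qx9O4hQYz6K3a7p1S9dT2vW4uX8=";   // placeholder
};

acl "internal"  { 10.0.0.0/8; 127.0.0.1; };
acl "ext-slave" { 192.0.2.53; };

// Sign the NOTIFY messages we send to the slave.
server 192.0.2.53 { keys { "xfer-key"; }; };

options {
    directory "/var/named";
    allow-transfer { none; };   // transfers are granted per zone below
};

// Views are tried in order and the first match wins. A request signed
// with xfer-key must always reach "external", even if it ever arrives
// from an internal address, so the key is excluded from this view.
view "internal" {
    match-clients { !key "xfer-key"; internal; };
    recursion yes;              // this host resolves everything for inside
    zone "example.com" {
        type master;
        file "master/example.com.internal";   // internal names and addresses
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { key "xfer-key"; ext-slave; };
    recursion no;               // the slave only fetches zone data here
    allow-query { ext-slave; };
    zone "example.com" {
        type master;
        file "master/example.com.external";   // public names only
        allow-transfer { key "xfer-key"; };   // a source IP alone is not enough
        notify explicit;
        also-notify { 192.0.2.53; };
    };
};

// ---- external slave (authoritative only, no recursion): named.conf ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "q7sjBh5Gx1t0c6n3Qx9O4hQYz6K3a7p1S9dT2vW4uX8=";   // same placeholder
};

// Sign every SOA query and transfer sent to the master's NATed address.
server 192.0.2.10 { keys { "xfer-key"; }; };

options {
    directory "/var/named";
    recursion no;               // authoritative only; caching lives elsewhere
    allow-query { any; };
    allow-transfer { none; };   // nobody pulls the zone from the slave
};

zone "example.com" {
    type slave;
    masters { 192.0.2.10 key "xfer-key"; };
    allow-notify { key "xfer-key"; };
    file "slave/example.com.external";
};
```

The firewall then only needs to pass TCP and UDP port 53 from 192.0.2.53 to 192.0.2.10 (and NOTIFY from 192.0.2.10 to 192.0.2.53); no inside client can reach the external view because of the key exclusion, and an unsigned AXFR from the slave's address is refused. Validate both files with named-checkconf, and test the transfer from the slave with `dig @192.0.2.10 example.com axfr -y hmac-sha256:xfer-key:<secret>`; the same dig without -y should return a transfer failure, which confirms the key, not the address, is what grants the zone.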
