Split Namespace question.

Cinense, Mark macinen at sandia.gov
Mon Nov 5 20:35:26 UTC 2001


I get it now... so is it possible to, since I have a nameserver on the
outside, and inside of my firewall to set up the outside nameserver with
defined views, and the internal nameservers with a single view?  Does this
make sense?  I really do not care at this point about zonefile management,
since my zonefiles are generated by another server from a
database anyway.

Mark

-----Original Message-----
From: Jozef Skvarcek [mailto:jozef at photonfield.net]
Sent: November 05, 2001 12:48 PM
To: comp-protocols-dns-bind at moderators.isc.org
Subject: Re: Split Namespace question.


On Mon, 5 Nov 2001, Barry Margolin wrote:

> In article <9s6la3$104 at pub3.rc.vix.com>,
> Cinense, Mark <macinen at sandia.gov> wrote:
> >
> >a bastion host.  In my environment, I have internal and external
> >nameservers, but no bastion host.  In order to do a split namespace is a
> >bastion host required?  If not, how could I do this with only internal and
>
> The book is assuming you only have one server host, which is the bastion
> host, and explains how to use the "views" mechanism to implement split
> DNS.  If you have separate servers then you don't have to do anything special.
>
> >external nameservers, and how does the zonefiles work, will I need to create
> >a separate zonefile for internal and external zones.  One other question is
>
> Yes, the internal server will have the internal zones, and the external
> server will have the external zones.  If a name should be usable from both
> internal and external clients (e.g. www.<domain>) you'll have to put it in
> both zone files.
>
> >how does the nameserver know what information to give and to whom, I know
> >you setup ACL's, but how does that work.
>
> The internal nameserver should not be mentioned in delegation records, so
> the rest of the Internet won't know about it.  It should be put in the
> resolver configurations of all your internal client machines.
>

Wait... If I understand the suggestion above clearly, then you will have to
maintain two master servers (internal and external), using the old-fashioned
split-zone functionality. However, that will most likely kill
the idea of the single point of administration. I think that a better
solution would be setting up a single, internal master. The master would
be configured for two views. The first view would serve your internal
clients and the second your external slave server. The external slave
would download only the external data that it would provide to your
external clients. Let me know if you would like more details.

As stated above, you don't need the bastion host. Configure your firewall
so that only the external slave can talk to the internal master - you will
probably need to do NAT of the internal IP of the internal master. Use
TSIG for extra-secure zone downloads. Configure the firewall so that the
internal master can connect to any of the third-party external servers,
since I assume the internal master will resolve any name for internal
clients. The external slave, which I assume is authoritative for your
domain, should preferably not perform recursion. Instead, set up a
caching external server for your company's external clients.

Jozef
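Jozef's design written out as BIND 9 named.conf fragments: one internal master with an internal view and a key-matched external view, feeding a non-recursive external slave over TSIG-signed transfers. This is an added example, not part of the thread; the domain, addresses, file names and key secret are placeholders.

```conf
// Constructed example, not from the thread: the single internal master
// with two views, feeding one external slave over TSIG-signed transfers.
// Placeholders: example.com, 10.0.0.0/8 (internal nets), 192.0.2.53
// (external slave), 203.0.113.10 (master's NAT address), the key secret.
// ---- named.conf on the internal master ----
key "extslave-key" {
    algorithm hmac-md5;
    secret "<base64 secret from dnssec-keygen>";   // placeholder
};

acl internal-nets { 10.0.0.0/8; 127.0.0.1; };

// Sign NOTIFY messages sent to the external slave with the shared key.
server 192.0.2.53 { keys { extslave-key; }; };

// The first view whose match-clients matches wins, so the key-matched
// view comes first: the slave's signed requests land here regardless
// of the source address they arrive from.  Unsigned queries from outside
// match neither view and are refused.
view "external" {
    match-clients { key extslave-key; };
    recursion no;                       // authoritative data only
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public names only
        allow-transfer { key extslave-key; };
        also-notify { 192.0.2.53; };
    };
};

view "internal" {
    match-clients { internal-nets; };
    recursion yes;                      // resolves anything for internal clients
    zone "." { type hint; file "named.root"; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // internal and public names
        allow-transfer { none; };
    };
};

// ---- named.conf on the external slave ----
// key "extslave-key" { algorithm hmac-md5; secret "<same secret>"; };
// server 203.0.113.10 { keys { extslave-key; }; };
// options { recursion no; };           // no recursion, per the advice above
// zone "example.com" {
//     type slave;
//     masters { 203.0.113.10 key extslave-key; };
//     file "slave/example.com.zone";
// };
```

The firewall rule set then only needs to let 192.0.2.53 reach the master's NAT address on port 53 (TCP and UDP); the master's own internal address never appears in any delegation.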





More information about the bind-users mailing list