Split DNS questions

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 29 21:10:54 UTC 2002


jeff donovan wrote:

> greetings
>
> Currently I have a DNS system running BIND 8 on my external Network.
> This is my primary and master for my zones and it faces the Internet.
>
> I have created an Internal Network with private ip addresses. They
> can query the external dns system with no problem however I need to
> set up a local DNS for the Local servers. From what I have read I can
> set up an Internal master and an external master.
>
> (Please Correct me if I'm wrong)
>
> My internal Name Server will supply local forward and reverse of my
> private addresses and my real addresses, and any other query shall
> be "forwarded" to the external server.
>
> This sounds to me like it should work however I have never set this
> up before. Is there anything special I need to do on the external DNS
> server to accept forwarded queries from the internal?

It is recommended practice to disallow recursion for Internet clients,
thus only allowing them to resolve names in your authoritative zones.
This prevents Denial of Service attacks, certain forms of cache
"poisoning", not to mention plain old garden-variety moochers who just
rudely point their clients at your server. Forwarding, on the other
hand, requires recursion. So, if you want to use the same nameserver
instance for both serving your domains to the Internet, and also
forwarding queries of Internet names from your internal server, then
you'll want to turn on recursion *selectively* using the
"allow-recursion" option.

You could also consider having separate nameservers, separate nameserver
instances (running on different interfaces of a multi-homed machine), or
a single nameserver instance configured with "view"s, to serve the
different functions, i.e. recursive resolver versus authoritative
nameserver. Of course, if the internal DNS data is hosted on an
Internet-facing box, then there might be a slight security risk to that
(i.e. of leaking the internal DNS data), not to mention possibly a
bigger Single Point of Failure. You'll have to weigh the pros and cons.

> Can I basically have a duplicate server with just the addition
> of the private Names and the forward statement?

Basically. But be aware that you're going to have to maintain parallel
versions of your internal zones on each server, with the internal
version of the zone being a superset of the external version. Forwarding
is granular only to the zone level, so if your internal server is
authoritative for, say, example.com, it will never query any other
nameserver for any name in example.com. This implies that all of your
external names will need to appear in the internal version of the zone
as well as all of the "private" names. One of the possible advantages of
hosting the internal and external on the same machine is that you could
potentially -- I've never actually tried this -- share the common data
between the internal and external versions of the zone via the
$INCLUDE mechanism. That might reduce the amount of maintenance
required.


- Kevin
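The two-server layout discussed above, written out as BIND configuration. This is an added example, not part of the original thread or of BIND's own documentation. It assumes BIND 8.2+/BIND 9 named.conf syntax, the hypothetical domain example.com, the documentation prefix 203.0.113.0/24 for the public side, 10.0.0.0/8 internally, an Internet-facing server at 203.0.113.10 and an internal server at 10.0.0.53; all of these names and addresses are assumptions for illustration.

```conf
# ===== external server: /etc/named.conf (Internet-facing, authoritative) =====
# Addresses and zone names below are assumptions, not from the thread.

acl "internal-resolver" { 10.0.0.53/32; };   # the internal nameserver only

options {
    directory "/var/named";
    # Recursion stays enabled, but "allow-recursion" limits it to the
    # listed clients.  Internet clients get authoritative answers only,
    # which closes off the DoS / cache-poisoning / mooching exposure.
    recursion yes;
    allow-recursion { internal-resolver; 127.0.0.1; };
};

zone "example.com" {
    type master;
    file "external/example.com.zone";
};

# ===== internal server: /etc/named.conf (private network) =====

options {
    directory "/var/named";
    # Anything not answered from a local zone is forwarded to the external
    # server.  "forward only" never falls back to querying the roots itself,
    # so the internal box needs no direct Internet DNS access.
    forwarders { 203.0.113.10; };
    forward only;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
};

# Internal copy of example.com.  Forwarding is per zone, so this copy must
# be a SUPERSET of the external one: a public name missing here returns
# NXDOMAIN to internal clients even though the external server knows it.
zone "example.com" {
    type master;
    file "internal/example.com.zone";
};

# Reverse zone for the private range, answered locally instead of being
# forwarded out to the Internet.
zone "10.in-addr.arpa" {
    type master;
    file "internal/10.in-addr.arpa.zone";
};

# ===== zone files (relative to the "directory" option) =====

# --- common/example.com.hosts: records shared by BOTH copies via $INCLUDE.
#     No SOA or NS here; each copy supplies its own.
$TTL 86400
ns1     IN  A   203.0.113.10
www     IN  A   203.0.113.20
mail    IN  A   203.0.113.25
@       IN  MX  10 mail

# --- external/example.com.zone: what the Internet sees.
$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2002082901  ; serial
            3600        ; refresh
            900         ; retry
            1209600     ; expire
            86400 )     ; negative-caching TTL
    IN  NS  ns1.example.com.
$INCLUDE common/example.com.hosts

# --- internal/example.com.zone: the superset, seen only on the inside.
$TTL 86400
@   IN  SOA ns-int.example.com. hostmaster.example.com. (
            2002082902  ; serial, maintained independently of the external copy
            3600 900 1209600 86400 )
    IN  NS  ns-int.example.com.
ns-int      IN  A   10.0.0.53
$INCLUDE common/example.com.hosts      ; every public name, plus the private ones:
intranet    IN  A   10.0.1.10
db          IN  A   10.0.1.11

# --- internal/10.in-addr.arpa.zone: reverse for the private range.
$TTL 86400
@   IN  SOA ns-int.example.com. hostmaster.example.com. (
            2002082901 3600 900 1209600 86400 )
    IN  NS  ns-int.example.com.
53.0.0      IN  PTR ns-int.example.com.     ; 10.0.0.53
10.1.0      IN  PTR intranet.example.com.   ; 10.0.1.10
```

With the shared hosts file, a public host is added in one place and picked up by both copies, but each copy still has its own SOA, so both serials must be bumped (and both servers reloaded) for the change to take effect. If instead both functions live on one BIND 9 instance, the same two example.com zone statements go inside a "view internal" and a "view external" selected by match-clients, and the internal view simply sets recursion yes rather than forwarding to itself; the superset requirement for the internal copy is unchanged.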
