split-DNS environment: how do DMZ servers talk to internal servers?

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Jan 28 19:48:21 UTC 2002


Mun <example at example.com> wrote:

> Hi all,

> My company is now using only one DNS namespace (company.com) for private
> and public servers. This is hosted in our public DMZ, so all servers
> (including firewall) and clients refer to this DNS server.

> I want to set up a split-DNS. For the internal namespace, I thought of
> using company.dom. I would then re-configure my internal servers and

Using a different and non-existing domain is usually unwise. Just
think of mail-routing problems!


> clients to point to this internal DNS. The domain entry of these
> servers/clients will be changed to company.dom. This internal DNS will
> also host a secondary zone of the external namespace, and will forward
> Internet-bound queries (e.g., www.cnn.com) to my external DNS server.

> Because servers in the public DMZ also need to talk to some private
> servers, is it wise, or feasible in the first place, to have the
> external DNS server host a secondary zone of the internal namespace,
> and restrict queries to this zone only from its own segment and the
> firewall?  [Does this defeat the purpose of a split DNS?] Or somehow
> re-direct queries for private servers' IP addresses to the internal DNS?

A less complicated setup that is almost free is to have internal
machines in "int.domain.com", running in a separate subdomain.

Using bind-9 / views would permit running this int.domain.com for
clients only, showing none or an empty int.domain.com for outsiders.


Other ideas are discussed in (chapter 11?) "Managing DNS & BIND". If
you don't have it: run - don't walk - to the nearest bookstore.


> (Doing static NAT for these private servers would be the best method,
> but are there other methods besides NAT?)

> Appreciate any help from all out here. Thanks in advance.

If you do NAT, you also need to set up a reverse (in-addr.arpa) zone for
best performance. And that is only needed in your internal view.


> Mun



-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.
           Remove "icke-reklam" and it works.


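The BIND 9 views setup suggested in the reply, as an added example that is not part of the original thread: one internal view that serves the private int.company.com subdomain and the reverse zone, and one external view that serves only the public zone. The network ranges, the DMZ segment, the zone names and the file names are assumptions.

```conf
// Added example (not from the original post): BIND 9 named.conf skeleton
// for an "int.company.com" subdomain visible only to internal clients.
// Address ranges, zone names and file names are assumptions.

acl "internal-nets" {
    127.0.0.1;           // the name server itself
    10.0.0.0/8;          // assumed internal LAN
    192.0.2.0/24;        // assumed DMZ segment: its servers also get the internal view
};

options {
    directory "/var/named";
    version "not disclosed";      // do not advertise the BIND version to queriers
};

// Views are matched in order; the first match-clients list that fits wins,
// so the restrictive internal view must come before the catch-all view.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                // internal clients may resolve Internet names here

    zone "company.com" {          // same public zone data as the outside view
        type master;
        file "company.com.public";
    };
    zone "int.company.com" {      // private hosts, visible only in this view
        type master;
        file "int.company.com.zone";
    };
    zone "10.in-addr.arpa" {      // reverse zone for the internal addresses
        type master;
        file "10.in-addr.arpa.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                 // never recurse for the Internet: no open resolver
    allow-query { any; };

    zone "company.com" {          // public zone only; it carries no "int" records,
        type master;              // so outsiders asking for int.company.com get NXDOMAIN
        file "company.com.public";
        allow-transfer { none; }; // no zone transfers to arbitrary hosts
    };
};
```

A quick check after loading the configuration is to query a host in int.company.com once from an internal address and once from outside the listed networks; the first should answer, the second should return NXDOMAIN.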