Same zone, separate views, on different servers

Kevin Darcy kcd at daimlerchrysler.com
Sat Jul 13 02:07:22 UTC 2002


"Sasso, John IT" wrote:

> Say you have a domain xyz.com, and you want to configure two different
> nameservers to provide name records for the zone: one for non-public records
> just for the private network, and the other for public records accessible
> from Internet hosts.  The private nameserver must not be accessible from the
> 'net, although the public and private nameservers should be able to talk to
> each other so the public one can pass resolved Internet names to the private
> one (i.e. those that the private one requested), including names in xyz.com
> that are publicly accessible but the private nameserver is not authoritative
> for.
>
> Is such a configuration possible?  If so, could someone refer me to info on
> how to do this.  Thanks!

Sure, this is possible. You just set up the internal nameserver to forward to
the external one (put "forwarders" in the "option" statement, and set the
forwarding mode to "forward only").

You can even run two nameserver instances on different network interfaces of a
multi-homed, e.g. firewall box (using "listen-on", "pid-file", optionally with
separate "controls" and "logging" configs) or, with BIND 9, you can do it with
a single nameserver instance using the "view" mechanism, which differentiates
between clients.

All of these variations are FAQs. Search the archives for "forwarding", "split
DNS" and/or "view".

Note that if you run multiple nameserver instances on the same box, or a
single, multi-"view"-ed instance, there is really no point to using forwarding
at all. The "external" instance or view can be non-recursive (which is a good
thing from a security standpoint), and the "internal" instance can resolve from
the Internet directly -- without forwarding -- for the benefit of your internal
clients. The internal nameserver *must* use forwarding only if it is stuck
behind a firewall or some other network-access-limiting device.


- Kevin
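The single-instance, two-view layout Kevin describes, written out as an added example (not configuration from the original post or from the BIND project). It is BIND 9 named.conf syntax of that era ("type master"; newer releases also accept "type primary"). The view names, the acl, the zone file paths, and the 192.0.2.x addresses (RFC 5737 documentation range) are assumptions chosen for illustration.

```conf
// Added example: split DNS for xyz.com on one BIND 9 instance using views.
// External view is authoritative-only and non-recursive; internal view
// recurses for the private network and serves the private zone copy.
// Names, paths and addresses below are placeholders, not from the post.

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { any; };
    version "not disclosed";      // do not advertise the BIND version
    allow-transfer { none; };     // default; widened per zone below
};

// Views are matched in order: the first view whose match-clients matches
// the querying address wins, so the restrictive internal view must come
// BEFORE the catch-all external view or internal clients would never reach it.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    allow-recursion { "internal-nets"; };

    // Only needed when this host is stuck behind a firewall and cannot
    // iterate from the root servers itself; then hand every non-local
    // query to another resolver (assumed address) instead.
    // forward only;
    // forwarders { 192.0.2.53; };

    zone "xyz.com" {
        type master;
        file "internal/xyz.com.zone";   // private records, intranet hosts
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // refuse recursion for Internet clients
    allow-recursion { none; };

    zone "xyz.com" {
        type master;
        file "external/xyz.com.zone";   // public records only
        allow-transfer { 192.0.2.2; };  // assumed public secondary only
    };
};
```

Check the file with `named-checkconf` before reloading, then confirm the split from both sides with dig: an internal client querying `xyz.com SOA` should see the internal zone's serial, an external client should see the public serial, and a recursive query for some unrelated name from outside should come back REFUSED rather than answered. Keep the two zone files' serials distinct so a mix-up between views is visible in the SOA alone.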
