FW: split DNS
kcd at daimlerchrysler.com
Wed Jun 26 23:42:35 UTC 2002
Armin Safarians wrote:
> I have a general split DNS question.
> I have 3 levels of DNS servers.
> level1 - external facing, public
> level2 - DMZ-only DNS
> level3 - internal.
> Level 1 answers queries from the Internet. DMZ will only
> know about the DMZ servers and very few of the internal
> ones that the DMZ needs to talk to, and level3 of course is
> the internal corporate servers. Today I forward all
> unknown queries from level3 to level2 and from level2
> to level1, so a yahoo.com lookup from the internal will
> travel through level2 and then to level1 and then the
> root servers.
> I am thinking about changing this to allow level1 to
> only answer public queries and the internal to
> forward to level2 and then out to the Internet.
> Please explain to me if this is a bad practice. I can
> only find documentation on 2-tier split DNS, not three.
Given your 3-tier structure, what you suggest is I think a good idea. It allows you to turn off recursion for the Level 1 servers completely, which means less chance of _accidentally_ allowing recursion to the wrong clients, and a smaller memory footprint for those servers (since they'll have nothing to cache). By eliminating the extra forwarding "hop" from Level 2 to Level 1, you'll probably enhance performance also.
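The layout the reply recommends, written out as BIND 9 named.conf fragments for the three tiers. This is an added illustration, not configuration from the original post or from the list; the zone name example.com, the address ranges (198.51.100.0/24 for the public tier, 192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network) and the server addresses are assumed. The security-relevant settings are that level 1 has recursion switched off entirely, level 2 recurses only for DMZ hosts and the level-3 servers, and level 3 forwards everything it is not authoritative for to level 2, never to level 1.

```conf
// ---- Level 1: public, authoritative only (assumed address 198.51.100.53) ----
// Answers only for the zones it serves. No recursion, so it cannot be
// misused as an open resolver and has nothing to cache.
options {
    directory "/var/named";
    recursion no;
    allow-recursion { none; };
    allow-query { any; };             // anyone may ask about the public zones
    allow-transfer { 198.51.100.54; };  // public secondary, assumed
    version "none";
};
zone "example.com" {
    type master;
    file "public/example.com.zone";   // public hosts only (www, mail, ns)
};
zone "." { type hint; file "named.root"; };

// ---- Level 2: DMZ resolver + DMZ view of the zone (assumed 192.0.2.53) ----
// Recurses to the root servers itself; no "forwarders" statement, so the
// extra hop through level 1 is gone. Recursion is limited to the DMZ
// and to the level-3 servers that forward to it.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 192.0.2.0/24; 10.0.0.0/8; };
    allow-recursion { 192.0.2.0/24; 10.0.0.53; 10.0.0.54; };  // DMZ + level 3
    allow-transfer  { none; };
    version "none";
};
zone "example.com" {
    type master;
    file "dmz/example.com.zone";      // DMZ hosts plus the few internal
                                      // names the DMZ must reach
};
zone "." { type hint; file "named.root"; };

// ---- Level 3: internal corporate (assumed 10.0.0.53 and 10.0.0.54) ----
// Authoritative for the full internal zone; everything else is forwarded
// to level 2 and nowhere else ("forward only" prevents it from walking
// the roots itself if level 2 is down).
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 10.0.0.0/8; };
    allow-recursion { 10.0.0.0/8; };
    forwarders { 192.0.2.53; };       // level 2, assumed address
    forward only;
    allow-transfer { 10.0.0.54; };
    version "none";
};
zone "example.com" {
    type master;
    file "internal/example.com.zone"; // complete internal name space
};
```

The three fragments belong in three separate named.conf files, one per server. The check that matters after the change is on level 1: from an outside host, `dig @198.51.100.53 www.yahoo.com` should come back REFUSED without the `ra` flag in the header, while `dig @198.51.100.53 www.example.com` is still answered authoritatively. From an inside host, an external lookup through level 3 should be answered with `ra` set, and the level-1 query log should never show it.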