FW: split DNS

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 26 23:42:35 UTC 2002

Armin Safarians wrote:

> I have a general split DNS question.
> I have 3 levels of dns servers.
> level1   -   external facing, public
> level2   -   DMZ only DNS
> level3   -   internal.
> level 1 answeres queries of internet. DMZ will only
> know about the dmz servers and very few of internal
> that the dmz needs to talk to. and level3 ofcourse is
> the internal  corporate servers. Today I forward all
> unknown queries from level3 to level2 and from level2
> to level1. so a yahoo.com lookup from the internal will
> travel through level2 and then to level1 and then the
> root servers.
> I am thinking about changing this to allow level1 to
> only  answere public queries and the internal to
> forward to level2 and then out to the internet.
> Please explain to me if this is a bad practice. I can
> only find documentation on 2 tier split dns, not three.

Given your 3-tier structure, what you suggest is I think a good idea. It allows you to turn off recursion for the Level 1 servers completely, which means less chance of _accidentally_ allowing recursion to the wrong clients, and a smaller memory footprint for those servers (since they'll have nothing to cache).  By eliminating the extra forwarding "hop" from Level 2 to Level 1, you'll probably enhance performance also.

                                                                                                                            - Kevin

More information about the bind-users mailing list