Internal roots and Internet access ?
Seifert, Reinhold (EDP Sys.)
Seifert at seeg.sharp-eu.com
Thu Mar 21 03:15:48 UTC 2002
Hi all,
I'm sure this has been asked several times (therefore I apologize), but I still have no clue whatsoever how to solve the DNS problem I describe below, even though I looked through the list archive ... therefore I ask.

Background:
Currently, we have a proxying firewall. None of the internal clients and name servers have direct Internet access. At our headquarters we have two internal *root* name servers which delegate directly from root to "ourdomain.com." Two other boxes run the master and slave DNS for "ourdomain.com".

Other (also internal) offsite locations connected via LAN/WAN to the headquarters run their own DNS for the corresponding subdomain, e.g. "xyz.ourdomain.com", as master. For redundancy reasons the name servers at the headquarters are slaves for those subdomains. All internal name servers use a "db.cache" root hint that points at the headquarters' internal root name servers.

Now we are going to replace our proxying firewall by packet-filtering firewalls. This introduces the need for at least some of the internal clients to be able to resolve Internet names.

That is the point where I'm stuck. Is it possible to keep the "internal roots" concept? I have read anything between "Nope, no way" and "Yes, but tricky".

The main reason I am asking is that I have almost no control over the DNS at the offsite locations. If at all possible I would like to avoid changing the various DNS setups (NT/W2k DNS, Novell, BIND 4.8, 4.9, 8.x ..) over there.

Any help/comments/hints are very much appreciated.
Thanks,
-Reinhold
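The "internal roots" layout the post describes, written out as BIND named.conf and zone-file fragments. This is an added illustration, not the poster's actual configuration: the host names (root1/root2 for the internal roots, ns1/ns2 for the ourdomain.com master and slave, ns.xyz for the offsite master) and the RFC 1918 addresses are assumed for the example.

```conf
// ===== named.conf on an internal root server (root1.ourdomain.com) =====
// Assumed addresses: root1 = 10.0.0.1, root2 = 10.0.0.2,
// ns1 = 10.0.0.11, ns2 = 10.0.0.12, ns.xyz = 10.1.0.1 (all hypothetical).
options {
    directory "/var/named";
    recursion no;          // the roots only delegate; they never resolve for clients
};

zone "." {
    type master;           // this box IS the root as far as the intranet is concerned
    file "db.root";
};

; ===== db.root: the internal root zone served by root1/root2 =====
$TTL 86400
@   IN  SOA root1.ourdomain.com. hostmaster.ourdomain.com. (
            2002032101 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
    IN  NS  root1.ourdomain.com.
    IN  NS  root2.ourdomain.com.
root1.ourdomain.com.  IN  A   10.0.0.1      ; glue for the root servers themselves
root2.ourdomain.com.  IN  A   10.0.0.2

; delegation straight from the root to ourdomain.com (no com. zone in between)
ourdomain.com.        IN  NS  ns1.ourdomain.com.
ourdomain.com.        IN  NS  ns2.ourdomain.com.
ns1.ourdomain.com.    IN  A   10.0.0.11     ; glue
ns2.ourdomain.com.    IN  A   10.0.0.12     ; glue

; ===== db.cache: root hints used by every other internal name server =====
; Replaces the public root hints file; points only at the internal roots.
.                     3600000 IN  NS  root1.ourdomain.com.
.                     3600000 IN  NS  root2.ourdomain.com.
root1.ourdomain.com.  3600000 IN  A   10.0.0.1
root2.ourdomain.com.  3600000 IN  A   10.0.0.2

// ===== named.conf on the headquarters master for ourdomain.com (ns1) =====
options {
    directory "/var/named";
    recursion yes;         // internal clients point at ns1/ns2 for resolution
};

zone "." {
    type hint;
    file "db.cache";       // the internal hints above, not the public root list
};

zone "ourdomain.com" {
    type master;
    file "db.ourdomain.com";   // must itself delegate xyz.ourdomain.com to ns.xyz
};

// redundancy: headquarters is a slave for each offsite subdomain
zone "xyz.ourdomain.com" {
    type slave;
    masters { 10.1.0.1; };     // ns.xyz.ourdomain.com, the offsite master
    file "bak.xyz.ourdomain.com";
};
```

The point this makes visible is the one the question turns on: a named instance has exactly one hint zone for ".", so a resolver carrying the internal db.cache learns nothing about the public root and cannot follow referrals to Internet names, regardless of what the packet filter permits. Offsite servers that keep this db.cache therefore stay internal-only even after the firewall change; whatever resolves Internet names has to start from the real root hints and be told about ourdomain.com and its subdomains by some other means.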