hint file versus forwarded

Armin Safarians armin.safarians at safeway.com
Thu May 9 22:56:53 UTC 2002


You are correct. The two levels of DNS are still internal to our network. One is on
the LAN and one is in the DMZ.
It makes sense why forwarders are the way to go here, and then on the outside ones we
hint to the root server.

Thank you all.
AMS :-)

Barry Margolin wrote:

> In article <abes1e$b8e8$1 at isrv4.isc.org>,
> Kevin Darcy  <kcd at daimlerchrysler.com> wrote:
> >
> >Armin Safarians wrote:
> >
> >> Hello all, I have a quick question for you all.
> >>
> >> We have two levels of DNS: internal and external. Today we forward any
> >> queries that are not known by the internal DNS servers to the external
> >> DNS servers and they point to the root servers with the hint file for
> >> internet queries.
> >>
> >> The question is how is that different/better/worse than having the hint
> >> file on the internal server point to the external DNS.
> >> Hint file versus forwarders.
> >
> >When is forwarding *ever* desirable, when direct connectivity is
> >available? The same arguments against forwarding apply here as in any
> >other context. Search the archives for my previous diatribes against
> >forwarding.
>
> I don't think your response is appropriate, since it sounds like his
> internal servers don't have direct connectivity.  The firewall only allows
> them to connect to the external servers.
>
> So the question is why not to put the external servers in the root hints
> file.  The root hints file is only used as an initial hint about the root
> servers, not as the permanent list.  One of the first things that named
> does is send a query to one of those servers, asking it for the current
> list of root servers.  If you put your external servers in the hints file,
> the internal server will ask the external server for the root servers.  The
> external server will reply with the *real* root server list, and the
> internal server will then replace the list from the hints file with this
> list.  From then on, it won't be able to look up remote names, because the
> firewall will block connections to the root servers.
>
> --
> Barry Margolin, barmar at genuity.net
> Genuity, Woburn, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

--
*******
What you want to be eventually, you must be every day.
With practice, the quality of your deeds gets down to your soul.
- Frank Crane
*******
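
The layout this thread arrives at, sketched as a named.conf fragment for the internal (LAN) server. This is an added example, not configuration posted by anyone in the thread: the addresses are placeholders from the 192.0.2.0/24 documentation range, the file name dmz.hints is hypothetical, and `forward only` is an assumption chosen because the firewall blocks the internal server from reaching anything but the DMZ servers.

```conf
// named.conf fragment for the internal (LAN) server.
// 192.0.2.10 and 192.0.2.11 are placeholders for the two DMZ servers.

// Layout the thread advises against: a hints file that lists the DMZ
// servers in place of the real roots. named uses hint entries only to
// send its priming query for the root NS set, then replaces them with
// the list in the answer. The DMZ servers answer with the real roots,
// which the firewall does not let this host reach.
//
// zone "." {
//     type hint;
//     file "dmz.hints";   // hypothetical file naming the DMZ servers
// };

// Layout the thread settles on: hand every query this server cannot
// answer from its own zones to the DMZ servers.
options {
    recursion yes;
    forwarders { 192.0.2.10; 192.0.2.11; };
    // Assumption: with direct queries blocked, falling back to iteration
    // from the roots (the "forward first" behaviour) could only time out,
    // so the fallback is disabled.
    forward only;
};
```

The DMZ servers keep an ordinary hint zone for the real root servers and are the only hosts the firewall allows to query the Internet.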





More information about the bind-users mailing list