bind secure architecture.

Vincent Blondel vincent at xtra-net.org
Sun Aug 21 08:19:16 UTC 2005


many thanks, I will try this as soon as possible.


> Vincent Blondel wrote:
>
>>Hi,
>>
>>We are currently using Bind on one FreeBSD 4.10 server. This server is directly used by internal users and internet clients.
>>
>>We decided recently to set up a real DMZ in our IT architecture. This is now done and we are already using an http proxy. Time is now to consider a complete new architecture for our Bind server.
>>
>>So I looked on the net for a complete secure and split ( internal , external ) architecture and have found that we could mix the following features :
>>
>>- internal root
>>- split architecture could be done by the "VIEW" feature in BIND 9.x
>>
>>With such an architecture, we could completely configure all internal servers and subdomains for internal services and set up another configuration ( usual www, smtp, dns ) for specific external services.
>>This configuration also means that the internal root server has to forward the requests on the net ( via our DMZ gateway BIND server ) for all domains we are not serving as SOA ( example google.com ).
>>
>>... and this is my specific problem, I cannot imagine how I can configure this.
>>
>>So can somebody explain to me how I can do it and/or eventually give me an example of configuration ???
>>
> No, don't try to mix root server with forwarding. Configure an
> "external" view on your internal nameserver, that forwards to the dmz
> gateway BIND server. Have the web proxy's address be the only thing that
> matches that view. If your web proxy is going to be handling internal as
> well as external HTTP requests, then you may have to define the apex of
> each domain you use internally as a "type stub". Optionally, if these
> zones have any subzones, add a "forwarders { };" to inhibit the
> forwarding of queries for any of their subzones. Basically, you're
> "overriding" forwarding selectively for those parts of the namespace, in
> this "external" view, and forcing the queries to be resolved internally.
>
> Skeletal example:
>
> view "external" {
>     match-clients { web.proxy.add.ress; };
>     forwarders { x.x.x.x; };
>     forward only;
>
>     zone "example.com" {
>        type stub;
>        file "external/example.com";
>        masters { y.y.y.y; }; /* my address */
>        forwarders { };
>     };
> };
>
> view "internal" {
>     match-clients { any; };
>
>     zone "." {
>        type master;
>        file "internal/root";
>     };
>
>     zone "example.com" {
>        type master;
>        file "internal/example.com";
>     };
> };
>
>                                                                   - Kevin
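To make the selective-override behaviour in Kevin's skeleton concrete, here is an added Python model (not part of the original thread and not BIND code) of how the two views route a query: the view is chosen by the first match-clients hit, the query name is matched against the view's zone apexes by longest suffix, and a zone-level forwarders list overrides the view-level one, with an empty list switching forwarding off for that zone and everything below it. The proxy and DMZ addresses are assumed RFC 5737 documentation values.

```python
import ipaddress

# Constructed model of the two-view split described in the reply. Addresses
# are assumed RFC 5737 documentation values, not the poster's real ones.
WEB_PROXY = "192.0.2.10"        # the only client of the "external" view
DMZ_BIND = "198.51.100.53"      # DMZ gateway BIND that the external view forwards to
VIEWS = [
    {"name": "external", "match": [WEB_PROXY + "/32"], "forwarders": [DMZ_BIND],
     # stub zone with an empty forwarders list: forwarding is switched off for
     # example.com and everything below it, so those names resolve internally
     "zones": {"example.com": {"type": "stub", "forwarders": []}}},
    {"name": "internal", "match": ["0.0.0.0/0"], "forwarders": [],
     "zones": {".": {"type": "master"}, "example.com": {"type": "master"}}},
]

def select_view(client_ip):
    """Views are tried in configuration order; the first match-clients hit wins."""
    ip = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if any(ip in ipaddress.ip_network(net) for net in view["match"]):
            return view
    return None

def closest_zone(zones, qname):
    """Longest-suffix match of qname against the zone apexes configured in a view."""
    labels = [] if qname == "." else qname.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        apex = ".".join(labels[i:]) or "."
        if apex in zones:
            return apex
    return None

def resolve_path(client_ip, qname):
    """Return (view name, action): where a query from client_ip for qname goes."""
    view = select_view(client_ip)
    if view is None:
        return (None, "refused")
    apex = closest_zone(view["zones"], qname)
    zone = view["zones"].get(apex) if apex else None
    # A zone-level forwarders statement overrides the view-level one; an empty
    # list disables forwarding for that zone and its subdomains.
    forwarders = zone.get("forwarders", view["forwarders"]) if zone else view["forwarders"]
    if forwarders:
        return (view["name"], "forward:" + forwarders[0])
    if zone and zone["type"] == "master":
        return (view["name"], "authoritative")   # internal root answers NXDOMAIN for outside names
    if zone and zone["type"] == "stub":
        return (view["name"], "iterate")         # walk the stub's NS records, i.e. the internal master
    return (view["name"], "refused")             # no forwarders and no zone: nothing to do with it
```

Running `resolve_path` for the proxy and for an ordinary internal host shows why Kevin says not to mix the internal root with forwarding: in the "internal" view every outside name ends at the local root zone, while only the proxy's view forwards to the DMZ.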