DNS Servers Setup
Kevin Darcy
kcd at daimlerchrysler.com
Tue May 3 01:38:16 UTC 2005
No_Spam wrote:
>How do I set up 2 DNS servers in my network? One should serve the public
>requests (mail, www, etc.) and one for internal network?
>
That's a fairly common requirement.
>I have one
>already set up serving both public and private, but I want to change
>that and split them into either 2 servers, or 2 NICs.
>
Another option you may not be aware of is to run a single nameserver
instance and configure separate "views", which are differentiated by the
client source address of any given query -- show the "internal" view to
your internal clients, and the "external" view to everyone else. This
saves you having to provision another machine, or to maintain either
another NIC or a virtual interface on an existing NIC. If you insist on
running multiple nameserver instances on the same box, you can get them
to listen on different interfaces/addresses via named.conf's "listen-on"
option.
>What do I do with the current forward zone I have?
>
"Forward zone" is a little ambiguous in BIND/DNS terms. Do you mean a) a
master zone which is not a reverse zone ("forward" == opposite of
"reverse") or b) a zone of type "forward" (presumably forwarding to your
ISP's nameservers)?
If you want to serve a master zone authoritatively to the world, then
put it in your "external" view/instance/box. If the internal version of
that zone is the same as the external, then there's really nothing more
you need to do, since the one view/instance/box will just find the other
one and get authoritative data from it just like any other nameserver
(you could consider micro-optimizing this by making the internal
view/instance/box forward/stub/slave from the external view/instance/box
so that it never has to follow the delegations down from higher levels
of the hierarchy). If, on the other hand, you want to populate the
internal version of the zone with data that is hidden from the outside
world (i.e. the external version is a so-called "shadow namespace"), or
if names on either side of a NAT need to resolve differently internally
than they do externally, then you'll have to maintain two different
versions of the zone in the respective internal/external
views/instances/boxes. Depending on your setup/situation, you might be
able to share an $INCLUDE file between them in order to cut down on the
maintenance overhead.
If by "forward zone" above you mean a zone of "type forward", I would
first question why you are forwarding in the first place. You are
probably better off just resolving things yourself than forwarding to
your ISP's nameserver(s). Once you split things up into internal and
external, one thing you want to avoid is *multi-level forwarding*, i.e.
having one box/instance/view forwarding to another box/instance/view,
which then forwards to your ISP's nameservers. Multi-level forwarding is
a whole order of magnitude uglier even than single-level forwarding...
- Kevin
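The single-instance, two-view layout Kevin describes (views selected by query source address, "listen-on" to pin the instance to specific addresses, and two versions of the same master zone so the external side is a shadow namespace), written out as a BIND 9 named.conf. This is an added example, not configuration from the original post or from the bind-users list; the network ranges, listen addresses, zone name and file paths are placeholders chosen for illustration.

```conf
// Added example: split-horizon DNS in one BIND 9 instance using views.
// All addresses, the zone name and the file paths are assumptions.

// Who counts as "internal": the loopback plus the private ranges in use.
acl "internal-nets" {
    127.0.0.0/8;
    10.0.0.0/8;          // assumed internal range
    192.168.0.0/16;      // assumed internal range
};

options {
    directory "/var/named";
    // Pin this instance to explicit addresses. If a second named instance
    // must share the host, give each its own listen-on list instead of
    // letting both bind to every interface.
    listen-on { 192.0.2.53; 10.0.0.53; };   // assumed public + internal addresses
    listen-on-v6 { none; };
};

// Views are evaluated in the order written; the first view whose
// match-clients matches the query's source address answers it.
// Once any view is defined, every zone must live inside some view.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                       // internal clients may recurse here
    allow-recursion { "internal-nets"; };

    // Root hints so this view resolves the outside world itself
    // rather than forwarding to the ISP.
    zone "." {
        type hint;
        file "named.ca";
    };

    // Full version of the zone, including hosts that must stay hidden.
    zone "example.com" {
        type master;
        file "internal/db.example.com";
    };

    // Reverse zone for the private range; only meaningful internally.
    zone "0.0.10.in-addr.arpa" {
        type master;
        file "internal/db.10.0.0";
    };
};

view "external" {
    match-clients { any; };              // catch-all, so it goes last
    recursion no;                        // authoritative only: not an open resolver
    allow-query { any; };

    // Public ("shadow") version of the same zone: public hosts and
    // NAT-facing addresses only.
    zone "example.com" {
        type master;
        file "external/db.example.com";
    };
};
```

Two practical notes. First, to cut the duplication Kevin mentions, both copies of db.example.com can start with `$INCLUDE shared/common.example.com` holding the records that are identical on both sides (the SOA, NS and public MX records), leaving only the differing hosts in each per-view file; remember to bump the serial in both. Second, if you take his micro-optimization and make the internal view slave (or stub) the zone from the external view of the same instance, the transfer request leaves from the server's own address and is matched by source address like any other query, so it lands back in the internal view; the usual fix is to sign the transfer with a TSIG key and add `key`/`!key` terms to each view's match-clients so the views can be addressed explicitly. Check the result with `named-checkconf` and then query each view from an internal and an external address to confirm that the hidden names only answer internally and that recursion is refused externally.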