DNS Servers Setup

Kevin Darcy kcd at daimlerchrysler.com
Tue May 3 01:38:16 UTC 2005


No_Spam wrote:

>How do I set up 2 DNS servers in my network? One should serve the public
>requests (mail, www, etc.) and one for internal network?
>
That's a fairly common requirement.

>I have one
>already set up serving both public and private, but I want to change
>that and split them into either 2 servers, or 2 NICs.
>
Another option you may not be aware of is to run a single nameserver 
instance and configure separate "view"s, which are differentiated by the 
client source address of any given query -- show the "internal" view to 
your internal clients, and the "external" view to everyone else. This 
saves you having to provision another machine, or to maintain either 
another NIC or a virtual interface on an existing NIC. If you insist on 
running multiple nameserver instances on the same box, you can get them 
to listen on different interfaces/addresses via named.conf's "listen-on" 
option.

>What do I do with the current forward zone I have?
>
"Forward zone" is a little ambiguous in BIND/DNS terms. Do you mean a) a 
master zone which is not a reverse zone ("forward" == opposite of 
"reverse") or b) a zone of type "forward" (presumably forwarding to your 
ISP's nameservers)?

If you want to serve a master zone authoritatively to the world, then 
put it in your "external" view/instance/box. If the internal version of 
that zone is the same as the external, then there's really nothing more 
you need to do, since the one view/instance/box will just find the other 
one and get authoritative data from it just like any other nameserver 
(you could consider micro-optimizing this by making the internal 
view/instance/box forward/stub/slave from the external view/instance/box 
so that it never has to follow the delegations down from higher levels 
of the hierarchy). If, on the other hand, you want to populate the 
internal version of the zone with data that is hidden from the outside 
world (i.e. the external version is a so-called "shadow namespace"), or 
if names on either side of a NAT need to resolve differently internally 
than they do externally, then you'll have to maintain two different 
versions of the zone in the respective internal/external 
views/instance/boxes. Depending on your setup/situation, you might be 
able to share an $INCLUDE file between them in order to cut down on the 
maintenance overhead.

If by "forward zone" above you mean a zone of "type forward", I would 
first question why you are forwarding in the first place. You are 
probably better off just resolving things yourself than forwarding to 
your ISP's nameserver(s). Once you split things up into internal and 
external, one thing you want to avoid is *multi-level forwarding*, i.e. 
having one box/instance/view forwarding to another box/instance/view, 
which then forwards to your ISP's nameservers. Multi-level forwarding is 
a whole order of magnitude uglier even than single-level forwarding...

                                                                         
                                                   - Kevin
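As an added illustration of the single-instance, two-view approach Kevin describes above (this is not configuration from the original post or from the poster's setup), here is a minimal BIND 9 named.conf that shows an "internal" view to RFC 1918 clients and an "external" view to everyone else; the ACL, addresses, zone name and file paths are assumed values for the example.

```conf
// Added example, not part of the original post. Assumed network
// ranges, zone name and file paths; adjust to your own environment.
acl "internal-nets" { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
    // Alternative to views: run two named instances on the same box and
    // pin each one to its own address, e.g. listen-on { 192.168.1.1; };
    listen-on { any; };
};

// Views are tried in order: the first view whose match-clients covers
// the query's source address answers, so the narrower view goes first.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;          // internal clients use this view as their resolver
    zone "example.com" {
        type master;
        // private hosts / NAT-inside addresses; may $INCLUDE a file of
        // records shared with the external copy to cut maintenance
        file "internal/db.example.com";
    };
};

view "external" {
    match-clients { any; };
    recursion no;           // authoritative answers only for the outside world
    zone "example.com" {
        type master;
        // the "shadow namespace": only names the public should see
        file "external/db.example.com";
    };
};
```

If the internal and external versions of the zone are identical, the same file can be named in both views instead of maintaining two copies.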