minimal-responses yes; to prevent downstream MS DNS server following DNS delegations

Sven Emil Skretteberg at
Tue May 3 08:16:03 UTC 2011


A customer has a security policy based on a zoned network model which
denies DNS servers in the internal network zone permission to communicate
directly with DNS servers outside the internal network zone. The only
exception is the defined central DNS servers.

In the internal network zone we have internal MS DNS servers which
host the AD DNS zone and also have general forwarding to the
internal BIND DNS.
The internal BIND DNS servers host a few zones and have general
forwarding (forward only;) to the central BIND DNS servers.
The central BIND DNS servers are allowed to communicate with any DNS server.

My main goal is to prevent the internal MS DNS server from trying to
communicate with DNS servers outside the internal network zone by
following delegations. Such communication will be dropped in the
firewalls. Instead I want the internal MS DNS server to follow the
generic DNS forwarding configured. In my test lab I have implemented
the following on the internal BIND DNS with promising results:

     options {
           minimal-responses yes;   // omit authority/additional data, so no NS records or glue reach the MS DNS
           forward only;            // never fall back to iterative resolution if the forwarders fail
           forwarders { <central BIND DNS>; };
     };

Do you see (or have you experienced) problems with such a configuration?

Sven Emil

More information about the bind-users mailing list
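A way to verify on the internal BIND DNS that minimal-responses is actually stripping the sections the MS DNS could otherwise learn delegation data from, added here as an example and not part of Sven Emil's post or of BIND itself. The function name is_minimal_response is my own; it reads ordinary dig text output on stdin and parses the section counts from the ";; flags:" line. The two dig transcripts are constructed sample data (documentation addresses and example.com), not captures from the lab.

```shell
#!/bin/sh
# Added example: check whether a dig response is "minimal", i.e. carries no
# AUTHORITY records and nothing in ADDITIONAL beyond the EDNS OPT pseudo-record.
# Real usage against the lab server would be:
#   dig @<internal BIND DNS> www.example.com A | is_minimal_response

is_minimal_response() {
    # Parses the ";; flags:" line of dig output. Returns 0 (minimal) when
    # AUTHORITY is 0 and ADDITIONAL holds at most the OPT record, which BIND
    # counts in ADDITIONAL whenever EDNS is in use.
    awk '
        /^;; flags:/ {
            for (i = 1; i <= NF; i++) {
                # fields look like "AUTHORITY:" "0," so "+ 0" drops the comma
                if ($i == "AUTHORITY:")  auth = $(i + 1) + 0
                if ($i == "ADDITIONAL:") addl = $(i + 1) + 0
            }
        }
        /^;; OPT PSEUDOSECTION:/ { opt = 1 }
        END {
            printf "authority=%d additional=%d opt=%d\n", auth, addl, opt
            exit !(auth == 0 && addl <= opt)
        }
    '
}

# Constructed sample: what the internal BIND DNS returns with minimal-responses yes.
sample_minimal() {
cat <<'EOF'
; <<>> DiG 9.7.3 <<>> @192.0.2.53 www.example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.		IN	A

;; ANSWER SECTION:
www.example.com.	3600	IN	A	192.0.2.10
EOF
}

# Constructed sample: the same answer without minimal-responses, carrying the
# NS records and glue that a downstream server could use to chase the delegation.
sample_full() {
cat <<'EOF'
; <<>> DiG 9.7.3 <<>> @192.0.2.53 www.example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.example.com.		IN	A

;; ANSWER SECTION:
www.example.com.	3600	IN	A	192.0.2.10

;; AUTHORITY SECTION:
example.com.		86400	IN	NS	ns1.example.com.
example.com.		86400	IN	NS	ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.	86400	IN	A	192.0.2.1
ns2.example.com.	86400	IN	A	192.0.2.2
EOF
}

# Run both samples through the check.
for s in sample_minimal sample_full; do
    if $s | is_minimal_response; then
        echo "$s: minimal"
    else
        echo "$s: NOT minimal (authority/additional data present)"
    fi
done
```

The check only inspects what BIND hands back; it says nothing about what the MS DNS server does with a response, so the firewall logs on the zone boundary remain the final test for whether delegation chasing has stopped.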