Selective forwarding from an internal only name server

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Thu Aug 18 14:57:14 UTC 2016


Well, the cost/benefits/risks of separating authoritative and recursive on different *servers* (as opposed to different NICs, views, or whatever) are actually a hotly-debated topic among experts. I know some non-DNS-expert opinions, from the InfoSec side of the house, consider hardware-level separation "ideal", but frankly, I don't think they understand the concepts of NIC- or view-level separation, and need to be edumacated. Personally, I prefer a larger number of multi-role boxes, with view separation. The larger number of boxes means more availability and resilience against, say, Denial of Service attacks, which can target recursive service *or* authoritative service *or* both.

By the way, the original poster never said that he was hosting any zones authoritatively to the Internet on NS1, so why would you assume that he is? He said only that it served "external clients", but those could be *recursive* clients, for all we know.

That having been said, I concur with your technical recommendations.

									- Kevin



-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of S Carr
Sent: Thursday, August 18, 2016 4:31 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server

On 18 August 2016 at 01:04, anup albal <anupalbal at hotmail.com> wrote:
> Does that mean I set up another forwarding zone called microsoft.com or 
> sharepoint.microsoft.com or both?

Ideally you should set up a completely separate caching/forwarding server and not be using the external DNS box (NS1) for this purpose.

On the box you are forwarding the queries to (NS1) you need to enable recursion and specify an ACL for recursion to limit it to only allowing recursion from the internal DNS1 box.

On the internal DNS box (DNS1) also make sure recursion is enabled and an ACL is in place allowing your client subnets, and configure forward zones for sharepoint.com and microsoft.com zones (and any other zones needed by the sharepoint service) to point at the NS1 box.
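As an added illustration of the two-server setup S Carr recommends (example named.conf fragments written here, not posted by anyone in the thread), assuming placeholder addresses of 192.0.2.53 for NS1, 10.0.0.53 for DNS1 and 10.0.0.0/8 for the client subnets:

```conf
// --- NS1 (the box being forwarded to): named.conf fragment ---
// Placeholder addresses: DNS1 = 10.0.0.53, NS1 = 192.0.2.53.
acl "internal_dns" { 10.0.0.53; };

options {
    // Recursion is on, but only DNS1 may use it; any other source
    // is refused recursive service and cache lookups.
    recursion yes;
    allow-recursion   { internal_dns; };
    allow-query-cache { internal_dns; };
    // Non-recursive queries for locally served data can still be answered.
    allow-query { any; };
};

// --- DNS1 (internal resolver): named.conf fragment ---
acl "clients" { 10.0.0.0/8; localhost; };

options {
    recursion yes;
    allow-recursion   { clients; };
    allow-query-cache { clients; };
    allow-query       { clients; };
};

// Only these zones are sent to NS1. "forward only" means DNS1 never
// falls back to resolving them itself if NS1 does not answer.
zone "microsoft.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

zone "sharepoint.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

The two fragments belong in two separate named.conf files, one per server; check each with named-checkconf before reloading.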