stoopid question - split dns
Kevin Darcy
kcd at daimlerchrysler.com
Mon Jul 31 20:17:44 UTC 2000
Kelly Scroggins wrote:
> Quoting Kevin Darcy <kcd at daimlerchrysler.com>:
>
> Kelly Scroggins wrote:
>
> > I'm sorry for the basic question but I'm a little confused.
> >
> > system : Red Hat 6.1
> > bind : bind 8.2 ....
> >
> > I have the 'outside' name server (with the limited database) set up as a
> > slave and it is not allowed to transfer data from the master. Because I
> > don't want the entire world to see the internal network information.
> > According to the logs (/var/log/messages), all zone files are loading
> > without errors.
> >
> > When setting up a split dns ... does the name server on the 'outside'
> > (that's the one with the limited database) have to be the master? Can
> > it be the slave?
> >
> > If it's the slave, then the zone info would expire? And if it expires,
> > are the db files deleted from the system?
> >
> > What have I mis-understood?
>
> The db files aren't deleted, but the server will stop answering
> authoritatively when the zone expires. This can conceivably cause problems
> with other nameservers.
>
> What do you hope to achieve by defining it as a slave instead of a master?
> A master file is where you maintain original zone data. That's what you're
> doing here, presumably, so why not just say what you mean?
>
> I did say what I meant. ?
>
> How can I explain this to you?
>
> I do not want all of my internal information to be
> seen by the entire world (Internet).
Okay. So the internal DNS is off-limits to external clients.
> I only want certain devices to be seen by the
> entire world (Internet).
Okay. So the external DNS only contains a subset of the internal DNS, i.e. is a
so-called "shadow" namespace.
> As I understand it, this is called split dns.
Right. Two different versions of DNS -- an internal and an external. Each
version has a master and some number of slaves.
> And I have concluded that the master server can
> not be the server with the database that does not
> have the full zone information in it. i.e., the
> server that's seen by the entire world (Internet).
This is where you go astray. There isn't just "the master". Each DNS -- internal
and external -- has a *separate* master.
> I am asking this list if my understanding is
> correct. I am asking for guidance. I am new to
> this whole thing so please be patient with me.
>
> I have three servers. One is the master and the
> other two are the slaves.
You need 2 master *instances*. These could run on the same multi-homed machine,
if you want. For redundancy, you should also have at least 1 slave *instance*
for each DNS. These too could run as separate instances on a multi-homed
machine. Or, you could dedicate machines to any of these functions. So you're
looking at 4 instances at a minimum, running on anywhere from 2 to 4 machines.
> One of the slaves is transferring zone info with
> our ISP. So that (slave) server CANNOT have a full copy
> of my zone info in its database because I DO NOT
> want all of my internal zone information to be
> seen by the entire world (Internet).
Oh, you mean your ISP is a slave for the external version of your domain? Is
that included in the "three servers" you enumerate above, or is it separate?
Regardless, you still need 2 masters -- an internal and an external.
- Kevin
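As an added illustration of the two-master layout described above (not part of the original thread), here are two BIND 8 named.conf fragments for separate internal and external master instances running on one multi-homed machine. The file paths, addresses, zone name and zone file names are constructed placeholders.

```conf
// /etc/named-internal.conf (assumed path) -- internal master instance.
// Listens only on the inside interface; its zone file holds every host
// and may only be transferred to the internal slave.
options {
    directory "/var/named";
    listen-on { 10.0.0.1; };             // inside address (constructed)
    allow-query { 10.0.0.0/8; };         // internal clients only
    allow-transfer { 10.0.0.2; };        // the internal slave only
};

zone "example.com" {
    type master;
    file "internal/db.example.com";      // full internal data
    allow-transfer { 10.0.0.2; };
};

// /etc/named-external.conf (assumed path) -- external master instance.
// Listens only on the outside interface; its zone file is the "shadow"
// subset, so even a permitted transfer exposes nothing internal.
// The ISP's slave is the only host allowed to transfer it.
options {
    directory "/var/named";
    listen-on { 192.0.2.1; };            // outside address (documentation prefix)
    allow-transfer { 198.51.100.53; };   // ISP slave (documentation prefix)
};

zone "example.com" {
    type master;
    file "external/db.example.com";      // subset of hosts only
    allow-transfer { 198.51.100.53; };
};
```

Each file is loaded by its own named process (for example `named -c /etc/named-internal.conf` and `named -c /etc/named-external.conf`), so the external copy is authoritative at its own master and the slave-expiry problem raised earlier in the thread does not arise.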