Rev (Hidden Segment) Lookups in split environment

Thomas Duterme thomas at madeforchina.com
Sat Mar 17 18:34:09 UTC 2001


Thank you for the helpful reply.

How about using BIND's allow-recursion statement -> I allow
the internal clients to have access and shut everyone else
out.  Would this effectively do the same thing and save the
hassle of running another instance of named?

Thanks,
Thomas

Kevin Darcy wrote:
> 
> If you have recursion turned off, then resolvers can only get what's in
> your cache and authoritative data. Best practice is for your public
> nameserver to turn off recursion *completely* (options { recursion no;
> ...) so that there's no possibility of anyone external getting internal
> data out of your nameserver's cache. Of course, that means you can't use
> that public nameserver to resolve any internal names. Typically, one
> would therefore run a separate "private" instance of named to provide
> resolution of internal names.
> 
> - Kevin
> 
> Thomas Duterme wrote:
> 
> > Hello everyone,
> >
> > I'm running a split DNS setup for my office.  On the
> > external public IP nameservers, I want to map out the PTR
> > records for the internal private IP segment.  Note, most of
> > those IP addresses are private IP, but I still don't want to
> > advertise the network topology to anyone outside the company
> > (keeping in line with my reasoning for a split IP
> > architecture).
> >
> > My current external servers restrict zone transfers and
> > recursive queries.  Am I correct in thinking that foreign
> > resolvers pointed to my external nameservers will NOT be
> > able to look up those PTR records?
> >
> > TIA,
> > Thomas
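The configuration below is an added example and is not part of the thread or of any reply in it. It shows the split-horizon layout Kevin describes (recursion fully off on the public side, internal names and the private reverse zone served only to internal clients) done inside one named process by using BIND 9 views, which give each view its own cache. The ACL range, zone names, and file paths are placeholders.

```conf
// Added example (not from the thread). Assumes BIND 9 with views;
// 10.0.0.0/8, example.com and the file paths are placeholders.
options {
    directory "/var/named";
};

acl internal { 10.0.0.0/8; 127.0.0.1; };

// Weak variant, for contrast: a single cache shared by everyone.
//   options { recursion yes; allow-recursion { internal; }; };
// allow-recursion only decides who may ask the server to recurse; an
// outside client can still send non-recursive queries and read back
// whatever internal answers the shared cache already holds.

view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };

    // Private PTR records live only in this view.
    zone "10.in-addr.arpa" {
        type master;
        file "internal/10.in-addr.arpa.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                 // this view never populates a cache
    allow-transfer { none; };     // or a list of your secondaries

    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public names only
    };

    // No 10.in-addr.arpa here: the private reverse zone is not served
    // to outside resolvers at all.
};
```

Two things to keep in mind when adapting this: once views are used, every zone must be declared inside a view (a zone at the top level alongside views is a configuration error), and view order matters because the first match-clients that matches the source address wins, so the "internal" view goes first. The cache-exposure concern Kevin raises is also addressed directly in BIND 9.4 and later by the allow-query-cache option, which restricts who may read cached (non-authoritative) answers; it was not available in 2001, so views or a separate private instance were the available choices then.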


More information about the bind-users mailing list