split-DNS environment: how do DMZ servers talk to internal servers?
phn at icke-reklam.ipsec.nu
Mon Jan 28 19:48:21 UTC 2002
Mun <example at example.com> wrote:
> Hi all,
> My company is now using only one DNS namespace (company.com) for private
> and public servers. This is hosted in our public DMZ, so all servers
> (including firewall) and clients refer to this DNS server.
> I want to set up a split-DNS. For the internal namespace, I thought of
> using company.dom. I would then re-configure my internal servers and
Using a different and non-existing domain is usually unwise. Just
think of mail-routing problems!
> clients to point to this internal DNS. The domain entry of these
> servers/clients will be changed to company.dom. This internal DNS will
> also host a secondary zone of the external namespace, and will forward
> Internet-bound queries (eg, www.cnn.com) to my external DNS server.
> Because servers in the public DMZ also need to talk to some private
> servers, is it wise, or feasible in the first place, to have the
> external DNS server hosts a secondary zone of the internal namespace,
> and restrict queries to this zone only from its own segment and the
> firewall? [Does this defeat the purpose of a split DNS?] Or somehow
> re-directs queries for private servers IP addresses to the internal DNS?
A less complicated setup that is almost free is to have internal
machines in "int.domain.com", running in a separate subdomain.
Using bind-9 / views would permit running this int.domain.com for
clients only, showing none or an empty int.domain.com for outsiders.
Other ideas are discussed in (chapter 11 ?) in "Managing DNS & BIND". If
you don't have it: run - don't walk to the nearest bookstore.
> (Doing static NAT for these private servers would be the best method,
> but are there other methods besides NAT?)
> Appreciate any help from all out here. Thanks in advance.
If you do NAT, you also need to set up a reverse (in-addr.arpa) zone for
best performance. And that is only needed in your internal view.
> Mun
--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but I'm trying to keep spam out.
Remove "icke-reklam" and it works.
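An added illustration of the views-based split DNS described in the reply above, not part of the original thread: a constructed named.conf fragment for BIND 9. example.com stands in for the real domain, 192.0.2.0/24 for the internal range, and the zone file names are assumptions; the internal view carries the real int.example.com data and the reverse zone, while the external view serves an empty int.example.com.

```conf
// Constructed named.conf fragment (BIND 9): split DNS with views.
// Assumptions: example.com is the company domain, 192.0.2.0/24 is the
// internal network, and the zone file paths are placeholders.
// Once views are used, every zone must live inside a view, and views are
// matched in order, so the internal view comes first.
acl internal { 127.0.0.1; 192.0.2.0/24; };

view "internal" {
    match-clients { internal; };
    recursion yes;                  // inside clients may recurse through us

    // Internal hosts live in their own subdomain; only this view serves it.
    zone "int.example.com" {
        type master;
        file "internal/int.example.com.zone";
    };

    // Reverse zone for the private range, needed in the internal view only.
    zone "2.0.192.in-addr.arpa" {
        type master;
        file "internal/2.0.192.in-addr.arpa.zone";
    };

    // Public names as seen from inside (may differ from the external
    // copy if DMZ servers are reached through NAT).
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // never recurse for outsiders

    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };

    // Outsiders see int.example.com as an empty zone: a file holding only
    // the SOA and NS records, so no internal host names or addresses leak.
    zone "int.example.com" {
        type master;
        file "external/int.example.com.empty";
    };
};
```

After loading, querying an int.example.com host from an address outside the acl should return NXDOMAIN, while the same query from 192.0.2.0/24 returns the internal record.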