Same zone, separate views, on different servers

Sasso, John IT JSasso at mvphealthcare.com
Mon Jul 15 14:57:46 UTC 2002


I figured this much, but I was not certain (which is why I thought I'd ask
the experts).  The whole gist of my question was that I figured it would be
more secure to have the internal (private) nameserver behind one tier of the
firewall (not directly accessible from the Internet), and the Internet
(public) nameserver on another tier (which is accessible from the 'net).
Then if some host on the private net did a query for a name that was in our
public zone, the private nameserver would forward the query onto the public
nameserver.

So I guess my idea isn't quite feasible, eh?  I'll have to stick w/
separating and securing the zones w/ views, even if the nameserver is
exposed to the 'net (albeit behind a firewall, and only accessible via
TCP/UDP 53).  Granted, I would harden the nameserver on other ends as well,
not just BIND.

--john

-----Original Message-----
From: those who know me have no need of my name
[mailto:not-a-real-address at usa.net]
Sent: Monday, July 15, 2002 2:57 AM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Same zone, separate views, on different servers



in comp.protocols.dns.bind i read:
>"Sasso, John IT" wrote:

>> Say you have a domain xyz.com, and you want to configure two different
>> nameservers to provide name records for the zone: one for non-public records
>> just for the private network, and the other for public records accessible
>> from Internet hosts.  The private nameserver must not be accessible from the
>> 'net, although the public and private nameservers should be able to talk to
>> each other so the public one can pass resolved Internet names to the private
>> one (i.e. those that the private one requested), including names in xyz.com
>> that are publicly accessible but the private nameserver is not authoritative
>> for.

>Sure, this is possible. 

no, the private server will be authoritative for xyz.com so it will never
forward requests to the public server.  at least not without using annoying
tricks (make each internal host its own zone).

-- 
bringing you boring signatures for 17 years
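The configuration John ends up with (one BIND server, the same zone in two views, no forwarding between a private and a public server) looks like the following. This is an added example, not configuration posted in the thread; the ACL name "internal", the address ranges, and the file names are assumptions.

```conf
// Added example, not from the thread: split-horizon views for xyz.com on a
// single BIND 9 server.  Views are matched in order, so the private view
// must come first; once views are used, every zone must live inside a view.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // assumed ranges

options {
    directory "/var/named";
    allow-transfer { none; };       // no zone transfers unless a secondary needs them
    version "not disclosed";        // do not advertise the BIND version
};

view "private" {
    match-clients { "internal"; };
    recursion yes;                  // internal hosts may use this server as a resolver
    allow-recursion { "internal"; };
    zone "xyz.com" {
        type master;
        file "private/xyz.com.zone";   // internal names plus everything in the public file
    };
};

view "public" {
    match-clients { any; };         // everything that did not match "internal"
    recursion no;                   // authoritative only toward the Internet
    allow-query-cache { none; };    // public clients cannot read cached answers
    zone "xyz.com" {
        type master;
        file "public/xyz.com.zone";    // only names that must be reachable from the 'net
    };
};
```

Because the server is authoritative for xyz.com in both views, an internal client asking for a public xyz.com name is answered from the private zone file, which is the reason the thread gives for keeping the private data a superset of the public data rather than forwarding. A quick check after deploying is to query the SOA of xyz.com from an internal address and from an external one and confirm that each side sees only its own view (different serials or different record sets) and that the external query gets no recursion.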

