DNS best practice - server placement
Kevin Darcy
kcd at chrysler.com
Fri Jul 25 01:22:31 UTC 2008
Barry Margolin wrote:
> In article <g6af6u$2qvn$1 at sf1.isc.org>,
> paleale at sonic.net (Alan Strassberg) wrote:
>
>
>> What's preferable -
>>
>> * An internal DNS server with forwarder statements to an upstream (ISP)
>> DNS for Internet resolution, or
>>
>> * An internal DNS server forwarding to a DMZ DNS server that does
>> the upstream query.
>>
>> Other than performance issues, is the internal + DMZ design "better"
>> or is this just adding latency and more points of failure?
>>
>> What's the best practice architecture for a large corporation?
>>
>> alan
>>
>
> Is "None of the above" an acceptable answer? What's wrong with
>
> * An internal DNS server that does normal iterative resolution from the
> roots.
>
From strictly a DNS architecture/operational standpoint, that's best,
but it's probably the *least* acceptable to the security/auditing
department of a large corporation. It means opening holes directly
between the internal network and Internet. The whole point of having a
DMZ is to avoid doing that.
I think a better question is: why is an *internal* server resolving
Internet names in the first place, either directly or indirectly? I
think most folks these days are going to a proxy model where the only
things that need resolution of the Internet names are the proxies. In
which case they can ask a DMZ nameserver, they don't need to talk to an
"internal" nameserver to get that resolution.
- Kevin
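The two-tier (internal forwarder + DMZ resolver) design discussed in the thread, written out as BIND named.conf fragments. This is an added illustration, not configuration posted by anyone in the thread; the addresses (10.0.0.0/8 internal, 192.0.2.0/24 DMZ, the proxies at 192.0.2.10 and .11) are assumed placeholders.

```conf
// Added example, not from the thread. Two separate named.conf files are
// shown back to back; addresses are made-up placeholders.

// ===== File 1: internal nameserver (inside the firewall) =====
// Authoritative for internal zones. Anything else goes to the DMZ
// resolver; this host never needs to reach the Internet roots itself,
// so the firewall can block port 53 from the internal network outright.
options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    allow-query { 10.0.0.0/8; };       // internal clients only
    allow-recursion { 10.0.0.0/8; };
    forward only;                      // no fallback to iterative lookups
    forwarders { 192.0.2.53; };        // the DMZ resolver
};

zone "corp.example" {
    type master;
    file "corp.example.zone";
};

// ===== File 2: DMZ resolver =====
// Does iterative resolution from the root hints. Recursion is limited to
// the internal nameserver and the outbound proxies (the "proxy model" in
// the reply above), so a compromised DMZ host cannot use it as an open
// resolver and the only system allowed outbound port 53 is this one.
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-query { 10.0.0.53; 192.0.2.0/24; };
    allow-recursion { 10.0.0.53; 192.0.2.10; 192.0.2.11; };
    allow-query-cache { 10.0.0.53; 192.0.2.10; 192.0.2.11; };
};

zone "." {
    type hint;
    file "named.root";               // root hints file
};
```

If the proxy model is adopted fully, the `forward only`/`forwarders` lines on the internal server can be dropped, leaving it with no path to Internet names at all.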