BIND and DNSSEC
Sten Carlsen
stenc at s-carlsen.dk
Thu Nov 1 14:35:08 UTC 2012
On 01/11/12 12:26, Alan Clegg wrote:
> On Nov 1, 2012, at 7:14 AM, Kobus Bensch <kbensch at fullnet.co.uk> wrote:
>
>> Is that because split horizon doubles admin or because it's bad altogether?
>>
>> I have been using split horizon for many years now and found it very useful. Any thoughts from any on the list would be most welcomed.
> Crafted for a private reply, but being re-used here:
>
> There are places that views/split-horizon fit the model that has been put into place. It does, however, break the "one-question, one-answer" concept that was foundational for DNS.
>
> My recommendation is that for "internal" addressing, a separate zone be created that serves that address space. You gain a number of things from this, including easier debugging and better data security (no-longer are you concerned about exactly what clients are seeing at "www.internal.example.com" since you know that the only people able to resolve/route "internal.example.com" are the ones that should be able to).
I believe that thinking is no longer valid with laptops moving around. I assume you don't have enough public addresses to give everything its own address; I don't, my servers work through a NAT. They are behind NAT partly for lack of IPs and partly because I want to keep their other ports away from accidental exposure to script kiddies; I know more concerted efforts will do more harm.

The typical server setup (for own servers) is that one name is used for setting up e.g. the mail server; the ideal situation for everybody is that whether I am in house or visiting you, if I have any internet access, I can read and send mail.

Now if there is an internal zone with a different name, how will you set up the mail client? The internal name is not accessible from outside and the external name is not present in the internal name space. -> Two mail clients? Changing setups when moving between networks?

My solution is to have exactly the same names internally and externally; any client SW will just ask for the same server but the IP will differ with the network segment.
IPv6 will change all that of course.
> The problem lies in that over the years, people (usually the higher-ups) have been trained (by us, the in-the-trench guys) that "www.example.com" can be one thing internally and something else externally, or that their printer really _should_ be named myprinter.example.com and not myprinter.internal.example.com.
>
> All the best,
> AlanC
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
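The setup Sten describes (one name, a different address depending on the network segment the query comes from) is what BIND views implement. The following named.conf fragment is an added example, not configuration from anyone in this thread; the networks, addresses and file paths are constructed placeholders.

```conf
// Added example (not from the thread): split-horizon example.com with BIND views.
// Networks, addresses and file paths below are constructed placeholders.
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

// Views are tried in order and the first whose match-clients fits the
// querying client wins, so the narrower internal view must come first.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;          // LAN clients may use this server as their resolver
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;           // authoritative only: no open resolver towards the Internet
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};

// Once any view is declared, every zone must be placed inside a view.
// Each view keeps its own zone data and cache, so if example.com is
// DNSSEC-signed, each copy has to be signed (e.g. inline-signing in each
// zone statement); a signature made for one view's RRset is not valid for
// the other's, because the A records differ.

; --- /etc/bind/zones/db.example.com.internal (excerpt, zone-file syntax) ---
mail    IN  A   192.168.1.25    ; private address, only reachable on the LAN

; --- /etc/bind/zones/db.example.com.external (excerpt, zone-file syntax) ---
mail    IN  A   203.0.113.25    ; public address (TEST-NET-3 placeholder)
```

The two zone files hold the same names with different addresses, which is exactly the "one question, two answers" Alan objects to; debugging a report of a wrong answer therefore starts with checking which view the client's source address matched.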