2 Questions - forward zone and DNS firewalling

N6Ghost n6ghost at gmail.com
Fri Oct 26 16:46:35 UTC 2018


On Fri, 26 Oct 2018 10:40:40 -0400
Bob Harold <rharolde at umich.edu> wrote:

> On Thu, Oct 25, 2018 at 4:34 PM N6Ghost <n6ghost at gmail.com> wrote:
> 
> > Hi All,
> >
> > have two questions first, I am not a huge fan of using forwarding
> > zones and our "load balancing" team has their zone delegated to
> > them in a way that needs an internal forward zone to work properly
> > on the inside and not rely on an internet POP.
> >
> > I want to move a core namespace to the load balancer but I want
> > them to let me assign them a new zone that's internally
> > authoritative and use it as the LB domain.
> >
> > which would be:
> > cname name.domain.com -> newname.newzone.domain.com
> >
> > they want:
> > cname name.domain.com -> newname.oldzone.domain.com
> >
> > old zone is directly delegated from outside to them so we need an
> > internal forward zone for it. I don't want to rely on that.
> >
> > Any thoughts on this? What can I use to present to management to win
> > this?
> >  
> 
> The users should never see the domain that the CNAME points at, it is
> just an internal name used by DNS.  If they can change where "
> newname.oldzone.domain.com" points more easily than "
> newname.newzone.domain.com" then they might have a valid reason to
> want it.  Otherwise, newname.newzone.domain.com will be a faster and
> more reliable choice.

I agree with this, basically the deal is we have a parent who owns our
primary DNS zone which we hang off of. Their DNS NS is outside of our
network. So, all of our zones are delegated to us. (We have a pretty
big DNS infrastructure) and we then create our own namespaces, zones,
whatever we need. We have our own public and internal NS.

My issue with the load balancer is they went around that and had the
parent delegate to them... and had us create a forward to them, to
prevent lookups from relying on needing to always go to the parent.

If we were authoritative, no outside lookup would be needed.

I think that's a bad way to do it, and I want to avoid having our
critical namespaces (ldap and ldaps) use it like that.


> 
> Definitely avoid forwarding when possible.  It causes slower lookups
> and more points of failure.  (There will occasionally be times when it
> has some advantage, or requirement.)
> 

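To make the two arrangements being compared concrete, here is an added illustration of the BIND configuration involved. It is not configuration posted in this thread or by either participant; the zone names follow the thread, while the addresses (RFC 5737 documentation ranges), server names, the `lbteam-key` TSIG key (assumed to be defined elsewhere in named.conf) and the file paths are all assumed.

```conf
// ---- named.conf on the internal recursive servers ----
// The arrangement the load-balancing team asked for: their zone is
// delegated to them by the parent, so internal resolvers need a forward
// zone to reach it without going out to the parent's NS on the Internet.
zone "oldzone.domain.com" {
    type forward;
    forward only;                 // with "forward first", an unreachable
                                  // forwarder falls back to recursion via
                                  // the parent's Internet-facing NS, which
                                  // is the dependency the poster wants gone
    forwarders { 192.0.2.10; 192.0.2.11; };   // LB team's DNS servers (assumed)
};

// ---- named.conf on the internal authoritative servers ----
// The proposed arrangement: a new zone that the poster's own servers are
// authoritative for, so no forwarder or outside lookup is involved.
zone "newzone.domain.com" {
    type master;                  // spelled "primary" in BIND 9.16 and later
    file "/var/named/newzone.domain.com.db";
    // Optional: let the LB team manage their own records with TSIG-signed
    // dynamic updates, which addresses Bob's "can they change it easily"
    // point without handing them a delegation. Key name is assumed.
    update-policy { grant lbteam-key zonesub ANY; };
};

; ---- /var/named/newzone.domain.com.db (zone-file syntax, ';' comments) ----
$TTL 300
@       IN SOA ns1.domain.com. hostmaster.domain.com. (
            2018102601  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            300 )       ; negative-cache TTL
        IN NS   ns1.domain.com.
        IN NS   ns2.domain.com.
newname IN A    192.0.2.50      ; load balancer VIP (assumed address)

; ---- records in the domain.com zone itself ----
; delegation of the new zone to the internal authoritative servers, and
; the CNAME the poster wants instead of one pointing into oldzone
newzone IN NS    ns1.domain.com.
newzone IN NS    ns2.domain.com.
name    IN CNAME newname.newzone.domain.com.
```

The check worth running before rolling this out: with the forward zone in place, stop or firewall off the forwarders and query `newname.oldzone.domain.com` from an internal resolver; under `forward only` it returns SERVFAIL, and under `forward first` it quietly starts recursing through the parent. The same test against `newname.newzone.domain.com` keeps answering as long as the internal authoritative servers are up, which is the argument for the second layout. If external clients must also resolve names under newzone.domain.com, the NS delegation has to exist in the public copy of domain.com as well, pointing at the public authoritative servers.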