Distributing DNS servers

Barry Margolin barmar at bbnplanet.com
Sat Aug 28 00:02:05 UTC 1999


In article <Pine.BSF.4.01.9908271847340.23631-100000 at phoenix.aye.net>,
Barrett Richardson  <barrett at phoenix.aye.net> wrote:
>Hmm. There is only one exit point to the Internet on this particular
>network. They have exhausted their address space and have resorted
>to using some IP's in the 172.16 - 172.xx range. Some segments are
>on these IP's, some on registered IP's. What I was thinking of was
>having multiple a.b.c.d's, (the authoritative primary) potentially
>on the 172.xx networks as well. With a single entry point into the network
>the border router (actually the firewall just behind it) will have no way
>of knowing which a.b.c.d to send a packet to. I guess I need to have
>unique sources inside the firewall that all the other nameservers
>behind the firewall forward requests for hosts outside the domain to.

All the a.b.c.d's should be equivalent, so it doesn't matter which a.b.c.d
they send the packet to, does it?

>Another problem is that most of the users are using a.b.c.d for the
>nameserver in their clients -- which is the authoritative primary.
>Some of their webservers in the future will be placed on 172.xx
>addresses -- but for queries that come from the internet, the
>nameserver needs to dole out an address for a registered IP (
>the firewall will deal with connectivity to it). So I need to
>put a.b.c.d on the DMZ so the firewall and it needs to have
>different info about the state.ky.us domain than the internal
>a.b.c.d nameservers. Management doesn't want a large user base
>with limited skills mucking around with the network configuration
>on their workstations, and I want to avoid changing the authoritative
>primary (as far as the internet is concerned) if possible.

It sounds like you need to configure your routing protocol so that internal
users don't get routed to the external a.b.c.d, and vice versa.

>How about when queries originate from the internal nameservers?
>If a.b.c.d is on a loopback, the ethernet is on x.x.x.x, a request
>being sent out has source of x.x.x.x, right? 

Right.  You can use the "query-source" option to specify a particular
source address that is forced on queries that named sends out.

As I mentioned, we've been using a similar configuration (except we don't
have the firewall complication that you have) for several months and it
works like a charm.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
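A named.conf fragment illustrating the loopback-plus-query-source setup discussed in the reply above; this is an added example, not configuration from the thread or from BBN. It assumes 192.0.2.53 stands in for the shared a.b.c.d address and 172.16.20.5 for this replica's own interface (x.x.x.x); both are placeholder addresses.

```conf
// Added example, not from the original thread.
// One internal replica of the shared nameserver address a.b.c.d.
// Placeholder addresses:
//   192.0.2.53  = a.b.c.d, the shared service address, configured on the
//                 loopback interface of every replica by the OS
//   172.16.20.5 = x.x.x.x, this host's real ethernet address (unique)
options {
    directory "/var/named";

    // Answer client queries arriving on either the shared address
    // (the one users have configured) or this host's own address.
    listen-on {
        192.0.2.53;
        172.16.20.5;
    };

    // Force the source address of outbound queries to the unique
    // interface address, so replies come back to this replica and not
    // to whichever a.b.c.d the routers happen to prefer.
    // Leave the port as "*" so named keeps choosing its own source port
    // rather than pinning every query to one fixed port.
    query-source address 172.16.20.5 port *;
};
```

The same fragment works for each replica; only the `172.16.20.5` value changes per host, while the shared `192.0.2.53` stays the same everywhere.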

