Split-dns and forwarding

Bill Myers wmyers at tns-inc.com
Fri Dec 3 01:16:38 UTC 1999


I have an unusual security policy that permits direct connection through a
stateful inspection firewall for web access, but does not permit direct DNS
connection from internal DNS servers to the Internet. Therefore, browsers must
resolve Internet and internal names.

This is a large network with internal root servers and domain delegation.

The only BIND 8.2.x configuration I can envision uses global forwarding to a
DMZ DNS; and "forward" zone type for the internal domains, referencing an
internal server that does not forward. This seems rather ugly.

With Cisco Network Registrar, "resolution exception" configured for inside
domains enables iterative resolution; and global forwarding to a DMZ server
can be used.

Am I missing something on the BIND 8.2.x option?  Perhaps the "forward"
zone-type causes the server's resolver to operate iteratively?  Or, does the
"forward" zone-type operate like global forwarding, without iteration?

Thanks,

Bill Myers
Total Network Solutions
Email wmyers at tns-inc.com
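As an added illustration of the BIND 8.2.x layout Bill describes (this fragment is not from his post and not a vendor-supplied configuration; the domain corp.example and the 192.0.2.x / 198.51.100.x addresses are placeholders), a named.conf for the internal caching server might look like this. Variant A is exactly the two-server arrangement in the post. Variant B relies on a BIND behaviour I am stating as an assumption to be checked against the 8.2 documentation: a forward zone with an empty forwarders list cancels the global forwarders for that domain, so the caching server walks the internal delegation itself from the internal root hints.

```conf
// Added example named.conf for an INTERNAL caching server (not from the post).
// Placeholders: corp.example, 198.51.100.53 (DMZ resolver), 192.0.2.10
// (internal non-forwarding server), 192.0.2.1 (internal root).

options {
    directory "/var/named";
    // Policy: internal servers never query the Internet directly.
    // Everything not handled by a zone below goes to the DMZ resolver only.
    forward only;
    forwarders { 198.51.100.53; };
};

// Root hints name the INTERNAL roots, not the Internet roots, so even if the
// firewall policy were loosened this server has no Internet root to talk to.
zone "." {
    type hint;
    file "internal.root.hints";    // contains e.g. ". NS root1.corp.example."
                                   // and "root1.corp.example. A 192.0.2.1"
};

// Variant A (the arrangement described in the post): queries for the internal
// namespace are forwarded to an internal server that has NO forwarders
// configured and resolves iteratively from the internal roots.
zone "corp.example" {
    type forward;
    forwarders { 192.0.2.10; };
};

// Variant B (assumption, verify against the BIND 8.2 docs): an empty forwarders
// list in a forward zone turns forwarding OFF for that domain, overriding the
// global forwarders, so this server resolves corp.example iteratively itself
// via the hints above and the second internal server is unnecessary.
// zone "corp.example" {
//     type forward;
//     forwarders { };
// };
```

Whichever variant is used, the same treatment is needed for the reverse zones of the internal address space (the relevant in-addr.arpa subtrees); otherwise PTR lookups for private addresses are forwarded to the DMZ resolver, which both fails and leaks internal address usage outward. Query logging on the DMZ resolver is a cheap check that nothing internal is escaping.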

