Split-dns and forwarding
Mark.Andrews at iengines.com
Fri Dec 3 01:48:16 UTC 1999
	zone "internal.root" {
		type {master|slave|stub};
		masters { <IPADDRESSLIST> };	// for slave / stub
		forwarders { /* empty */ };
	};

	e.g.

	zone "tns-inc.com" {
		type stub;
		masters { 10.0.0.1; };
		forwarders { /* empty */ };
	};
Mark
>
> I have an unusual security policy that permits direct connection through a
> stateful inspection firewall for web access, but does not permit direct DNS
> connection from internal DNS servers to the Internet. Therefore, browsers must
> resolve Internet and internal names.
>
> This is a large network with internal root servers and domain delegation.
>
> The only BIND 8.2.x configuration I can envision uses global forwarding to a
> DMZ DNS; and "forward" zone type for the internal domains, referencing an
> internal server that does not forward. This seems rather ugly.
>
> With Cisco Network Registrar, "resolution exception" configured for inside
> domains enables iterative resolution; and global forwarding to a DMZ server
> can be used.
>
> Am I missing something on the BIND 8.2.x option? Perhaps the "forward"
> zone-type causes the server's resolver to operate iteratively? Or, does the
> "forward" zone-type operate like global forwarding, without iteration?
>
> Thanks,
>
> Bill Myers
> Total Network Solutions
> Email wmyers at tns-inc.com
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at iengines.com
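
The override in the reply above, as an added example (not part of the original post or of BIND): a small Python model that reads a named.conf and reports where a query name would be sent, so internal zones missing the empty forwarders override stand out. The DMZ forwarder 192.0.2.53, the zone corp.example and the function names are assumptions for illustration, and the model assumes the closest enclosing zone with a forwarders statement wins.

```python
import re

# Constructed sample named.conf (BIND 8.2.x style). 192.0.2.53 stands in for
# the DMZ forwarder and "corp.example" is a hypothetical internal zone that
# lacks the override; the tns-inc.com zone is the one from the reply above.
SAMPLE_CONF = '''
options {
    forward only;
    forwarders { 192.0.2.53; };   // DMZ DNS
};
zone "tns-inc.com" {
    type stub;
    masters { 10.0.0.1; };
    forwarders { /* empty */ };
};
zone "corp.example" {
    type stub;
    masters { 10.0.0.1; };
};
'''

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def forwarder_list(body):
    """Return the forwarders list in a block, or None if there is no statement."""
    m = re.search(r'\bforwarders\s*\{([^}]*)\}', body)
    return None if m is None else m.group(1).replace(';', ' ').split()

def parse(conf):
    # Assumes every top-level block closes with "};" at the start of a line.
    conf = strip_comments(conf)
    opts = re.search(r'\boptions\s*\{(.*?)\n\};', conf, flags=re.S)
    global_fw = forwarder_list(opts.group(1)) if opts else None
    zones = {}
    for name, body in re.findall(r'\bzone\s+"([^"]+)"\s*\{(.*?)\n\};', conf, flags=re.S):
        zones[name.lower().rstrip('.')] = forwarder_list(body)
    return global_fw or [], zones

def resolution_path(qname, conf=SAMPLE_CONF):
    """Forwarders a query for qname would be sent to ([] = no forwarding)."""
    global_fw, zones = parse(conf)
    labels = qname.lower().rstrip('.').split('.')
    for i in range(len(labels)):          # longest matching zone first
        zone = '.'.join(labels[i:])
        if zone in zones and zones[zone] is not None:
            return zones[zone]            # zone-level statement overrides global
    return global_fw
```

An empty list means the name is resolved without forwarding; host.corp.example still returns the DMZ forwarder because its zone has no override.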