Split-dns and forwarding

Bill Myers wmyers at tns-inc.com
Fri Dec 3 06:11:32 UTC 1999


Mark,

Are you saying stub will cause iterative resolution for a domain, even if
global forwarding is used (to a DMZ server for Internet resolution)?

Thanks,
Bill

-----Original Message-----
From: marka at isc.org [mailto:marka at isc.org]On Behalf Of
Mark_Andrews at iengines.com
Sent: Thursday, December 02, 1999 8:48 PM
To: Bill Myers
Cc: Bind-Users
Subject: Re: Split-dns and forwarding



	zone "internal.root" {
		type {master|slave|stub};
		masters { <IPADDRESSLIST> }; // for slave / stub
		forwarders { /* empty */ };
	};

	e.g.

	zone "tns-inc.com" {
		type stub;
		masters { 10.0.0.1; };
		forwarders { /* empty */ };
	};

	Mark

>
> I have an unusual security policy that permits direct connection through a
> stateful inspection firewall for web access, but does not permit direct DNS
> connection from internal DNS servers to the Internet. Therefore, browsers must
> resolve Internet and internal names.
>
> This is a large network with internal root servers and domain delegation.
>
> The only BIND 8.2.x configuration I can envision uses global forwarding to a
> DMZ DNS; and "forward" zone type for the internal domains, referencing an
> internal server that does not forward. This seems rather ugly.
>
> With Cisco Network Registrar, "resolution exception" configured for inside
> domains enables iterative resolution; and global forwarding to a DMZ server
> can be used.
>
> Am I missing something on the BIND 8.2.x option?  Perhaps the "forward"
> zone-type causes the server's resolver to operate iteratively?  Or, does the
> "forward" zone-type operate like global forwarding, without iteration?
>
> Thanks,
>
> Bill Myers
> Total Network Solutions
> Email wmyers at tns-inc.com
>
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com
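
An added example, not part of the thread or of BIND: a small Python audit that reads a named.conf and reports, per zone, whether it overrides global forwarding with an empty `forwarders` list as in Mark's reply, so internal names are not sent to the DMZ forwarder. The sample config, the addresses 192.0.2.53 and 10.0.0.2, and the zone `corp.example` are constructed; the script assumes a zone with no `forwarders` statement inherits the global list.

```python
import re

# Constructed sample named.conf; only the tns-inc.com zone comes from the thread.
SAMPLE_CONF = '''
options {
    forwarders { 192.0.2.53; };  // DMZ server, constructed address
    forward only;
};
zone "tns-inc.com" {
    type stub;
    masters { 10.0.0.1; };
    forwarders { /* empty */ };
};
zone "corp.example" { type stub; masters { 10.0.0.2; }; };
'''

def strip_comments(text):
    """Remove /* */, // and # comments so their contents are not parsed."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def body_at(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += (text[i] == '{') - (text[i] == '}')
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError('unbalanced braces')

def forwarders_in(body):
    """None if the block has no forwarders statement, else its address list."""
    m = re.search(r'\bforwarders\s*\{([^}]*)\}', body)
    return None if m is None else m.group(1).replace(';', ' ').split()

def audit(conf):
    """Map each zone name to (status, forwarder addresses used for it)."""
    text = strip_comments(conf)
    opts = re.search(r'\boptions\s*\{', text)
    global_fwd = (forwarders_in(body_at(text, opts.end() - 1)) if opts else None) or []
    result = {}
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        fwd = forwarders_in(body_at(text, z.end() - 1))
        if fwd is None:  # no statement: assumed to inherit the global list
            result[z.group(1)] = ('inherits-global', global_fwd)
        else:            # empty list disables forwarding for this zone
            result[z.group(1)] = ('zone-forwarders', fwd) if fwd else ('no-forwarding', [])
    return result
```

Any internal zone reported as `inherits-global` is one whose lookups would go to the DMZ forwarder rather than to the internal servers.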


