Split-dns and forwarding

Mark.Andrews at iengines.com
Fri Dec 3 06:22:13 UTC 1999


> Mark,
> 
> Are you saying stub will cause iterative resolution for a domain, even if
> global forwarding is used (to a DMZ server for Internet resolution)?

	The empty forwarders does that.  You need to be able to find the
	roots of the internal name spaces so you need to use one of stub/
	master/slave.
> 
> Thanks,
> Bill
> 
> -----Original Message-----
> From: marka at isc.org [mailto:marka at isc.org]On Behalf Of
> Mark_Andrews at iengines.com
> Sent: Thursday, December 02, 1999 8:48 PM
> To: Bill Myers
> Cc: Bind-Users
> Subject: Re: Split-dns and forwarding
> 
> 
> 
> 	zone "internal.root" {
> 		type {master|slave|stub};
> 		masters { <IPADDRESSLIST> }; // for slave / stub
> 		forwarders { /* empty */ };
> 	};
> 
> 	e.g.
> 
> 	zone "tns-inc.com" {
> 		type stub;
> 		masters { 10.0.0.1; };
> 		forwarders { /* empty */ };
> 	};
> 
> 	Mark
> 
> >
> > I have an unusual security policy that permits direct connection through a
> > stateful inspection firewall for web access, but does not permit direct DNS
> > connection from internal DNS servers to the Internet. Therefore, browsers must
> > resolve Internet and internal names.
> >
> > This is a large network with internal root servers and domain delegation.
> >
> > The only BIND 8.2.x configuration I can envision uses global forwarding to a
> > DMZ DNS; and "forward" zone type for the internal domains, referencing an
> > internal server that does not forward. This seems rather ugly.
> >
> > With Cisco Network Registrar, "resolution exception" configured for inside
> > domains enables iterative resolution; and global forwarding to a DMZ server
> > can be used.
> >
> > Am I missing something on the BIND 8.2.x option?  Perhaps the "forward"
> > zone-type causes the server's resolver to operate iteratively?  Or, does the
> > "forward" zone-type operate like global forwarding, without iteration?
> >
> > Thanks,
> >
> > Bill Myers
> > Total Network Solutions
> > Email wmyers at tns-inc.com
> >
> --
> Mark Andrews, Internet Engines Inc. / Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com
> 
> 
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com
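
An added example, not part of the original message or of BIND itself: a small Python check that, for a named.conf using global forwarding, lists the stub/master/slave zones still missing the empty `forwarders` override shown in the reply above. The sample config, the 192.0.2.53 DMZ address, the corp.example zone and all function names are constructed for illustration.

```python
import re

# Constructed sample named.conf: global forwarding to a DMZ server plus two
# internal zones, only one of which carries the empty forwarders override.
SAMPLE_CONF = """
options {
    forwarders { 192.0.2.53; };   // DMZ server, placeholder address
    forward only;
};
zone "tns-inc.com" { type stub; masters { 10.0.0.1; }; forwarders { /* empty */ }; };
zone "corp.example" { type slave; masters { 10.0.0.1; }; };
"""

def strip_comments(text):
    """Remove the /* */, // and # comment styles that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_after(text, start):
    """Return the body of the first brace block opening at or after `start`."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError("unbalanced braces")

def forwarder_list(body):
    """None if the block has no forwarders clause, else its address list."""
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
    return None if m is None else m.group(1).replace(";", " ").split()

def zones_inheriting_global_forwarders(conf):
    """Names of stub/master/slave zones lacking an empty forwarders override."""
    text = strip_comments(conf)
    opts = re.search(r"\boptions\b", text)
    if not opts or not forwarder_list(block_after(text, opts.start())):
        return []  # no global forwarding configured, nothing to inherit
    flagged = []
    for z in re.finditer(r'\bzone\s+"([^"]+)"', text):
        body = block_after(text, z.end())
        kind = re.search(r"\btype\s+(\w+)", body)
        local = kind and kind.group(1) in ("stub", "master", "slave")
        if local and forwarder_list(body) != []:
            flagged.append(z.group(1))
    return flagged
```

Running `zones_inheriting_global_forwarders(SAMPLE_CONF)` reports only `corp.example`, the zone whose lookups would still follow the global forwarders to the DMZ server.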

