Unapproved AXFR?

Jim Reid jim at rfc1035.com
Tue Dec 14 19:49:08 UTC 1999


>>>>> "Barry" == Barry Margolin <barmar at bbnplanet.com> writes:

    > From: Dave Wreski <dave at nic.com>
    >    I had a question about split DNS, actually.  Is there
    > really much difference between configuring split DNS and
    > creating zones that are not resolvable from unauthorized
    > domains?

Yes.

    > Now that bind8 has allow-query, it seems less of an advantage...

This doesn't cut it for some cases. Read on...

    Barry> Most organizations don't want to have different zones.
    Barry> They want to use company.com internally and externally, but
    Barry> the external version will have a subset of the contents

Not always. Sometimes the internal and external name spaces for the
same domain are completely different. For instance the version of
bigcompany.com on the Internet has details of their public web
servers, mail relays, name servers and so on. The version of
bigcompany.com on their intranet contains info about the internal mail
relays and web servers, which may well be located behind firewalls so
that they cannot be reached from the outside. [The internal web
servers might contain company-confidential data, well away from the
public's eyes for example.] For these sorts of setups split DNS is the
only way to go. How else can you ensure that internal and external
users go to the right web server or mail relay? A similar thing goes
for reverse zones: the IP space bigcompany.com uses internally might
not be visible or routable on the Internet and vice versa.

You sometimes see these things with extranets too. Suppose bigcompany1
has a tie-up with bigcompany2. They have a controlled linkage of their
nets for the stuff that's in their joint venture. Both of these
companies might not want or be able to let the other see the whole of
their network. allow-query statements are unlikely to do the job here
either. Someone in bigcompany1 gets a REFUSED error from bigcompany2's
name servers because they're not in the IP space of the joint venture
instead of being pointed at bigcompany2's external web server or
whatever.
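The two setups contrasted above, as an added configuration example (not from the original post or from ISC): a single zone protected only by allow-query, beside a split-DNS layout using BIND 9 views. Views did not exist in the bind8 mentioned in the thread; they arrived with BIND 9. The ACL ranges, the partner prefix 192.0.2.0/24, the zone file names and the third "jointventure" view are all constructed for illustration; the partner view goes slightly beyond the post by showing how the extranet case can be served a third, partner-specific copy of the zone instead of REFUSED.

```conf
// Constructed example named.conf (BIND 9 syntax); addresses are placeholders.
acl "intranet"  { 10.0.0.0/8; 192.168.0.0/16; };   // bigcompany's internal nets (constructed)
acl "jvpartner" { 192.0.2.0/24; };                 // bigcompany2's joint-venture link (constructed)

// --- Approach 1: one zone, access restricted with allow-query ---
// An outside client (or a partner not in the ACL) asking for bigcompany.com
// gets REFUSED; nothing points them at the public web server or mail relay.
//
// zone "bigcompany.com" {
//     type master;
//     file "bigcompany.com.zone";
//     allow-query { intranet; };
// };

// --- Approach 2: split DNS with views ---
// The same name, bigcompany.com, answers with different data depending on
// who is asking. Views are matched in order, so the most specific go first.

view "internal" {
    match-clients { intranet; };
    recursion yes;
    zone "bigcompany.com" {
        type master;
        file "internal/bigcompany.com.zone";   // internal relays, intranet web servers
    };
    zone "0.10.in-addr.arpa" {
        type master;
        file "internal/0.10.in-addr.arpa.zone";  // reverse zone for space not routed outside
    };
};

view "jointventure" {
    match-clients { jvpartner; };
    recursion no;
    zone "bigcompany.com" {
        type master;
        file "partner/bigcompany.com.zone";    // only the hosts involved in the joint venture
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "bigcompany.com" {
        type master;
        file "external/bigcompany.com.zone";   // public web servers, MX, NS only
    };
};
```

Each view carries its own copy of the zone file, so the internal file can list hosts behind the firewall while the external file never mentions them. With this layout a client's source address selects which version of bigcompany.com it sees rather than whether it gets an answer at all, which is the difference the post draws between allow-query and true split DNS. Zone transfers should be restricted per view too (allow-transfer in each zone statement), so that the internal copy cannot be pulled with AXFR from the outside.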


More information about the bind-users mailing list