Split DNS for large organizations

Jim Reid jim at rfc1035.com
Wed Dec 15 21:49:18 UTC 1999


>>>>> "Rainer" == Rainer Ginsberg <Rainer.Ginsberg at de.bosch.com> writes:

    Rainer> At the moment, only our firewalls know Internet DNS. In
    Rainer> the intranet, we have our own root name servers. But we
    Rainer> use the same domain names in the Internet and intranet.

    Rainer> We are now investigating the possibility of using split DNS.

Well, you're already doing split DNS because of your internal root
name servers.

    Rainer> My questions are: Will views be implemented in BIND?

They are planned for BIND9 which is due out in April next year.

    Rainer> Or: Do other large organizations use split DNS with forwarders?

I'm sure there are some. It depends on how those large organisations
connect to the Internet, what their security policies are and so on.

If most/all hosts on your net don't need to resolve external names
internally, you don't need forwarding name servers. In fact there
would be no requirement to query internet name servers on most of the
internal net. Organisations which do this rely on proxy servers to
access the Internet. This can be good from a security point of view
because all external access has to go through these proxy servers and
relays - which can do internet DNS lookups - where it can presumably
be monitored and controlled. The problem of this approach is that some
applications are not well suited to proxying.

If your intranet does need to resolve Internet names and addresses,
forwarding still might not be necessary. Just allow all internal name
servers to speak DNS through your firewalls to any name servers on the
outside. This works, though may be too permissive for your network's
security people.

Forwarding is necessary when only a few name servers internally are
allowed to send and receive queries to/from the internet AND internal
hosts need to resolve external names. In this setup, most internal
name servers have to forward their queries to these "trusted" servers
who then lookup the names on the internet and forward the answers back
to the internal name server. This works too, but frankly it's ugly and
inelegant. First of all, lookups of internal names get forwarded to
these trusted servers too. [Per-zone forwarding in BIND8 alleviates
this a little.] This places unnecessary load on your network and on
those servers. Secondly, the operation of those trusted servers
becomes critical. If they stop or become unreachable, name resolution
on your net either stops or gets *very* slow because just about every
lookup on your net has to go to those systems. This creates a single
point of failure even if there are several trusted servers. It's for
this reason that forwarding is generally not a good idea for DNS on
big networks.

When forwarding is deployed on large intranets, there's a tendency to
end up with scenarios where server A forwards to server B which
forwards to...  These setups are usually undocumented too. [The system
admin at some factory stumbled on a name server configuration that
seemed to work and told all his/her friends about it.] Then someone
renumbers server D or switches off its name server and all of a sudden
the sky falls in because mail stops working or the DNS lookups in the
network operations centre take an eternity to resolve.

There are a few setups where forwarding is a necessary evil, but even
then, there are usually other options. My advice - it's worth what
you're paying for it! - is to avoid forwarding name servers if at all
possible. Why make one or two of your name servers do all the work
when each name server on your net is perfectly capable of doing the
job for itself? It's a bit like building an 8-lane autobahn, forcing
all the traffic into one lane and hoping that nobody ever breaks down
or runs out of fuel.

I'd guess that for a company as big as Bosch, introducing forwarding
name servers will be unlikely to bring many benefits. In fact, I
suspect they'd probably create a lot of headaches in configuring,
deploying and administering the DNS throughout the company. [Just
think of the cost and hassle of renumbering those trusted name
servers.] OTOH, you may have legacy applications which imply that some
form of forwarding might be necessary. Hopefully these would be an
exception rather than the general rule.
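As an added illustration (not part of the original post), here are two alternative BIND 9 named.conf fragments for the arrangements discussed above: global forwarding to a few "trusted" servers, versus the per-zone forwarding that keeps internal lookups off those servers. BIND 9 syntax is assumed; the addresses, zone names and file names are placeholders.

```conf
// ---- Alternative 1: global forwarding (one named.conf) -----------------
// Every name this server cannot answer from its own zones is sent to the
// few "trusted" servers allowed through the firewall, including names in
// other internal zones. If both forwarders are unreachable, all recursion
// on this server stops.
options {
    directory "/var/named";
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder addresses
};

// ---- Alternative 2: per-zone forwarding (a separate named.conf) --------
// Internet names still go to the trusted servers, but a forward zone with
// an empty forwarders list cancels the global forwarders for the internal
// domain, so those lookups are resolved by iteration from the site's own
// internal root servers. Loss of the trusted servers then only affects
// Internet lookups, not internal ones.
options {
    directory "/var/named";
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder addresses
};

// Hints pointing at the internal root servers (placeholder file), so
// iteration for internal names never has to leave the intranet.
zone "." {
    type hint;
    file "internal-root.hints";
};

// Placeholder internal domain: the empty list switches forwarding off
// for this name and everything below it.
zone "corp.example" {
    type forward;
    forwarders { };
};

// Zones this server is authoritative for are answered locally under
// either alternative; forwarding only governs recursion.
zone "plant1.corp.example" {
    type master;
    file "plant1.corp.example.zone";
};
```

Reload with `rndc reload` after editing and confirm with `dig` that an internal name resolves while the forwarders are down and an Internet name does not.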

