Firewall, split dns and the forwarders directive

Joseph S D Yao jsdy at cospo.osis.gov
Tue Jul 20 11:04:20 UTC 1999


André PIRARD writes:
> And if zardos forwards requests for names in fx.movie.edu zone to a
> forwardee that's neither authoritative for fx.movie.edu nor for
> movie.edu, the forwardee may well send the request back to zardos
> because zardos is authoritative for movie.edu.
> It's a mistake for a name server to make requests to servers that are
> "further away from the answer" than they are.
> It's not always possible to avoid such loops by configuration (to make
> the forwarder or forwardee authoritative for all subzones).
> BIND should not forward requests for its subzones, at least as an
> option.

André, let me pose you a non-hypothetical question.

Zone movie.edu is behind a firewall.  Thus its name server must forward
non-local DNS requests to the firewall to be resolved.  The firewall is
not in our direct control, and is not used as a zone name server (only
as a caching name server).

Because of {work overload, political concerns, inertia, whatever}, the
domain fx.movie.edu is served by a separate name server within the
firewall.

Now, the order of operation is either {zone, forward} or {zone,
forward, lookup}, depending on whether the "forward only" option is on
or not.  This is BY DEFINITION - a part of BIND, you can't change that
without breaking a good many things.  But we never want to forward
requests for "fx.movie.edu" to the firewall.  We always want to ask the
name server, which we KNOW [it's our subdomain, remember?].

André, WITHOUT forwarding requests for our subdomain, which is a zone on
a different server ... tell me how I may do this.  Demonstrate.

Thank you.

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
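The setup Joe describes, written out as an added named.conf example (not from the thread, and not the BIND 8 configuration the 1999 discussion was about): zardos is primary for movie.edu, all non-local queries go to the firewall's caching resolver, and fx.movie.edu is served by a separate internal server. BIND 9 syntax is assumed; all addresses and file names are placeholders. The per-zone `forward` zone is what keeps fx.movie.edu queries off the firewall: a zone statement matches before the global forwarders are consulted, so the lookup path for that name and everything below it becomes {zone match, per-zone forwarders} rather than {zone, global forward}.

```conf
// Added example, not from the bind-users thread. BIND 9 named.conf for
// zardos, the movie.edu server inside the firewall. Addresses and file
// names are placeholders.
options {
    directory "/var/named";
    // Global forwarding: anything zardos is not authoritative for is sent
    // to the firewall's caching resolver, and only there.
    forwarders { 192.0.2.1; };        // placeholder: firewall resolver
    forward only;                      // never try the Internet directly
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   // placeholder: internal clients only
};

// zardos is the primary for movie.edu ...
zone "movie.edu" {
    type master;
    file "db.movie.edu";
};

// ... but fx.movie.edu lives on a separate internal server. This forward
// zone overrides the global forwarders for fx.movie.edu and all names
// below it, so those queries go to the internal server and the firewall
// never sees them. "forward only" here stops zardos from falling back to
// iterative resolution if that server does not answer.
zone "fx.movie.edu" {
    type forward;
    forward only;
    forwarders { 10.1.1.53; };        // placeholder: internal fx.movie.edu server
};
```

Check the file with `named-checkconf` before reloading, then query zardos for `fx.movie.edu SOA` with `dig` while query logging is on (`rndc querylog`) on the internal fx server: the answer should arrive from 10.1.1.53 and nothing for fx.movie.edu should reach the firewall. A `type stub` zone pointing at the same server is an alternative that learns the NS records and queries them directly; the forward zone is the simpler fit when the internal server's address is fixed and you never want a fallback path. Either way the internal fx.movie.edu server must permit queries from zardos's address.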