DNS External/Internal Shadow Domains?

Joseph S D Yao jsdy at cospo.osis.gov
Fri Nov 12 20:42:58 UTC 1999


On Thu, Nov 11, 1999 at 10:09:19PM -0700, Cricket Liu wrote:
> > Thanks to the new "de-forwarding" feature of BIND, the internal nameservers
> > could selectively use the internal roots for internal domains and forward for
> > everything else, thus reaping the rewards of both architectures, i.e. the
> > ability to resolve Internet names via forwarding, while at the same time
> > exploiting the robustness, adaptability and scalability of an internal-root
> > architecture for everything internal.
> 
> Yeah, I thought of that some time ago, back when the new forwarding
> features were spec'd, but it doesn't work.  When you try to set this up,
> you'll notice that in a configuration like this:
> 
> options {
>     forwarders { external.forwarder; };
> };
> 
> zone "internal.zone" {
>     type stub;
>     file "stub.internal.zone";
>     forwarders {};
> };
> 
> zone "." {
>     type hint;
>     file "internal.root.hints";
> };
> 
> ...your system query gets sent to your forwarder.  Since the forwarder
> sees the Internet name space, you get the Internet's root name servers
> in the response, and you ignore the contents of your root hints file.
> Consequently, you don't use your internal roots.
> 
> If you've found a way around this, I'd love to hear it.
> 
> cricket
> 
> Acme Byte & Wire
> cricket at acmebw.com
> www.acmebw.com
> 
> Attend the next Internet Software Consortium/Acme Byte & Wire
> DNS and BIND class!  See www.acmebw.com/training.htm for
> the schedule and to register for upcoming classes.

Kevin was talking about EXTERNAL zones, though, so it is perfectly
appropriate for the firewall to use the Internet roots!

But your approach may work, too.  You just have to take it one step
further.  I have done it a little differently:

zone "internal.zone" {
    type forward;
    forward only;
    forwarders { name.server.IP.address; ... };
};

I have not tried this, as you propose, with stub zones:

zone "internal.zone" {
    type stub;
    file "stub.internal.zone";
    forwarders { name.server.IP.address; ... };
};

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
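As an added illustration that is not part of the thread, the following Python model of BIND's forwarding rules (global forwarders, a zone-level override, `forwarders {}` de-forwarding, and `forward only`) shows why the root priming query in Cricket's layout still reaches the external forwarder, while a `type forward; forward only;` zone keeps queries for internal.zone on internal servers. Zone names, the addresses 192.0.2.1 and 10.0.0.53, and the function names are constructed for the example.

```python
# Added example, not from the thread: a small model of BIND's per-zone
# forwarding rules. Zone names and server addresses are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Zone:
    name: str                              # origin, e.g. "internal.zone" or "."
    ztype: str                             # "forward", "stub" or "hint"
    forwarders: Optional[list] = None      # None = inherit global, [] = de-forward
    forward_only: bool = False

@dataclass
class Config:
    global_forwarders: list = field(default_factory=list)
    zones: list = field(default_factory=list)

def _labels(name):
    return [] if name == "." else name.rstrip(".").lower().split(".")

def closest_zone(cfg, qname):
    """Longest-suffix match of qname against the configured zone origins."""
    q, best = _labels(qname), None
    for z in cfg.zones:
        zl = _labels(z.name)
        if len(zl) <= len(q) and q[len(q) - len(zl):] == zl:
            if best is None or len(zl) > len(_labels(best.name)):
                best = z
    return best

def resolve_path(cfg, qname):
    """Where the first outbound query for qname goes: (mode, servers)."""
    z = closest_zone(cfg, qname)
    fwd = cfg.global_forwarders if z is None or z.forwarders is None else z.forwarders
    if fwd:                                    # forwarding wins whenever configured
        mode = "forward-only" if z and z.forward_only else "forward-first"
        return mode, list(fwd)
    if z and z.ztype == "stub":                # de-forwarded: use the stub's NS set
        return "iterative-from-stub", [z.name]
    return "iterative-from-hints", ["root hints"]

# Cricket's layout: de-forwarded stub zone plus internal root hints.
CRICKET = Config(["192.0.2.1"], [Zone("internal.zone", "stub", forwarders=[]),
                                 Zone(".", "hint")])
# Joe's layout: the internal zone is forwarded only to internal servers.
JOE = Config(["192.0.2.1"], [Zone("internal.zone", "forward",
                                  forwarders=["10.0.0.53"], forward_only=True),
                             Zone(".", "hint")])
```

Running `resolve_path(CRICKET, ".")` shows the priming query for the root inheriting the global forwarder, so the internal root hints are never consulted; an internal name outside any explicitly configured zone goes the same way.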