BIND 8 with forwarding and sub-domains under a split-dns

Kevin Darcy kcd at daimlerchrysler.com
Mon Sep 20 21:26:25 UTC 1999


This should work as long as your head-domain-server is a slave for all of
those subdomains. If a server is authoritative for a zone, it won't forward
queries for anything in that zone. It might also work to define all of the
subdomains as "stub" zones to the head-domain-server, although I must admit
I have not seen stub zones used in actual practice. If the subdomain is rarely
queried from other servers and/or changes frequently, then in theory a stub
zone should save you some zone-transfer overhead, compared to being a
full-blown slave.

Note that if you set things up this way, you basically defeat the whole
delegation/referral mechanism and thus forfeit the optimizations and improved
redundancy associated with it. If your internal nodes don't really need
visibility of Internet names, e.g. all of your firewalls are proxy firewalls,
an internal-root architecture might make more sense than the forwarding
hierarchy you are architecting.


- Kevin

Christian Schneider wrote:

> Hi DNS-experts,
>
> I'm currently in the need for planning some kind of split-DNS structure with
> the following (note: everything described here exists only in theory, it's
> not a working implementation; but I would like it to become one....):
>
>     * internal private name-server at our HQ holding the head-domain
>
>     * shadowed public name-server (same domain) on the public Internet with
> only a few public RRs
>
>     * internal (non-advertised) sub-domains which are delegated to other
> internal name servers at our local branches
>
>     + these "deeper" name servers holding the sub-domains use the
> forwarder-statement (with the slave-option) to get the connection to the
> private internal head-DNS-server for being able to also resolve queries for
> this head-domain and other sub-domains of it as well
>
>     + the private head-DNS-server has a forwarder (with the slave-statement)
> pointing to the public shadowed-DNS-server, which then uses its hints-file
> (cache.db) for resolving the whole Internet-namespace
>
> Ok, but now my scope of DNS ends, because I believe that the sub-domains
> will not work with the forwarders. Will the delegation of sub-domains work
> properly on the head-DNS-server, though it has a forwarder pointing to the
> public shadowed DNS ?? I think not. And that's the point...
>
> But since this implementation should be done under BIND 8, I cannot use the
> no-forward patch for BIND 4... and also I think that the possibility of
> 'per-zone forwarding' new in BIND 8 won't solve the problem either...
>
> So now I have no further ideas and my scope of DNS has reached its true
> end... Therefore my only hope is to ask the usenet-community on this
> topic... ;-)
>
> What do you think about it?
>
> Best regards and thanks in advance,
> Chris
>
> mail at christian-schneider.de
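The configuration the reply describes, written out as an added example (this is not a config from either poster; the domain example.com, the subdomain names and all IP addresses are assumed). The two `options` blocks belong to two separate named.conf files, one on the internal head-domain server and one on a branch server, shown together here. `forward only` is the BIND 8 spelling of the BIND 4 `forwarders`/`slave` behaviour Chris mentions.

```conf
// ADDED EXAMPLE, not from the original thread. Assumed names/addresses:
//   head domain          example.com        head server   10.0.0.53
//   branch subdomains    branch1/branch2.example.com
//   branch servers       10.1.0.53 / 10.2.0.53
//   public shadow server 192.0.2.53

// ---------- named.conf on the internal head-domain server (10.0.0.53) ----------
options {
    directory "/var/named";
    // Anything this server is NOT authoritative for goes to the public
    // shadow server; "forward only" means never fall back to iterating
    // from the root hints ourselves.
    forwarders { 192.0.2.53; };
    forward only;
};

zone "example.com" {
    type master;
    file "db.example.com";           // internal (private) view of the head domain
};

// The point of the reply: a server never forwards a query for a zone it is
// authoritative for. Being a slave for each delegated subdomain means the
// head server answers those names itself instead of forwarding them to the
// public shadow server, which knows nothing about the private subdomains.
zone "branch1.example.com" {
    type slave;
    masters { 10.1.0.53; };
    file "bak.branch1.example.com";
};

// Stub alternative from the reply: only the subdomain's SOA/NS (and glue)
// are transferred, so this is cheaper than a full slave for a large or
// fast-changing subdomain. The reply only says this "might" work alongside
// "forward only"; check with dig against the head server before relying on it.
zone "branch2.example.com" {
    type stub;
    masters { 10.2.0.53; };
    file "stub.branch2.example.com";
};

// ---------- named.conf on the branch1 server (10.1.0.53) ----------
options {
    directory "/var/named";
    // The head server resolves the rest of example.com, the other branch
    // subdomains it is slave/stub for, and (via the shadow server) the Internet.
    forwarders { 10.0.0.53; };
    forward only;
};

zone "branch1.example.com" {
    type master;
    file "db.branch1.example.com";
    // Do not advertise this subdomain on the public shadow server; the
    // delegation exists only inside the private namespace.
};
```

What to verify once this is in place: a query for a branch1 name sent to the head server must be answered from the slave copy (authoritative answer), a query for an unrelated Internet name must show up only on the shadow server, and a query from a branch server for a name in another branch must be answered by the head server without ever reaching the shadow server.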
