Split DNS, Firewalls, Forwarders, etc

Kevin Darcy kcd at daimlerchrysler.com
Thu Feb 3 20:41:49 UTC 2000


This problem can be dealt with fairly elegantly by some of the newer features
of BIND. My answer to the original poster was:


> Just set global forwarding on the internal servers, and
> make sure that all of them are master/slave/stub/forward for, at the very
> least, the top-level zone of each internal domain, specifying "forwarders {};"
> in each of the master/slave/stub zone definitions in order to disable
> forwarding for any subzones of those zones.
>


- Kevin

Nicholas Lee wrote:

> "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> news:3899DA09.5400D9A at daimlerchrysler.com...
> > No, "forwarders only" is a little bit of a misnomer: a server won't forward if
> > it's authoritative for the answer or the answer is in its cache.
> >
>
> Although one issue worth noting I've discovered is given at
> http://www.greatcircle.com/firewalls-book/errata.html (Page 286-294).
>
> The internal DNS server is not authoritative for internal sub-domains it's
> delegated, and the external DNS probably doesn't know about the sub-domain
> delegations.
>
> I wonder if something like "forwarders only unless delegated subdomain;"
> wouldn't work for that situation.
>
> Nicholas
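The configuration Kevin describes, written out as a BIND 9 named.conf fragment. This is an added example, not part of the original post or of any BIND documentation; the domain names (corp.example, intra.example), the firewall resolver address 192.0.2.53, the internal network 198.51.100.0/24 and the file paths are all hypothetical. The point it illustrates is the one Nicholas raises: with "forwarders {};" on the internal top-level zone, a query for a delegated subzone is not sent to the firewall but resolved by following the internal NS records, because the zone-level forwarder override covers every name beneath the zone.

```conf
// Added example (hypothetical names and addresses), not from the original post.
// An internal BIND 9 server: forward everything to the firewall's resolver,
// except names under the internal domains, which are resolved internally.
options {
    directory "/var/named";
    // Global forwarding. Anything this server is not authoritative for and
    // does not have cached goes to the external resolver on the firewall.
    forward only;
    forwarders { 192.0.2.53; };
    // Only internal clients may query this server.
    allow-query { 198.51.100.0/24; 127.0.0.1; };
    recursion yes;
};

// Internal top-level zone. "forwarders {};" overrides the global forwarder
// list for this zone AND for every subdomain below it, so a query for a
// delegated subzone such as lab.corp.example is answered by following the
// NS records in this zone instead of being sent to the firewall (which
// knows nothing about the internal delegations).
zone "corp.example" {
    type master;
    file "master/corp.example";
    forwarders {};
};

// The same zone on a second internal server as a slave; the override is
// needed on every internal server, not just the master.
// zone "corp.example" {
//     type slave;
//     masters { 198.51.100.10; };
//     file "slave/corp.example";
//     forwarders {};
// };

// Internal reverse zone, same treatment so PTR lookups stay inside.
zone "100.51.198.in-addr.arpa" {
    type master;
    file "master/198.51.100.rev";
    forwarders {};
};

// A second internal domain held only as a stub: this server learns the
// zone's NS records from the stub master and again does not forward.
zone "intra.example" {
    type stub;
    masters { 198.51.100.11; };
    file "stub/intra.example";
    forwarders {};
};
```

Check the syntax with `named-checkconf` before reloading. To confirm the behaviour, query the internal server for a name in a delegated subzone while watching the firewall resolver's query log: the subzone lookup should never appear there, while a lookup for an external name should.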
