Forwarding from Internal DNS server.

Kevin Darcy kcd at daimlerchrysler.com
Thu Feb 3 23:29:47 UTC 2000


Jim Reid wrote:

> >>>>> ">" == union  <union at icon.co.za> writes:
>
>     >> With my original forwarding question, Would it help if I
>     >> upgrade my version of bind to 8.x.x and create a "view" to
>     >> forward on NXDOMAIN to my ISP's DNS, from my internal root
>     >> server???
>
> In a word, no. Firstly, BIND8 doesn't have views. This is planned for
> BIND9. Secondly, I doubt views will provide that functionality. IIUC,
> they are meant to provide different sets of IP addresses with
> different sets of resource records for some zone: ie different "views"
> of the zone. So with views, one name server could conceivably do split
> DNS for the same zone. Thirdly, a reply of NXDOMAIN usually means it's
> "game over" for the lookup: the name doesn't exist. Resolvers which
> use the search directive use NXDOMAIN answers to try the next domain
> name in the list, but this is not the same thing. One query is done
> for each of the domains that are tried.

Um, actually, the description of views seems to imply conditional
forwarding, both on the source IP address, and on whether the initial
response is NXDOMAIN or not.

> Fourthly, root servers don't
> forward. The root zone encompasses everything else in the name space,
> so where could such a name server forward queries?
>
> Usually people set up internal roots to expressly prevent the internet
> name space from being visible in their nets. So if you want to resolve
> internet names internally, you probably have to get rid of the
> internal root zone. Maybe when BIND9 comes out you might be able to
> set up a view of the root zone but I don't see the point. Either you
> have a root zone and isolate your name space from the Internet or you
> don't. Trying to make your name servers achieve something in between
> will be like trying to be only partly pregnant.

Yeah, trying to "merge" an internal root zone with the Internet root
sounds like a bad idea to me also.

On the more general topic of mixing internal and external data, however,
surely, Jim, it's acceptable to carefully override parts of the Internet
namespace with internal DNS data for consumption by internal clients
only, isn't it?

Now, if BIND would stop defining "hints" solely in terms of the
(one-and-only) root zone, maybe the "hints" functionality could be used
productively in *conjunction* with forwarding-to-the-Internet, and there
wouldn't be such a temptation to create internal/external root-zone
mish-moshes...


- Kevin
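As an added illustration of the arrangement this thread converges on (drop the private root zone, let the internal servers forward everything they are not authoritative for to the ISP, and keep internal zones, including selected overrides of Internet names, authoritative on the internal servers only), here is a named.conf sketch in BIND 8 syntax. It is an example written for this page, not configuration from either poster; the network ranges, resolver addresses, zone names and file names are hypothetical.

```conf
// Added example, not from the original posts. All addresses, zone names
// and file names are hypothetical.

// --- What the thread warns against: being master for "." ---
// A server that is master for the root zone never forwards: any name that
// is not in its own root zone simply does not exist as far as it is
// concerned, so Internet names cannot be resolved through it.
//
// zone "." {
//     type master;
//     file "db.internal-root";
// };

// --- The alternative discussed: no private root, forward to the ISP ---
acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // hypothetical internal ranges

options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };   // hypothetical ISP resolvers
    forward only;            // never fall back to iterating from the roots,
                             // so no root hints file is needed here
    allow-query { internal-nets; };   // internal data is for internal clients only
};

// Internal zones stay authoritative on this server. A query for a name
// under corp.example is answered from local data and is never forwarded.
zone "corp.example" {
    type master;
    file "db.corp.example";
};

zone "10.in-addr.arpa" {
    type master;
    file "db.10";
};

// Overriding only part of the Internet name space, as the reply asks about:
// this server is master for one subtree of example.com. Names inside
// intranet.example.com are answered locally; every other name under
// example.com is still forwarded to the ISP, because the server is not
// authoritative for the enclosing zone.
zone "intranet.example.com" {
    type master;
    file "db.intranet.example.com";
};
```

Two practical notes on this layout. With `forward only` the server depends entirely on the ISP's resolvers for every non-local name, so if they are unreachable nothing outside the local zones resolves; adding a second forwarder, as above, is the usual mitigation. The `allow-query` restriction is what keeps the override data internal: an internal server that answers anyone on the Internet would leak the private view of example.com.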