Restricting info in zone transfers

Kelly Scroggins kelly at cliffhanger.com
Fri Jul 7 12:18:29 UTC 2000


Quoting Kevin Darcy <kcd at daimlerchrysler.com>:
   
   Kelly Scroggins wrote:
   
<snip>   

   > Is it possible to allow the zone transfers and restrict what RRs are
   > transferred?
   
   No, BIND has no such feature. The normal solution is to set up a
   "split" DNS, where you have external and internal versions of your zone(s).
   Your ISP would just slave the external version(s). Unfortunately, this
   approach requires maintaining the external names in two places.

If I understand you correctly, this would mean
setting up two primary servers, and only allowing
zone transfers of the 'outside' servers - zone,
to/from the ISP's server.

Kind of a 'dummy' name server, a decoy?

   
   > Also,  I have my name servers running in (test mode) on my production
   > network right now.  Zone transfers are working between them just fine.
   > My ISP's name servers are still authoritative for my domain.
   >
   > But I can ping and telnet to devices on my internal network(s), surf the
   > web and all that stuff through my internal name servers.  But I CAN NOT
   > reach our domains web site, which is on a server OUTSIDE of our network
   > (somewhere).
   >
   > It's probably really simple but I don't understand why I can surf/ping
   > all other domains in the world but not my own.  Can someone shed some
   > light on this for me too?
   
   You say you are doing zone transfers *between* your internal nameservers.
   This implies that you have set up one of them as a master for your domain.
   Does that master file contain an entry for your external web site? With a
   normal split DNS, the internal version of the zone needs to be a *superset*
   of the external version, if the clients are to have a complete view of that
   namespace.
   
Yes I do have a master setup right now.  But only
a couple of workstations are using them as name
servers at the moment.

I will add the web site to the zone file.

However, I feel it may be more than that.  Forgive
me for not including this info in the original
post.  But in addition to not being able to load
the company web site (www.domain.com) in a web
browser, I can not send mail to any internal
(company) address.  i.e.: myname at domain.com .

All messages sent - bounce back.  I have entered
an MX record in the zone for our email server.
It's an Exchange server by the way.  And the
machine I am trying to send email from is a Linux
box.  The NT box sends mail just fine, and it's
using my 'test' name servers to surf the web too.
Maybe it has something to do with the Linux box
NOT being in the NT domain?

Thanks,
kelly

   - Kevin
   
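The split-DNS arrangement Kevin describes (an external zone the ISP slaves, an internal zone that is a superset of it, and transfers of the internal copy never leaving the site), written out as an added example; this is not configuration from the thread or from the BIND project. It assumes BIND 9 or later, since views did not exist in BIND 8 (there the same split is done by running two separate named instances or hosts, one per version of the zone). The zone name domain.com is the one used in the thread; the addresses 192.168.1.0/24, 203.0.113.53, 198.51.100.x, the host names and the ISP's server name are constructed placeholders.

```conf
// ---- named.conf (assumed BIND 9; example, not the thread's config) ----
// Views are matched in order, so the internal view must come first.
// All addresses below are constructed placeholders.

acl "internal-nets" { 192.168.1.0/24; 127.0.0.1; };
acl "isp-slaves"    { 203.0.113.53; };            // the ISP's slave server

view "internal" {
    match-clients { internal-nets; };
    recursion yes;                                 // internal clients resolve the world here
    zone "domain.com" {
        type master;
        file "db.domain.com.internal";             // superset: public + internal RRs
        allow-transfer { internal-nets; };         // never transferred to the ISP
    };
};

view "external" {
    match-clients { any; };
    recursion no;                                  // authoritative only toward the Internet
    zone "domain.com" {
        type master;
        file "db.domain.com.external";             // public RRs only
        allow-transfer { isp-slaves; };            // the ISP slaves only this copy
    };
};

// ---- db.domain.com.external: what the ISP may transfer ----
// $TTL 86400
// @      IN SOA ns1.domain.com. hostmaster.domain.com. (
//               2000070701 ; serial
//               3600 900 604800 86400 )
//        IN NS  ns1.domain.com.
//        IN NS  ns.isp.example.        ; ISP's slave, assumed name
//        IN MX  10 mail.domain.com.
// ns1    IN A   198.51.100.1
// www    IN A   198.51.100.10          ; the web site hosted outside the network
// mail   IN A   198.51.100.10

// ---- db.domain.com.internal: the same public RRs plus internal hosts ----
// Every record in the external file appears here too (www and MX included),
// so internal clients get a complete view of the namespace; only the
// internal-only records are new.
// $TTL 86400
// @      IN SOA ns1.domain.com. hostmaster.domain.com. (
//               2000070701 ; serial
//               3600 900 604800 86400 )
//        IN NS  ns1.domain.com.
//        IN NS  ns.isp.example.
//        IN MX  10 mail.domain.com.
// ns1    IN A   198.51.100.1
// www    IN A   198.51.100.10
// mail   IN A   198.51.100.10
// ns2    IN A   192.168.1.2            ; internal-only hosts
// fileserver IN A 192.168.1.30
```

Two checks are worth running after loading this: `named-checkconf` and `named-checkzone domain.com <file>` for each zone file, and then a zone transfer request for domain.com from an address outside `isp-slaves` against the external view, which should be refused. The cost Kevin mentions is visible in the two zone files: every public record has to be kept in sync in both.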