stoopid question - split dns

dave.goldsmith at intelsat.int dave.goldsmith at intelsat.int
Mon Jul 31 13:43:33 UTC 2000


Kelly,

You will need to have two separate 'master' DNS servers and two or more
'slave' DNS servers.

The idea behind 'split dns' is that you have a set of officially registered
public DNS servers that contain the data for the hosts that the world needs
to know about (i.e. web server, mail server, etc.) and then a separate set of
DNS servers that only your internal systems know about. These internal DNS
servers will contain all the information about your systems.

So for the public side, you would have at least 2 DNS servers registered
with InterNIC (ns1.yourcompany.com and ns2.yourcompany.com). One of them
would be the master which means that it is the authoritative server that
contains the actual DNS zone data files. The other DNS server would be a
slave and it will pull copies of the zone files from the master. The DNS
zone file held by this set of servers will only contain a minimal set of
information - that which the public needs to know.

For the private side, you would have at least 2 DNS servers (and these are
NOT registered with InterNIC - ns1.internal.yourcompany.com and
ns2.internal.yourcompany.com). One of these would be configured as the
master for the 'yourcompany.com' zone. It will contain all DNS information
for any of your hosts.  This set of DNS servers is not officially known to
the world.  Some portion of the Internet will learn about these internal DNS
servers whenever they make queries to public DNS servers, so you should use a
firewall/packet filter to restrict access to your internal DNS servers.  The
public world should be able to submit responses to your internal DNS servers
(if a request was made) BUT they should NOT be able to submit queries (over
UDP port 53) or be able to do zone transfers (over TCP port 53).

R/S

Dave Goldsmith

-----Original Message-----
From: Kelly Scroggins [mailto:kelly at cliffhanger.com]
Sent: Friday, July 28, 2000 4:03 PM
To: BIND email list
Subject: stoopid question - split dns




I'm sorry for the basic question but I'm a little confused.

system : Red Hat 6.1
bind   : bind 8.2 ....

I have the 'outside' name server (with the limited database) set up as a
slave and it is not allowed to transfer data from the master, because I
don't want the entire world to see the internal network information.
According to the logs (/var/log/messages), all zone files are loading
without errors.

When setting up a split dns ... does the name server on the 'outside'
(that's the one with the limited database) have to be the master?  Can
it be the slave?

If it's the slave, then the zone info would expire?  And if it expires,
are the db files deleted from the system?

What have I mis-understood?

kelly
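The layout Dave describes, written out as BIND 8 named.conf fragments. This is an added illustration, not configuration from either poster; the server names come from the reply above, while the addresses (192.0.2.0/24 for the public side, 10.0.0.0/8 for the internal side), the ACL names and the zone file names are assumptions chosen for the example. Each fragment is a separate named.conf on a separate machine, which is what a split DNS without BIND 9 views requires.

```conf
// ===== Public master: ns1.yourcompany.com (assumed address 192.0.2.10) =====
// Holds only the minimal zone the world needs: www, mail, ns1, ns2.
acl "public-slaves" { 192.0.2.11; };            // ns2.yourcompany.com (assumed)

options {
    directory "/var/named";
    allow-query    { any; };                    // anyone may ask about public hosts
    allow-transfer { "public-slaves"; };        // only our own slave may pull the zone
};

zone "yourcompany.com" {
    type master;
    file "db.yourcompany.com.public";           // assumed file name; public records only
};

// ===== Public slave: ns2.yourcompany.com (assumed address 192.0.2.11) =====
// Pulls the public zone from the public master, never from the internal one,
// so the limited database is all it can ever hand out.
options {
    directory "/var/named";
    allow-query    { any; };
    allow-transfer { none; };                   // a slave has no business re-serving AXFR
};

zone "yourcompany.com" {
    type slave;
    file "bak.yourcompany.com.public";          // backup copy kept across restarts
    masters { 192.0.2.10; };                    // the PUBLIC master only
};

// ===== Internal master: ns1.internal.yourcompany.com (assumed 10.1.1.10) =====
// Full zone with every internal host. Not registered with InterNIC.
acl "internal-nets"   { 10.0.0.0/8; 127.0.0.1; };   // assumed private address space
acl "internal-slaves" { 10.1.1.11; };               // ns2.internal.yourcompany.com (assumed)

options {
    directory "/var/named";
    allow-query    { "internal-nets"; };        // queries from the outside get REFUSED
    allow-transfer { "internal-slaves"; };      // no zone transfers leave the internal side
};

zone "yourcompany.com" {
    type master;
    file "db.yourcompany.com.internal";         // assumed file name; complete host list
};
```

Internal clients point resolv.conf at 10.1.1.10 and 10.1.1.11 and never at the public pair. The allow-query and allow-transfer lists are the application-level half of the control; the packet filter Dave mentions is the other half, dropping inbound 53/udp and 53/tcp to 10.1.1.10 and 10.1.1.11 from anything outside the internal nets while still letting replies to the internal servers' own outbound queries through. A quick check from an outside host is `dig @ns1.yourcompany.com yourcompany.com axfr`, which should come back REFUSED, and a listing of the public zone should show nothing that only belongs in the internal file.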

More information about the bind-users mailing list