stoopid question - split dns

Kelly Scroggins kelly at cliffhanger.com
Mon Jul 31 21:01:56 UTC 2000
Kevin Darcy wrote:
> 
> Kelly Scroggins wrote:
> 
> > Quoting Kevin Darcy <kcd at daimlerchrysler.com>:
> >
> >    Kelly Scroggins wrote:
> >
> >    > I'm sorry for the basic question but I'm a little confused.
> >    >
> >    > system : Red Hat 6.1
> >    > bind   : bind 8.2 ....
> >    >

[snip]

> >
> > I do not want all of my internal information to be
> > seen by the entire world (Internet).
> 
> Okay. So the internal DNS is off-limits to external clients.
> 
> > I only want certain devices to be seen by the
> > entire world (Internet).
> 
> Okay. So the external DNS only contains a subset of the internal DNS, i.e. is a
> so-called "shadow" namespace.
> 
> > As I understand it, this is called split dns.
> 
> Right. Two different versions of DNS -- an internal and an external. Each
> version has a master and some number of slaves.
> 
> > And I have concluded that the master server can
> > not be the server with the database that does not
> > have the full zone information in it.  i.e., the
> > server that's seen by the entire world (Internet).
> 
> This is where you go astray. There isn't just "the master". Each DNS -- internal
> and external -- has a *separate* master.

I'm sorry that I'm so bull-headed.  I did not realize that I could have
two masters for the same zone.  I'm re-configuring my server now.

I am just getting a grasp on this whole concept. (as if you couldn't
tell.)


[snip]

> 
> You need 2 master *instances*. These could run on the same multi-homed machine,
> if you want. For redundancy, you should also have at least 1 slave *instance*
> for each DNS. These too could run as separate instances on a multi-homed
> machine. Or, you could dedicate machines to any of these functions. So you're
> looking at 4 instances at a minimum, running on anywhere from 2 to 4 machines.
> 
> > One of the slaves is transferring zone info with
> > our ISP.  So that (slave) server CANNOT have a full copy
> > of my zone info in its database because I DO NOT
> > want all of my internal zone information to be
> > seen by the entire world (Internet).
> 
> Oh, you mean your ISP is a slave for the external version of your domain? 

Yes.  I plan to let my ISP be the registered name server (presence) on
the Internet, and slave from my name server, which will now be the
master of the outside zone and will have a global (public) address on
the outside of the firewall (PIX).  The firewall will 'translate' the
public address to the real private address the server uses behind the
firewall.

> Is
> that included in the "three servers" you enumerate above, or is it separate?

Separate.

> Regardless, you still need 2 masters -- an internal and an external.
> 
> - Kevin

Again, I apologize for being so stubborn to accept this.  I'm really
worried about putting a mis-configured name server on the Internet to
interact with the rest of the world.

Thanks to all for your patience,
kelly
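Editor's added example, not part of the thread above and not written by either poster: what Kevin's "two master instances" layout looks like as two BIND 8 named.conf files on one multi-homed Red Hat box, with the external instance holding only the shadow subset of the zone and slaving out to the ISP. All addresses, paths and host names are constructed placeholders (10.0.0.0/8 for the inside, 192.0.2.0/24 for the public side, "example.com" for the zone) and would be replaced with Kelly's real values; the PIX static translation from the public address to 10.0.0.54 is assumed to be configured separately on the firewall.

```conf
// ---------------------------------------------------------------
// /etc/named-internal.conf  (assumed path)
// Internal instance: full zone, answers only for inside clients,
// does recursion for them.  Started with:
//   named -c /etc/named-internal.conf
// ---------------------------------------------------------------
options {
    directory "/var/named/internal";          // assumed path
    pid-file  "/var/run/named-internal.pid";  // separate pid per instance
    listen-on { 10.0.0.53; };                 // inside interface only
    allow-query { 10.0.0.0/8; };              // never answer the Internet
    allow-transfer { 10.0.0.55; };            // internal slave only
    recursion yes;                            // inside clients resolve through here
};

zone "example.com" {
    type master;
    file "example.com.internal";              // full zone: every internal host
};

// ---------------------------------------------------------------
// /etc/named-external.conf  (assumed path)
// External instance: "shadow" zone with only the public hosts.
// 10.0.0.54 is statically translated by the PIX to the public
// address 192.0.2.54 (constructed example addresses).  Started with:
//   named -c /etc/named-external.conf
// ---------------------------------------------------------------
options {
    directory "/var/named/external";          // assumed path
    pid-file  "/var/run/named-external.pid";
    listen-on { 10.0.0.54; };                 // the address the PIX maps to public
    allow-query { any; };                     // the whole Internet may ask
    allow-transfer { 192.0.2.10; };           // the ISP's slave only (constructed)
    also-notify { 192.0.2.10; };              // push NOTIFY to the ISP on changes
    recursion no;                             // authoritative-only toward the Internet
};

zone "example.com" {
    type master;
    file "example.com.external";              // shadow zone: public hosts only
};

// ---------------------------------------------------------------
// Zone file sketches (comments only, same constructed names).
//
// example.com.internal  - full zone, inside addresses:
//   @        IN SOA  ns1.example.com. hostmaster.example.com. ( ... )
//            IN NS   ns1.example.com.
//   ns1      IN A    10.0.0.53
//   www      IN A    10.0.0.80
//   payroll  IN A    10.0.0.90     <- never appears in the external file
//
// example.com.external - shadow zone, public addresses, ISP as NS:
//   @        IN SOA  ns1.example.com. hostmaster.example.com. ( ... )
//            IN NS   ns1.example.com.
//            IN NS   ns.isp.example.   <- ISP's registered slave (constructed)
//   ns1      IN A    192.0.2.54
//   www      IN A    192.0.2.80
// ---------------------------------------------------------------
```

The point of the two files is that no single instance ever holds both data sets, so a misconfiguration on the outside instance can at worst leak the shadow zone; the inside zone is simply not loaded there. Two checks are worth running after the restart: query each listener with `dig @10.0.0.53 payroll.example.com` and `dig @10.0.0.54 payroll.example.com` and confirm only the first returns an address, and confirm from an outside host that a zone transfer (`dig @192.0.2.54 example.com AXFR`) is refused, since `allow-transfer` on the external instance is limited to the ISP's slave.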