Newbie - config questions
Bryan Tonnet
batonnet at phase4.com.au
Wed Mar 1 00:10:26 UTC 2000

> Seems reasonable to me, as far as it goes. The interesting part,
> however, is how you set up the authority for the company domain.
> Both your internal BIND server and the primary at the ISP should
> be primaries for that, but with different zone contents.

I see. From what you say below, however, the internal BIND should
contain all known addresses (real or IP masqueraded), whilst the ISP has
only the subset of 'real' addresses?

> That's more of an administrative rather than technical issue.
> Personally, I prefer to have full control over my domain, so I would
> always make my own server the primary and have the ISP's servers as
> secondaries. But if it is more practical for you to have your zone
> files maintained by your ISP, that's ok too.

Hmmm. I wondered about this. Two things I don't understand.

If I make an internal machine the primary, and ask the ISP to secondary
the zone, how do I stop the 192.168.x.y addresses from being xfer-ed up
to the ISP?

Which machine would be my primary? An internal machine would be IP
masqueraded, and not accessible from the ISP's secondary BIND, and a
perimeter net machine might be more vulnerable to attack. Or am I being
too paranoid on this latter point?

> You have to duplicate your entire externally visible domain on your
> internal nameserver. If the internal nameserver is configured as
> authoritative for the domain then it will return NXDOMAIN for any
> name it cannot find in that domain. It will *never* forward queries
> for that zone to a forwarder.

Yes, that makes sense, I hadn't considered that. What I meant however,
was the domain by itself. e.g. nslookup company.com from outside
resolves to our gateway machine, but the same from internal gets an
immediate error. I've tried A and CNAME records to no avail.

Thanks in advance
Bryan Tonnet
bryan at printman.com.au
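An added example (not from this thread) of the two-primaries setup discussed above, written as BIND configuration: the internal server and the ISP-facing primary each carry their own copy of company.com, the external copy holds only public addresses, and allow-transfer keeps the 192.168.x.y copy from ever being transferred to the ISP's secondary. Host names, addresses (203.0.113.x is a documentation range standing in for the real public address), the ISP name server and file paths are assumptions.

```conf
// --- Internal primary (assumed at 192.168.1.2): named.conf fragment ---
options {
    directory "/var/named";
};

zone "company.com" {
    type master;
    file "internal/company.com.zone";
    // Only internal hosts may pull this zone; the ISP secondary never sees it.
    allow-transfer { 192.168.1.0/24; };
};

; --- internal/company.com.zone ---
; Every externally visible name must be repeated here: an authoritative
; server answers NXDOMAIN for unknown names instead of forwarding.
$TTL 86400
@          IN SOA ns1.company.com. hostmaster.company.com. (
                  2000030101 3600 900 604800 86400 )
           IN NS  ns1.company.com.
           IN A   192.168.1.1   ; apex A record: "nslookup company.com" now answers
ns1        IN A   192.168.1.2
gateway    IN A   192.168.1.1
www        IN A   192.168.1.1   ; public name, private address
fileserver IN A   192.168.1.10  ; internal-only name, absent from the external copy

// --- External primary (perimeter host, assumed 203.0.113.2): named.conf fragment ---
zone "company.com" {
    type master;
    file "external/company.com.zone";
    // Transfers go only to the ISP's secondary (assumed 203.0.113.53).
    allow-transfer { 203.0.113.53; };
};

; --- external/company.com.zone: public addresses only, no 192.168.x.y ---
$TTL 86400
@          IN SOA ns1.company.com. hostmaster.company.com. (
                  2000030101 3600 900 604800 86400 )
           IN NS  ns1.company.com.
           IN NS  ns.isp.example.   ; the ISP's secondary (assumed name)
           IN A   203.0.113.2       ; apex record points at the gateway
ns1        IN A   203.0.113.2
gateway    IN A   203.0.113.2
www        IN A   203.0.113.2
```

Later BIND 9 releases can serve both copies from one host with views, but the two-server layout above matches what the thread describes and keeps the private zone file off the perimeter machine entirely.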