Private / public DNS coexistence

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 3 02:26:49 UTC 2000


Olivier Kurzweg wrote:

> Hello,
> We are using a private DNS hierarchy, whose root is "priv." (instead of
> "com." or "org." for instance). Our site in London is in zone
> "london.priv.", and the one in Paris is in "paris.priv.". Paris is
> authoritative for zone "priv."
> Paris and London both access the Internet through their own DMZ. A DNS
> cache on each DMZ resolves Internet-based names.
> We would like to have the following behaviour for DNS:
>
> ----------                                ------------
>   DMZ    ¦                                ¦  DMZ     ¦
>   London ¦                                ¦  Paris   ¦
> ----------                                ------------
>      ^                                          ¦
>      ¦ forward queries                          ¦
>      ¦ if not inside "priv."                    ¦
> ------------          ------------        ------------
>   LAN      ¦          ¦   VPN    ¦        ¦   LAN    ¦
>   London   ¦--------->¦          ¦------->¦   Paris  ¦
> ------------          ------------        ------------
>         resolve (not forward !)
>         if inside "priv."
>
> Is there any possibility to obtain such a behaviour with bind? If we use a
> forward for "priv." addresses instead (zone type forward), the server at
> Paris will have to replicate the zones of all our sites.

You could just forward "paris.priv" instead.

But I think an even better solution would be to make the London server a
slave for "priv" (if it isn't already) and then use the "forwarders
{}" syntax to cancel forwarding for "priv" and all zones beneath it. If you
just forward "paris.priv", then you'll be sending recursive queries all of
the time, but by cancelling forwarding, you'll be using iterative queries,
caching referrals, and generally optimizing your traffic patterns.


- Kevin
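As an added illustration of Kevin's suggestion (not part of the original thread), here is a named.conf fragment for the London LAN server that slaves "priv" from Paris and cancels forwarding beneath it. All addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and the zone file paths are assumptions.

```conf
// named.conf for the London LAN server (constructed example, not from the thread).
// 192.0.2.10 = London DMZ cache, 192.0.2.20 = Paris LAN server over the VPN
// (both placeholders); file names are assumptions.

options {
    directory "/var/named";
    // Everything that is NOT under "priv." is forwarded to the London DMZ cache.
    forwarders { 192.0.2.10; };
    forward only;    // the LAN server never walks the Internet roots itself
};

// London remains authoritative for its own site zone.
zone "london.priv" {
    type master;
    file "master/london.priv";
};

// Slave "priv." from Paris: the London server then holds the NS delegations
// for paris.priv, london.priv, ... and can follow referrals for the whole
// private tree instead of forwarding.
zone "priv" {
    type slave;
    masters { 192.0.2.20; };
    file "slave/priv";
    // The empty list cancels the global forwarders for "priv." and every name
    // beneath it: these queries are resolved iteratively from the delegations
    // in the zone, so private names are never handed to the DMZ cache (which
    // would otherwise pass them on to the public root servers).
    forwarders { };
};

// The simpler alternative Kevin mentions first, shown only for contrast
// (do not configure both): forward just paris.priv and keep recursing.
// zone "paris.priv" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.20; };
// };
```

The per-zone `forwarders` override in a `zone` statement requires BIND 8.2 or later (and is supported in BIND 9); on older servers the global forwarders apply to every name.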