Split DNS and FAQ

Razvan Bruma razvan at rartel.ro
Fri Apr 6 07:28:58 UTC 2001


On Thu, 5 Apr 2001, Kevin Darcy wrote:

> Date: Thu, 05 Apr 2001 17:05:05 -0400
> From: Kevin Darcy <kcd at daimlerchrysler.com>
> To: bind-users at isc.org
> Subject: Re: Split DNS and FAQ
> 
> 
> Adam Lang wrote:
> 
> > I read this section in the FAQ:
> 
> Which FAQ?
> 
> > Question 5.22.  DNS in firewalled and private networks
> >
> > My question is in regards to this part:
> >
> > "Private DNS - resolves names from DOMAIN.COM for hosts inside the
> >   private network. If asked for a name outside DOMAIN.COM, they should
> >   forward the request to the public DNS (forwarders line should be used in
> >   the boot file).  They should NEVER contact a root DNS on the Internet."
> >
> > Why is this?  Is it just because you are assuming the public DNS may have a
> > cached answer already and it will save query time and bandwidth?
> 
> I'm not sure why this FAQ would, at the same time, *universally* recommend
> forwarding as a way to resolve Internet names, and also state that one's
> nameserver should never contact an Internet root server. If, on the one hand,
> one's nameserver has full access to the Internet DNS, then it probably
> shouldn't be forwarding at all, but even if it does so for performance
> reasons, it should be forwarding in "forward first" mode, in which case it
> *may* contact an Internet root server (if the forwarders are down or
> unavailable). On the other hand, if one's nameserver lacks full access to the
> Internet DNS, it *must* forward in order to resolve Internet names, so the
> "should forward" is a moot point. (And the "should NEVER" is a moot point
> too, if the nameserver has no access to the Internet root servers).
> 
> My guess is that what this FAQ is *really* trying to say is: "if you use
> forwarding, don't forward to the Internet root servers", which is certainly a
> valid recommendation. If so, then they should reword it.
> 
> 
> - Kevin
> 
 
 
	I don't know what this FAQ is trying to say, but from what I
understand it describes something like this: 
	You have an internal network, using private IP addresses (10.0.0.0
or similar) and some internal DNS servers which are configured to answer
queries for foo.org. from all the machines on the inside and to forward
the queries for all the other domains to an external DNS outside the
firewall, which will, of course, have full access to the Internet and a
legitimate IP address. 
 	So, the internal DNS server will be configured
'forward-only'. This way, it will forward all queries for which it is not
authoritative to the external server.
	Regards,
	Razvan
 

---
Razvan Bruma
Unix System Administrator
email: razvan at rartel.ro
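As a concrete illustration of the forward-only layout Razvan describes (an added example, not part of the thread or of any contributor's configuration): the zone name foo.org and the 10.0.0.0 network come from the message; the server addresses 10.0.0.53 (internal) and 192.0.2.53 (external), the zone file names and the reverse zone are assumptions. The statements are BIND 8/9 named.conf syntax rather than the BIND 4 boot-file form.

```conf
// ---- internal server (10.0.0.53, assumed), inside the firewall ----
options {
    directory "/var/named";
    // Everything this server is not authoritative for is sent to the
    // external server. "forward only" means it never falls back to
    // iterative resolution, so it needs no root hints and will never
    // try to reach an Internet root server. With "forward first" it
    // would try the forwarders and then fall back to the roots.
    forward only;
    forwarders { 192.0.2.53; };     // external server, assumed address
    // Answer only hosts on the private network.
    allow-query { 10.0.0.0/8; 127.0.0.1; };
};

// Internal view of foo.org: private addresses for internal hosts.
zone "foo.org" {
    type master;
    file "internal/foo.org.zone";
};

// Reverse zone for the private space (assumed to be wanted internally).
zone "10.in-addr.arpa" {
    type master;
    file "internal/10.in-addr.arpa.zone";
};

// ---- external server (192.0.2.53, assumed), outside the firewall ----
options {
    directory "/var/named";
    // Only the internal server should be able to use this box as a
    // forwarder. If the firewall NATs the internal server's queries,
    // list the translated address here instead of 10.0.0.0/8.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
};

// Public view of foo.org: only the hosts reachable from the Internet.
zone "foo.org" {
    type master;
    file "external/foo.org.zone";
};

// Root hints: this server resolves everything else iteratively.
zone "." {
    type hint;
    file "root.cache";
};
```

Check each file with named-checkconf before loading it. To confirm the internal server really behaves as Kevin describes for "forward only", take the forwarder off the network and query an Internet name from an internal host: the internal server should answer SERVFAIL rather than go to the root servers itself, which is exactly the difference from "forward first".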