Opinion wanted: DNS with firewall setup

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 18 00:23:41 UTC 2001


Jozef Skvarcek wrote:

> On Tue, 16 Jan 2001, Kevin Darcy wrote:
>
> > Another thing to consider is whether you really want the data in your zones
> > to be as visible externally as it is internally. Now, maybe you have all of
> > your internal names sectioned off into subdomains that are not visible
> > externally. If so, congratulations! But if, as with most of us, your users
> > and/or management have nixed the idea of "ghettoizing" all of your internal
> > names into separate subdomains, and if you don't want all of that internal
> > stuff to be visible, then you have to implement so-called "split DNS" where
> > you have separate versions of at least some of your zones, versions which
> > are _either_ externally or internally visible. In your case, maybe you
>
> Most of the zones are static and should be visible to any client - not a
> problem with those. However, the zone for our main domain, say,
> `company.com' is "messed up" a little bit. It contains both external and
> the internal records. It would be very difficult at this point to put the
> internal records into some internal zone serving, say, `company.internal'
> domain. Yes, I am planning to use the split zone functionality provided
> by the `view' statement.

You don't have to use "view" in order to do split DNS of course. The
"classic" way is to have separate machines for the internal and external DNS.
Usually the external zone would contain a subset of the internal zone's data.
Later versions of BIND 8 provided the ability to run multiple instances of named
on a single multi-homed box, thus saving you from having to dedicate multiple
boxes to split DNS. BIND 9's "view" continues the evolution by allowing you to
do split DNS from a *single* instance on a single machine, assuming you can
reasonably distinguish "internal" from "external" clients by their source
addresses. But, however it's implemented, split DNS still requires that the
common data be maintained in multiple places (although in the multiple-instance
or "view" case, I suppose it would be possible to play $INCLUDE-file games to
reduce that maintenance burden).


- Kevin
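Below is an added illustration of the "view" plus $INCLUDE arrangement Kevin describes, written for this page rather than taken from the thread or from the BIND documentation. The ACL, the file names, the 10.0.0.0/8 internal range and the 192.0.2.0/24 (documentation range) public addresses are all assumed; adjust them to your own network. The common records live in one file that both versions of `company.com` pull in, so only the internal-only names are maintained separately.

```conf
// ---- named.conf (fragment) ----
// Views are tried in order and the first matching match-clients wins,
// so the internal view must come before the catch-all external view.
acl "internal-nets" {
    127.0.0.1;
    10.0.0.0/8;               // assumed internal address space
};

options {
    directory "/var/named";   // $INCLUDE paths below are relative to this
};

view "internal" {
    match-clients { internal-nets; };
    recursion yes;            // internal clients may use this server as a resolver
    zone "company.com" {
        type master;
        file "zones/company.com.internal";
    };
};

view "external" {
    match-clients { any; };   // everyone who did not match above
    recursion no;             // authoritative-only face towards the Internet
    zone "company.com" {
        type master;
        file "zones/company.com.external";
    };
};

; ---- zones/company.com.common (records both views serve) ----
$TTL 3600
@       IN SOA  ns1.company.com. hostmaster.company.com. (
                2001011801  ; serial: bump it here for a change in ANY of the three files
                3600 900 1209600 3600 )
        IN NS   ns1.company.com.
        IN MX   10 mail.company.com.
ns1     IN A    192.0.2.1     ; placeholder public addresses
mail    IN A    192.0.2.20
www     IN A    192.0.2.10

; ---- zones/company.com.external ----
$ORIGIN company.com.
$INCLUDE zones/company.com.common

; ---- zones/company.com.internal ----
$ORIGIN company.com.
$INCLUDE zones/company.com.common
intranet    IN A    10.1.1.5    ; internal-only names live only in this file
fileserver  IN A    10.1.1.6
```

Two things worth checking before loading this. First, the serial is only in the common file, so an edit to the internal-only records still needs the common serial bumped, or any slaves of the internal view will never see the change; `named-checkconf` and `named-checkzone company.com /var/named/zones/company.com.internal` will catch syntax errors but not a forgotten serial. Second, as Kevin notes, this only separates "internal" from "external" by source address: any query that arrives from an address inside `internal-nets`, including one relayed through an internal recursive server, gets the internal answers, so the ACL should describe exactly the networks you intend to trust.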
