need Setup info for 2 DNS servers

Kevin Darcy kcd at daimlerchrysler.com
Thu Jun 14 19:01:33 UTC 2001


Jeff Donovan wrote:

> Greetings,
>
> I currently have a primary DNS server running fine. I am going to put
> in a firewall and Translate many of my client addresses.
>
> I've read in one of Kevin's replies to a similar post, that I would
> need to place my "Master" dns inside the firewall, and a "Fake
> Master" outside the firewall. Then, all I would have to do is set the
> Master to do zone transfers to the Fake.

Sure, you can do a "hidden master" setup. The main point of that is that
most of your day-to-day maintenance is done on an internal box, which is
presumably more secure and easier to administer. But if you
add/delete/change zones, then you have to touch the "fake" master(s), or
write some sort of script to make them automatically know about the changes
and reconfigure themselves accordingly.

> Can someone show me this setup or guide me to a url or page in DNS
> bind that i can look at?

There's really no difference between a "hidden master" setup and a regular
master/slave setup except that you may choose to leave the real master out
of the SOA.MNAME and/or the NS records for the zone.

> second, is this the best method? Are there any other solutions (eg
> forwarders, cache server etc..)

As I said, hidden master is really just a way to provide administrative
convenience and security. But it isn't necessarily the solution to all of
your requirements. You said you're going to be implementing NAT. What if,
for example, you want to put some boxes on your extranet and have your
clients access those boxes NAT'ed using the same names that the public uses
to access them? Now you need the same name to resolve differently (NAT'ed
versus non-NAT'ed), depending on who is doing the asking. For that, you'd
need some form of "split DNS". Hidden master doesn't really help you with
that at all.

> here is What I'm looking at doing:
>
> (( iNet ))
>         |
>         |______{global access DNS}
>         |
> [firewall]
>         |
>         |
>         {Internal access DNS/mail}
>
> What I would like to do is have all of my clients query the internal
> server for dns and mail. The rest of the world would see the external
> box. But I'm not sure how to configure these two machines to dance
> together.

Just set up the external box(es) as slave(s) to the internal one. If for
some reason your offsite slave can't get zone transfers directly from your
hidden master, then you could "chain" that slave off your "fake
master" slave, but that might slow down your change-propagation somewhat.

> Also I would guess I would need to setup an Off Site secondary server.

If you care about the availability of your DNS data, yes.


- Kevin
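The configuration Kevin describes, written out as an added example (this is not from the original post, and not Jeff's or Kevin's configuration). It assumes BIND 9 syntax, the hidden master at 192.0.2.10 on an internal 10.0.0.0/8 network, the "fake master" slave at 198.51.100.5, an offsite secondary at 203.0.113.53, the zone example.com, and the file paths shown; all of these are placeholders. Because Kevin points out that NAT needs the same name to answer differently depending on who asks, the internal box serves two views: the internal view hands out private addresses to internal clients, and the external view, which is the one the outside slaves transfer, hands out the public addresses. The hidden master itself is left out of the NS records and SOA MNAME, which is the only thing that makes it "hidden".

```conf
// ===== named.conf on the hidden master (assumed 192.0.2.10, inside) =====
options {
    directory "/var/named";
    // Nobody outside needs to query this box; only internal clients and
    // the external slave (for zone transfers) ever reach it.
    allow-query { 10.0.0.0/8; 127.0.0.1; };
    notify yes;
};

// Internal clients: recursive service, private (pre-NAT) addresses.
view "internal" {
    match-clients { 10.0.0.0/8; 127.0.0.1; };
    recursion yes;
    zone "example.com" {
        type master;
        file "master/example.com.internal";   // NS records list only the
                                              // public servers, never this box
    };
};

// Everyone else, including the external slave: public (NAT'ed) addresses.
// The slave's source address 198.51.100.5 is not in 10/8, so its
// AXFR/IXFR request lands in this view and pulls the public data.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "master/example.com.external";
        allow-transfer { 198.51.100.5; };     // only the "fake master"
        also-notify { 198.51.100.5; };        // push NOTIFY through the firewall
    };
};

// ===== named.conf on the "fake master" slave (assumed 198.51.100.5) =====
options {
    directory "/var/named";
    recursion no;                   // authoritative only; no open resolver
    allow-query { any; };
    // Offsite secondary "chained" off this slave, as Kevin describes,
    // for the case where it cannot reach the hidden master directly.
    allow-transfer { 203.0.113.53; };
    notify yes;                     // NOTIFY goes to the NS records, i.e.
                                    // the offsite secondary
};

zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters { 192.0.2.10; };        // the hidden master, through the firewall
};
```

The firewall has to permit TCP and UDP port 53 from 198.51.100.5 to 192.0.2.10 (transfers and SOA refresh queries) and UDP 53 from 192.0.2.10 to 198.51.100.5 (NOTIFY); without the NOTIFY path, changes only propagate at the SOA refresh interval. After every edit, bump the SOA serial in both zone files, then check propagation with `dig @198.51.100.5 example.com SOA +short` and confirm the serial matches the external view on the hidden master (`dig @192.0.2.10 example.com SOA +short` from a non-10/8 address, or from the slave itself). The two zone files must each carry only the public servers in NS and MNAME; a zone file that still names the hidden master will cause the outside world to send queries and NOTIFYs to a box the firewall hides.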