Internal roots and Internet access ?

Kevin Darcy kcd at daimlerchrysler.com
Sat Mar 23 00:35:41 UTC 2002


No, you're basically stuck. The way all of your remote nameservers are
configured, they are sending "iterative" queries to your internal root
nameservers. Iterative queries, as opposed to recursive queries, are never
forwarded. So if you were thinking that your internal root nameservers could
just forward the Internet queries to the Internet root nameservers, that idea
won't work.

The only way I could think of that you could get away with not changing the
configurations of the remote nameservers is to play some sort of
routing/NAT games to fool them into thinking that the Internet root nameservers
have addresses on your internal network. That solution is too ugly to live.

Seems to me that at the very least you'll have to change the remote
nameservers' configurations from an "internal root hints" one to an "Internet
root hints" one (if/where the remote nameservers have connectivity to all
Internet nameservers through the packet-filtering firewall) or a "global
forwarding" one (if/where they don't).


- Kevin

"Seifert, Reinhold (EDP Sys.)" wrote:

> Hi all,
>
> I'm sure this has been asked several times (therefore I apologize), but
> still I have no clue whatsoever how to solve my DNS problem I describe
> below, even though I looked through the list archive ... therefore I ask.
>
> Background:
> Currently, we have a proxying firewall. None of the internal clients and
> nameservers have direct Internet access. In our headquarters we have two
> internal *root* name servers which delegate directly from root to
> "ourdomain.com." Two other boxes run the master and slave DNS for
> "ourdomain.com".
> Other (also internal) offsite locations connected via LAN/WAN to the
> headquarters run their own DNS for the corresponding subdomain, e.g.
> "xyz.ourdomain.com", as master. For redundancy reasons the name servers in
> the headquarters are slaves for those subdomains. All internal name servers
> use a "db.cache" root hint that points at the headquarters' internal root
> name servers.
>
> Now we are going to replace our proxying firewall by packet-filtering
> firewalls. This introduces the need that at least part of the internal
> clients will be able to resolve Internet names.
>
> That is the point where I'm stuck. Is it possible to keep the "internal
> roots" concept? I have read anything between "Nope, no way" and "Yes, but
> tricky". The main reason I am asking is because I have almost no control
> over the DNS at the offsite locations. If at all possible I would like to
> avoid changing the various DNS (NT/W2k DNS, Novell, BIND 4.8, 4.9, 8.x ...)
> setups over there.
>
> Any help/comments/hints are very much appreciated.
> Thanks,
>
> -Reinhold
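As an added illustration (not part of the thread, and not the poster's actual configuration), here are the two offsite-server configurations Kevin's reply describes, written in BIND 8/9 named.conf syntax; the IP addresses and file names are placeholders, and the BIND 4 named.boot, NT/W2k and Novell equivalents are not shown.

```conf
// Option A: "Internet root hints".  For an offsite server that the
// packet-filtering firewall allows to talk to arbitrary Internet
// nameservers.  The hint zone now points at the real Internet roots
// instead of the headquarters' internal roots (the old "db.cache").
options {
    directory "/var/named";
};
zone "." {
    type hint;
    file "named.root";        // Internet root hints (placeholder name)
};
// The server stays master for its own subdomain...
zone "xyz.ourdomain.com" {
    type master;
    file "db.xyz.ourdomain.com";
};
// ...but the Internet roots know nothing about ourdomain.com, so the
// internal parent zone must be reachable some other way, e.g. as a slave
// of the headquarters masters (placeholder addresses).
zone "ourdomain.com" {
    type slave;
    masters { 10.0.0.1; 10.0.0.2; };
    file "bak.ourdomain.com";
};

// Option B: "global forwarding".  For an offsite server with no direct
// Internet connectivity.  Every non-authoritative query is sent as a
// recursive query to the forwarders, which therefore must be recursive
// servers able to resolve both internal and Internet names (assumed here
// to be headquarters servers set up along the lines of option A).
// With "forward only" no root hint zone is consulted at all.
options {
    directory "/var/named";
    forwarders { 10.0.0.1; 10.0.0.2; };   // placeholder addresses
    forward only;                         // never iterate on its own
};
zone "xyz.ourdomain.com" {
    type master;
    file "db.xyz.ourdomain.com";
};
```

Either option replaces the offsite server's "internal root hints" setup; what neither option can do is leave that setup in place, because the iterative queries it sends to the internal roots are never forwarded anywhere.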
