How do I setup the Split-Horizon DNS?

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 20 22:59:19 UTC 2002


batmon wrote:

> Hi,
>
> I have a Checkpoint FW box with internal, external and DMZ interfaces.
> The problem I am having is that the internal LAN is not able to access the
> web server in our DMZ when entering our web server's external IP address.
> I checked some references and people suggest I need to set up a
> split-horizon DNS to make this work.  Does anyone have experience with
> split-horizon?  Sounds like I need to have a DNS server in the
> internal LAN that only handles internal IPs, and a DNS server in the DMZ
> that handles the web server in the DMZ.  Is that correct?  For the DNS
> server in the DMZ, do I enter the web server's external (public) IP
> address or the DMZ (private) IP address?  Do I need to tell the
> internal DNS server to forward those unknowns to this DMZ DNS server?
> How do I make this work?  Please help, thank you.

"Split horizon" isn't really preferred terminology. Around here, we
usually just say "split namespace" or simply "split DNS".

The most elegant way of implementing split DNS is to use the
"view" mechanism of BIND 9 to run both an "internal" and
"external" version of your namespace (usually the internal version is a
superset of the external version, with disparate addresses if NAT is in
effect), maintained in parallel, with the appropriate version of the
namespace presented to clients depending on their source address. One of
the additional benefits of running both namespaces on the same box (as
opposed to the old-fashioned way where they had to run on separate
nameservers) is that you can share the common entries between views via
an $INCLUDE file. (Well, I suppose back in the day one could have NFS'ed
the $INCLUDE file between the nameservers, but that's pretty scary...)


- Kevin
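The view-based layout Kevin describes, written out as an added example (this is not Kevin's configuration nor anything from the ISC BIND distribution). It assumes a single zone "example.com", a LAN on 10.0.0.0/8, a DMZ on 172.16.0.0/24 and public addresses in 192.0.2.0/24; all of these are constructed documentation-range values, not the poster's network. The script writes a named.conf with an "internal" and an "external" view, two zone files that differ only in the addresses they hand out, and one $INCLUDE file carrying the SOA, NS and MX records the two views share. LAN clients match the internal view and receive the DMZ (private) address of www, so they reach the web server without relying on the firewall to NAT a public address back into the DMZ; everyone else receives the public address. If named-checkconf and named-checkzone are installed, the generated files are loaded through them as a syntax check.

```shell
#!/bin/sh
# Added example, not from the original post or from ISC: a minimal BIND 9
# split-DNS layout using views plus a shared $INCLUDE file. All names and
# addresses are constructed (RFC 5737 / RFC 1918 documentation ranges).
set -eu

# Write named.conf and the zone files under $1 (a temp dir by default).
write_split_dns() {
    dir="${1:-${TMPDIR:-/tmp}/split-dns-example}"
    mkdir -p "$dir/zones"
    dir=$(cd "$dir" && pwd)          # absolute path for the directory option

    cat > "$dir/named.conf" <<EOF
options {
    directory "$dir/zones";
    recursion yes;                   // LAN clients use this box as resolver
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
};

// Views are tried in order: LAN sources match here and see DMZ addresses.
view "internal" {
    match-clients { 10.0.0.0/8; 127.0.0.1; };
    zone "example.com" {
        type master;
        file "example.com.internal";
    };
};

// Everyone else lands here and sees only the public (NATed) addresses.
view "external" {
    match-clients { any; };
    recursion no;                    // never recurse for the Internet
    zone "example.com" {
        type master;
        file "example.com.external";
    };
};
EOF

    # Records that are identical in both views live in one $INCLUDE file.
    cat > "$dir/zones/example.com.common" <<'EOF'
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2002112001 ; serial
                  3600       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; negative-cache TTL
        IN  NS    ns1.example.com.
        IN  MX 10 mail.example.com.
EOF

    # Internal view: private addresses, plus names that only exist inside
    # (the internal namespace is a superset of the external one).
    cat > "$dir/zones/example.com.internal" <<'EOF'
$TTL 300
$INCLUDE example.com.common
ns1      IN  A  10.0.0.53
www      IN  A  172.16.0.10   ; DMZ address, reached directly from the LAN
mail     IN  A  172.16.0.25
intranet IN  A  10.0.1.5      ; internal-only host, absent from external view
EOF

    # External view: public addresses that the firewall NATs into the DMZ.
    cat > "$dir/zones/example.com.external" <<'EOF'
$TTL 300
$INCLUDE example.com.common
ns1      IN  A  192.0.2.53
www      IN  A  192.0.2.10    ; public address, NATed to 172.16.0.10
mail     IN  A  192.0.2.25
EOF
}

# Load the generated files through BIND's own checkers when installed;
# returns non-zero on a syntax or zone-load error. When the tools are
# absent the check is skipped so the example still runs anywhere.
check_split_dns() {
    dir="${1:-${TMPDIR:-/tmp}/split-dns-example}"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -z "$dir/named.conf" >/dev/null
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        (cd "$dir/zones" \
            && named-checkzone -q example.com example.com.internal \
            && named-checkzone -q example.com example.com.external)
    fi
}

write_split_dns "${1:-${TMPDIR:-/tmp}/split-dns-example}"
check_split_dns "${1:-${TMPDIR:-/tmp}/split-dns-example}"
```

Two points worth keeping in mind when adapting this: view order matters, since a client is placed in the first view whose match-clients list it satisfies, so the narrower internal view must precede the catch-all; and the serial in the shared SOA has to be bumped for both views at once, which is exactly the bookkeeping the $INCLUDE file takes care of.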
More information about the bind-users mailing list