Internal and external DNS configuration - how to
Kevin Darcy
kcd at daimlerchrysler.com
Thu Aug 5 22:43:11 UTC 2004
Andreas Schaefer wrote:
>Hello listmembers.
>
>Currently I am trying to use our internal nameserver (net 10.0.0.0/8) as a
>master for our private/internal names and for our public names. I
>have read a lot about split-brain configurations, but there are some
>things that I may have overlooked or did not read at all.
>
>I want a nameserver on the internal network for all internal
>names like "mypc.int.domain.com" and external names like
>"www.domain.com" - ok. The public dns is setup as a slave dns
>to the internal master dns.
>
>Q: How does our public nameserver get the zone file for "domain.com"
> but not for "int.domain.com"? As far as I know, the slave will
> request zone transfers in case of a change. But the internal
> master DNS cannot be reached from the outside world?
> Is there a way to push the zone to the public (slave) DNS
> from the internal (master) DNS?
>
>  P  +--------------------------------------+
>  U  | public dns as slave for "domain.com" |
>  B  | can give authoritative answers       |
>  L  +------+-------------------------------+
>  I         |  195.52.37.128/28
>  C         |            /\
>     +------+----------+  |     Traffic flows
>     | FIREWALL / NAT  |  |     from inside to outside
>     +------+----------+  |
>  P         |             |
>  R         |
>  I         |  10.0.0.0/8
>  V  +------+----------------------------------------------------+
>  A  | priv. dns as master for "domain.com" and "int.domain.com" |
>  T  +-----------------------------------------------------------+
>  E
>
No, there is no "push" version of zone transfers. Either your firewall
has to allow DNS transactions in both directions (if they want to get
fancy about it, they could restrict the outside-to-inside transactions
to SOA queries from a limited number of trusted outside server(s) to the
inside server), or you have to use another mechanism, and another
protocol (e.g. ssh and/or scp), for replicating the data. If you have a
good relationship with your security folks, then you might be able to
convince them that you can effectively prevent unauthorized DNS
transactions through the use of allow-query and/or allow-transfer on
your internal nameserver. If they insist on crypto-authentication, you
can accomplish that via TSIG-key restrictions.
- Kevin
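As an added illustration of the allow-transfer / TSIG approach described in the reply above, here is a minimal pair of named.conf fragments. This is example configuration written for this page; it is not taken from the post or from BIND's own documentation, and the specifics are assumptions: the internal master is taken to be 10.0.0.53, the public slave 195.52.37.130 (an address inside the 195.52.37.128/28 block from the diagram), the TSIG key is called pub-xfer. and its secret is a placeholder to be replaced with one generated by tsig-keygen (or dnssec-keygen -a HMAC-MD5 -b 128 -n HOST on BIND releases of that era). The public server is only configured as a slave for "domain.com", so it never asks for "int.domain.com"; the master additionally refuses to hand out int.domain.com to anything outside 10/8 and hands out domain.com only for a transfer signed with the key. The master does send NOTIFY to the slave when the zone changes, but the slave still has to pull the zone itself, so the firewall must pass UDP and TCP port 53 from 195.52.37.130 to the master (via a static NAT mapping or a route, assumed here).

```conf
// ===== Internal master, assumed address 10.0.0.53 =====
// Added example configuration, not from the original post.

key "pub-xfer." {
    algorithm hmac-sha256;                       // use hmac-md5 on BIND 9.2/9.3
    secret "cGxhY2Vob2xkZXItcmVwbGFjZS1tZQ==";   // PLACEHOLDER: generate a real secret
};

// Everything this server sends to the public slave (NOTIFY) is signed with the key.
server 195.52.37.130 {
    keys { "pub-xfer."; };
};

acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-query    { "internal"; };              // inside-only by default
    allow-transfer { none; };                    // no transfers unless a zone says otherwise
    notify explicit;                             // NOTIFY only the hosts listed in also-notify
};

zone "domain.com" {
    type master;
    file "master/domain.com.zone";
    allow-query    { "internal"; key "pub-xfer."; };
    allow-transfer { key "pub-xfer."; };         // only TSIG-signed AXFR/IXFR, i.e. the public slave
    also-notify    { 195.52.37.130; };
};

zone "int.domain.com" {
    type master;
    file "master/int.domain.com.zone";
    allow-transfer { "internal"; };              // never offered outside 10/8
};

// ===== Public slave, assumed address 195.52.37.130 =====

key "pub-xfer." {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItcmVwbGFjZS1tZQ==";   // same PLACEHOLDER secret as on the master
};

// Sign the SOA refresh queries and the AXFR/IXFR requests sent to the master.
server 10.0.0.53 {
    keys { "pub-xfer."; };
};

options {
    directory "/var/named";
    recursion no;                                // authoritative-only on the public side
    allow-query    { any; };
    allow-transfer { none; };                    // leaf server: nobody pulls zones from it
};

zone "domain.com" {
    type slave;
    file "slave/domain.com.zone";
    masters { 10.0.0.53; };                      // NOTIFY from a listed master is always accepted
};
// "int.domain.com" is deliberately absent here, so this server never requests it.
```

Run named-checkconf on both files, then test from the public slave: dig @10.0.0.53 domain.com AXFR -y hmac-sha256:pub-xfer.:SECRET should return the zone, the same dig without -y should come back REFUSED, and dig @10.0.0.53 int.domain.com AXFR should be REFUSED from any address outside 10/8. If the firewall's NAT rewrites the master's source address, the slave will see the NOTIFYs arriving from the firewall's public address rather than 10.0.0.53, and the masters and server statements on the slave have to name that address instead.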