Internal and external DNS configuration - how to

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 5 22:43:11 UTC 2004


Andreas Schaefer wrote:

>Hello listmembers.
>
>Currently I try to use our internal nameserver (net 10.0.0.0/8) as a 
>master for our private/internal names and for our public names. I 
>have read a lot about split-brain configurations but there are some 
>things that I may have overread or did not read at all.
>
>I want a nameserver on the internal network for all internal
>names like "mypc.int.domain.com" and external names like 
>"www.domain.com" - ok. The public dns is set up as a slave dns 
>to the internal master dns.
>
>Q:  How does our public nameserver get the zone file for "domain.com" 
>    but not for "int.domain.com"? As far as I know the slave will 
>    request zone transfers in case of change. But the internal 
>    master dns cannot be reached from the outside world? 
>    Is there a way to push the zone to the public (slave) dns 
>    from the internal (master) dns?
>   
>    P    +--------------------------------------+
>    U    | public dns as slave for "domain.com" |
>    B    |   can give authoritative answers     |   
>    L    +------+-------------------------------+
>    I           | 195.52.37.128/28
>    C           |                     /\
>           +----+------------+        |  Traffic flows
>           | FIREWALL / NAT  |        |  from inside to outside
>           +----+------------+        |
>    P           |                     |
>    R           | 
>    I           | 10.0.0.0/8
>    V     +-----------------------------------------------------------+    
>    A     | priv. dns as master for "domain.com" and "int.domain.com" |
>    T     +-----------------------------------------------------------+
>    E         
>
No, there is no "push" version of zone transfers. Either your firewall 
has to allow DNS transactions in both directions (if they want to get 
fancy about it, they could restrict the outside-to-inside transactions 
to SOA queries from a limited number of trusted outside server(s) to the 
inside server), or you have to use another mechanism, and another 
protocol (e.g. ssh and/or scp), for replicating the data. If you have a 
good relationship with your security folks, then you might be able to 
convince them that you can effectively prevent unauthorized DNS 
transactions through the use of allow-query and/or allow-transfer on 
your internal nameserver. If they insist on crypto-authentication, you 
can accomplish that via TSIG-key restrictions.

                                       - Kevin
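As an added illustration of the allow-query / allow-transfer / TSIG approach Kevin describes (example configuration written for this page, not taken from the original thread or from the BIND documentation), here is a named.conf fragment for both servers in Andreas' diagram. The public slave's address (195.52.37.130), the firewall's outside address through which the internal master is reached (195.52.37.129), the master's inside address (10.0.0.53), the key name and the secret are all assumed placeholders.

```bind
// ===== on the internal master (10.0.0.53, inside 10.0.0.0/8) =====

// Shared TSIG key; the same stanza goes on the slave.
// Generate the secret with tsig-keygen (older BIND: dnssec-keygen -a HMAC-SHA256).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";     // placeholder, never ship this value
};

acl "internal"     { 10.0.0.0/8; 127.0.0.1; };
acl "public-slave" { 195.52.37.130; };       // assumed address of the public slave

options {
    directory "/var/named";
    allow-query    { internal; };            // default: only the inside may ask anything
    allow-transfer { none; };                // default: no zone may be pulled at all
    notify explicit;                         // NOTIFY only the servers listed in also-notify
};

// Public zone: anyone may query it; only the slave may transfer it,
// and only when the AXFR/IXFR request is signed with the TSIG key.
zone "domain.com" {
    type master;
    file "master/domain.com.zone";
    allow-query    { any; };
    allow-transfer { public-slave; key "xfer-key"; };   // both the address and the signature must match
    also-notify    { 195.52.37.130; };       // inside->outside NOTIFY, which the firewall already permits
};

// Private zone: never leaves 10.0.0.0/8 (inherits allow-transfer { none; }).
zone "int.domain.com" {
    type master;
    file "master/int.domain.com.zone";
    allow-query { internal; };
};

// ===== on the public slave (195.52.37.130) =====

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";     // identical to the master's secret
};

// Sign every query sent to the master (SOA refresh checks and transfer requests).
// 195.52.37.129 is the assumed outside address of the firewall/NAT that forwards
// port 53 to the internal master; the slave never sees 10.0.0.53 directly.
server 195.52.37.129 {
    keys { "xfer-key"; };
};

zone "domain.com" {
    type slave;
    file "slave/domain.com.zone";
    masters { 195.52.37.129; };
};
```

The firewall rule this needs is the narrow one Kevin mentions: allow UDP and TCP port 53 from 195.52.37.130 to the NAT'd master address (SOA refresh queries and the TCP transfer itself), plus the outbound UDP 53 NOTIFY the diagram already permits. A quick check from the slave is `dig @195.52.37.129 -k xfer-key.key domain.com axfr`, which should return the zone, while the same command for `int.domain.com` (or for `domain.com` without `-k`) should be answered with "Transfer failed" and a "denied" or "TSIG" entry in the master's log.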