Forward from root DNS!

Thu Jan 15 12:06:58 UTC 2004

=46redrik H=C2kansson wrote:

>I'm in control over two root name servers on a huge companys Intranet. They
>are authoritative for ".", ".net" and "in-addr.arpa.". Subzones are
>delegated to various servers within the company.
>
>My question is, would it be possible to have selective forward statements
>for some zones located on Internet from these root name servers? Remember
>that we also need to answer on non recursive queries since DNS clients are
>configured to use DNS servers spread around the organization.

This is something similar to my situation (except=20
no-one is in control !) I proposed to our group=20
that we run a split-horizon name service, but a=20
couple of elements refused to bring DNS in-house*

I looked at re-defining the root nameservers, but=20
then you have the problem of not being able to=20
resolve anything outside. It's a much more=20
manageable task to manage the domain names you=20
use internally, than try and manage any domain=20
name that you might want to use externally !

With split-horizon, you configure your=20
authoritative nameservers for all your domain=20
names using the Bind views feature. They each=20
have an internal and external view, and respond=20
with the internal data to internal requests. The=20
effect is that clients inside your network get=20
internal addresses for servers, but everyone else=20
gets the external views. For a bit more, see this=20
link I was provided with a while back :

>From: Jonathan de Boyne Pollard <J.deBoynePollard at tesco.net>
>
>SH> What I thought could work would be :
>
>This is "split horizon" DNS service with multiple databases,
>one of the ways of setting up "split horizon" DNS service.
>
><URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.ht=
ml#MultipleDatabases>

An alternative is simply to configure the 'root'=20
name servers normally, but define all the domain=20
names used internally. So if you in=20
widgetsinc.com need to resolve internal addresses=20
for thingamies.com, then you would simply define=20
the zone for thingamies.com (eg) :

zone "thingamies.com" {
   type slave/stub/forwarder <as required>
   masters ( xxx.xxx.xxx.xxx ; ... ) ;
}

On the assumption that you do this on all name=20
servers that internal clients may query, then=20
these zone definitions will be used before=20
querying the real root servers for the real zone=20
glue, hence your internal clients will correctly=20
resolve the internal addresses.

Both work, they just have different=20
administrative requirements - and different scope=20
for cock ups !

Simon

* Understandable when they get the majority of=20
sales through web servers, and the thought of a=20
cock-up losing their DNS resolution didn't appeal=20
to them.

-- 

NOTE: This is a throw-away email address which=20
will reach me for as long as it stays spam-free,=20
remove date for real address.

Simon Hobson, Technology Specialist
Colony Gift Corporation Limited
Lindal in Furness, Ulverston, Cumbria, LA12 0LD
Tel 01229 461100, Fax 01229 461101

Registered in England No. 1499611
Regd. Office : 100 New Bridge Street, London, EC4V 6JA.