bind secure architecture.

Kevin Darcy kcd at daimlerchrysler.com
Sat Aug 20 00:52:45 UTC 2005


Vincent Blondel wrote:

>Hi,
>
>We are currently using Bind on one FreeBSD 4.10 server. This server is directly used by internal users and internet clients.
>
>We decided recently to set up a real DMZ in our IT architecture. This is now done and we are already using an http proxy. It is now time
>to consider a complete new architecture for our Bind server.
>
>So I looked on the net for a complete secure and split ( internal , external ) architecture and have found that we could mix the following
>features :
>
>- internal root
>- split architecture could be done by the "VIEW" feature in BIND 9.x
>
>With such an architecture, we could completely configure all internal servers and subdomains for internal services and set up another
>configuration ( usual www, smtp, dns ) for specific external services.
>This configuration also means that the internal root server has to forward requests to the net ( via our DMZ gateway BIND server
>) for all domains for which we are not the SOA ( for example google.com ).
>
>... and this is my specific problem, I don't imagine how I can configure this.
>
>So can somebody explain to me how I can do it and/or eventually give me an example of configuration?
>
No, don't try to mix root server with forwarding. Configure an 
"external" view on your internal nameserver, that forwards to the dmz 
gateway BIND server. Have the web proxy's address be the only thing that 
matches that view. If your web proxy is going to be handling internal as 
well as external HTTP requests, then you may have to define the apex of 
each domain you use internally as a "type stub". Optionally, if these 
zones have any subzones, add a "forwarders { };" to inhibit the 
forwarding of queries for any of their subzones. Basically, you're 
"overriding" forwarding selectively for those parts of the namespace, in 
this "external" view, and forcing the queries to be resolved internally.

Skeletal example:

view "external" {
    match-clients { web.proxy.add.ress; };
    forwarders { x.x.x.x; };
    forward only;

    zone "example.com" {
       type stub;
       file "external/example.com";
       masters { y.y.y.y; }; /* my address */
       forwarders { };
    };
};

view "internal" {
    match-clients { any; };

    zone "." {
       type master;
       file "internal/root";
    };

    zone "example.com" {
       type master;
       file "internal/example.com";
    };
};

                                                                  - Kevin
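A fuller version of the skeleton above, as an added example that is not part of Kevin's post. It uses placeholder addresses from the RFC 5737 documentation ranges (the proxy, this nameserver and the DMZ gateway are assumptions) and adds the comments a practitioner would want on why each piece is there:

```conf
// named.conf fragment (added example; addresses are constructed placeholders)
//   192.0.2.10     internal web proxy, the only client of the "external" view
//   192.0.2.53     this internal nameserver
//   198.51.100.53  DMZ gateway BIND server
acl "proxy" { 192.0.2.10; };

// Views are matched in order of appearance, so the narrow "external" view
// must be listed before the catch-all "internal" view.
view "external" {
    match-clients { "proxy"; };
    recursion yes;
    forwarders { 198.51.100.53; };   // anything not overridden below goes to the DMZ
    forward only;

    // One stub zone per internal apex. Its NS set is fetched from this same
    // server: the stub queries come from 192.0.2.53, which is not in acl
    // "proxy", so they land in the "internal" view and get the real data.
    // The empty forwarders list switches forwarding off for this zone and
    // everything below it, so a subzone such as lab.example.com is resolved
    // from the internal delegation instead of being sent to the DMZ.
    zone "example.com" {
        type stub;
        file "external/example.com";
        masters { 192.0.2.53; };
        forwarders { };
    };
};

view "internal" {
    match-clients { any; };
    recursion yes;

    // Private root: the zone file should hold an SOA, an NS for this server
    // and NS delegations for each internal domain (e.g. example.com).
    zone "." {
        type master;
        file "internal/root";
    };

    zone "example.com" {
        type master;
        file "internal/example.com";
    };
};
```

Running named-checkconf against the file before reloading catches a misplaced view or a typo in an ACL name.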
