2 Questions - forward zone and DNS firewalling

Bob Harold rharolde at umich.edu
Fri Oct 26 14:40:40 UTC 2018


On Thu, Oct 25, 2018 at 4:34 PM N6Ghost <n6ghost at gmail.com> wrote:

> Hi All,
>
> Have two questions. First, I am not a huge fan of using forwarding zones,
> and our "load balancing" team has their zone delegated to them in a
> way that needs an internal forward zone to work properly on the inside
> and not rely on an internet POP.
>
> I want to move a core namespace to the load balancer, but I want them to
> let me assign them a new zone that's internally authoritative and use it
> as the LB domain.
>
> which would be:
> cname name.domain.com -> newname.newzone.domain.com
>
> they want:
> cname name.domain.com -> newname.oldzone.domain.com
>
> Old zone is directly delegated from outside to them, so we need an
> internal forward zone for it. I don't want to rely on that.
>
> Any thoughts on this? What can I use to present to management to win
> this?
>

The users should never see the domain that the CNAME points at; it is just
an internal name used by DNS.  If they can change where
"newname.oldzone.domain.com" points more easily than
"newname.newzone.domain.com" then they might have a valid reason to want
it.  Otherwise, newname.newzone.domain.com will be a faster and more
reliable choice.

Definitely avoid forwarding when possible.  It causes slower lookups and
more points of failure.  (There will occasionally be times when it has some
advantage, or requirement.)

-- 
Bob Harold


>
> Next, we were a BIND shop but switched to Infoblox for some stuff and
> now outgrew it, and are going back to BIND.
>
> But we started using the DNS firewall part of it and they actually
> really liked it. Any ideas for domain blacklisting? Via some sort of
> feed etc.? What is everyone doing for that sort of thing?
>
> thanks
>
> -N6Ghost