2 Questions - forward zone and DNS firewalling

N6Ghost n6ghost at gmail.com
Fri Oct 26 16:39:45 UTC 2018


On Fri, 26 Oct 2018 09:46:39 -0600
Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:

> On 10/26/2018 01:08 AM, N6Ghost wrote:
> > maybe it's just old habits,
> 
> Fair enough.  I know that I have plenty of my own old (¿bad?) habits
> too.
> 
> > I think it's a bad idea to build your infrastructure in a way that
> > needs forward zones to work, not when you can build it with proper
> > delegation.
> 
> > I just think when building namespaces, proper delegation should be
> > used and forward zones should be avoided if you can.
> 
> Ah.
> 
> I see forward zones, and slaving, as tools to help enable restricted 
> environments to work.  Specifically where there is proper delegation as 
> seen by the larger organization and / or the Internet.  I've had a
> few departments where they were not allowed to access anything
> outside their network.  So their local DNS server (running on a
> multihomed bastion) would slave or forward zones from the larger
> organizational namespace. The limitation was imposed by the small
> department, not an issue with the overall namespace.
> 
> 
> 

I agree with this; forward is a use it if you must, avoid if you can, but
valuable tool for all sorts of wacky use cases.

But if you're planning out critical namespaces... you should not PLAN on
forward zones, unless you have to. That's just a Mickey Mouse way of doing
it. You're just assuming too much with forward zones.

 

