Question About Internal Recursive Resolvers

Petr Špaček pspacek at isc.org
Tue Oct 18 08:01:05 UTC 2022


On 14. 10. 22 18:08, Bob McDonald wrote:
> I'm thinking about redesigning an internal DNS environment. To begin
> with, all internal DNS zones would reside on non-recursive servers
> only. That said, all clients would connect to recursive resolvers.
> 
> The question is this: do I use an internal root with pointers to the
> internal zones (as well as the outside DNS world), or do I include stub
> zones to point at the non-recursive internal servers?
> 
> Access to the internal DNS zones would be controlled by location.
> (e.g. guest WiFi devices would NOT have access to internal DNS
> zones...)
> 
> Recursive resolvers would allow implementation of features such as RPZ, etc.

I have a better proposition for you:
Use a properly delegated name like internal.example.com, where 
example.com is a domain you own.

This way you don't need to mess with manual configuration for stub zones 
or hints, or keep them updated.

ACLs can be applied on the auths as needed to limit access to the "internal" 
zone from outside, but there is no technical reason why it cannot be 
delegated from the public tree, and it will save you a lot of headaches.

HTH.

-- 
Petr Špaček
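
A concrete version of the setup proposed above, as an added example that is not part of the original thread and not ISC's own configuration: a BIND 9 named.conf for the internal authoritative server holding the delegated zone, plus the resolver side showing that no stub zone or hint override is needed. The zone name internal.example.com, the name-server hostnames, the address ranges, the file path and the ACL names are all assumptions.

```conf
// Added example, not from the thread. Assumes BIND 9.16 or later ("type
// primary"; older releases spell it "type master") and the address ranges
// below, which are made up for illustration.

// 1) Delegation in the PUBLIC example.com zone (zone-file syntax, shown here
//    as a comment). The name servers sit under the parent, so no glue is
//    needed inside the delegated zone:
//      internal.example.com.  IN NS  ns1.example.com.
//      internal.example.com.  IN NS  ns2.example.com.

// 2) named.conf on ns1.example.com: non-recursive, authoritative only.
acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; localhost; };
acl guest-wifi    { 192.168.250.0/24; };   // lies inside 192.168.0.0/16
acl secondaries   { 10.0.0.54; };          // ns2, assumed address

options {
    recursion no;                          // auths never recurse in this design
    allow-query { internal-nets; };        // default for every zone here
};

zone "internal.example.com" {
    type primary;
    file "/var/lib/bind/db.internal.example.com";   // assumed path
    // ACL elements are evaluated in order, first match wins: the negated
    // guest range must come before the broader range that contains it,
    // otherwise guest addresses match internal-nets and are allowed.
    allow-query    { !guest-wifi; internal-nets; };
    allow-transfer { secondaries; };
    notify yes;
};

// 3) named.conf on an internal recursive resolver (separate file). There is
//    no stub zone and no hints override for internal.example.com: it resolves
//    through the public delegation like any other name.
options {
    recursion yes;
    allow-recursion { !guest-wifi; internal-nets; };
    dnssec-validation auto;
};
```

Two caveats follow from how the ACL is enforced. The auth only sees the source address of whatever sends the query, so when guest and internal clients share one resolver, the auth cannot tell them apart; the `guest-wifi` deny entry above only does anything if guest devices use a resolver (or a view with its own source address) in that range, or query the auth directly. And if example.com is DNSSEC-signed, either sign internal.example.com and publish its DS in the parent, or publish no DS at all so that validating resolvers treat the delegation as insecure; a DS pointing at an unsigned child makes every answer from it fail validation.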


