Best practice MultiView
Petr Špaček
pspacek at isc.org
Thu Apr 20 12:35:58 UTC 2023
On 19. 04. 23 23:01, Greg Choules via bind-users wrote:
> Hi Jiaming.
> Here's what I would do. I am assuming one nameserver for the public zone
> and one (different) nameserver for the internal zones. You would use
> more in practice but I'm keeping it simple, for illustration.
>
> The external NS is reachable from anywhere in the Internet. If you host
> it in your own network, ideally do it on a public DMZ. It hosts one
> zone; example.com. The NS name is externalns.example.com.
>
> The internal NS is *not* reachable from anywhere in the Internet, only
> to internal hosts and probably on a private address (depends on your
> internal addressing scheme). It hosts three zones; internal1.example.com,
> internal2.example.com, internal3.example.com. The name of the NS itself is
> internalns.internal1.example.com
>
>
> EXTERNAL NS
> zone: example.com
> @ SOA
> @ NS externalns
> internal1 NS internalns.internal1
> internal2 NS internalns.internal1
> internal3 NS internalns.internal1
> other records...
>
>
> INTERNAL NS
> zone internal1.example.com
> @ SOA
> @ NS internalns
> internalns A 192.168.1.1
> other records....
>
> zone internal2.example.com
> @ SOA
> @ NS internalns.internal1.example.com.
> other records....
>
> zone internal3.example.com
> @ SOA
> @ NS internalns.internal1.example.com.
> other records....
>
>
> From an Internet source, the only NS that can be reached is
> externalns.example.com. Queries could be
> made to it to learn that delegations exist for the internal zones and
> the name of the NS for those zones. However, they cannot resolve the IP
> address of internalns. Not that it would help anyway if it's
> 192.168.something and/or your firewalls block incoming DNS.
>
> It is not essential to have the delegations in externalns because
> internal clients do not use them anyway. However, it is recommended to
> have them because a) it is technically correct and b) it will be
> necessary for DNSSEC validation to work internally.
Let me add one thing:
Not having delegations is asking for problems _also_ because
non-existence of a domain is/can be cached on several levels.
When a client moves from external to internal view it might still "not
see" the internal domains because of the cache.
--
Petr Špaček
Internet Systems Consortium
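The caching problem described in the reply, as an added example that is not part of the thread: a toy resolver cache in which an NXDOMAIN from the public example.com zone (no delegations) is held for the negative TTL and still masks an internal name after the client has moved inside, while a referral from a delegating zone caches nothing for the name. The host name, addresses and TTLs are constructed.

```python
"""Toy resolver cache (constructed example, not from the thread). Simplified
RFC 2308 model: NXDOMAIN is cached for the zone's negative TTL; a referral to
a server this network cannot reach caches nothing for the queried name."""

NEG_TTL = 3600  # constructed: negative TTL (SOA MINIMUM) of public example.com

# Constructed authoritative data: name -> (rtype, rdata).
EXTERNAL_NO_DELEG = {}  # example.com without delegations: internal names are NXDOMAIN
EXTERNAL_DELEG = {"internal1.example.com": ("REFERRAL", "internalns.internal1.example.com")}
INTERNAL = {"host.internal1.example.com": ("A", "192.168.1.10")}  # constructed host


def authoritative(server, name):
    """Exact match, else the closest enclosing delegation, else NXDOMAIN."""
    if name in server:
        return server[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if server.get(parent, (None,))[0] == "REFERRAL":
            return server[parent]
    return ("NXDOMAIN", None)


class Cache:
    """Minimal per-name cache of (rtype, rdata, expires)."""
    def __init__(self):
        self.entries = {}

    def resolve(self, name, server, now, ttl=300):
        hit = self.entries.get(name)
        if hit and hit[2] > now:
            return hit[0], hit[1]  # answered from cache, whatever network we are on now
        rtype, rdata = authoritative(server, name)
        if rtype == "A":
            self.entries[name] = (rtype, rdata, now + ttl)
        elif rtype == "NXDOMAIN":
            self.entries[name] = (rtype, rdata, now + NEG_TTL)
        elif rtype == "REFERRAL":
            # delegated to internalns, unreachable from outside: fail, cache nothing
            return ("SERVFAIL", None)
        return rtype, rdata


def roaming_client(external_server, move_after, name="host.internal1.example.com"):
    """Query from the external network at t=0, then from inside at t=move_after."""
    cache = Cache()
    first = cache.resolve(name, external_server, now=0)
    second = cache.resolve(name, INTERNAL, now=move_after)
    return first[0], second[0]
```

Without delegations the second lookup keeps returning NXDOMAIN until NEG_TTL has passed; with delegations the first lookup fails without polluting the cache, so the internal answer is available as soon as the client moves.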