How should I configure internal and external DNS servers
Michael Richardson
mcr at sandelman.ca
Sat Nov 4 08:55:57 UTC 2023
Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS
configurations. They were great ideas in 1993, when all sites were concave,
but that's just not the case anymore.
Instead, I recommend having a sub-zone, "internal.example.com", or some other
convenient name. Put a zone split ("NS" and "DS" records) there, and then
limit who can do queries to this zone by IP address. You'd acceptlist all of
your VPN sites, the v4 (RFC1918) and v6 (subnet) prefixes for your remote
access clusters.
Split-DNS finally has some actual IETF definition at:
https://datatracker.ietf.org/doc/draft-ietf-add-split-horizon-authority/
I'm specifically arguing to do:
https://www.ietf.org/archive/id/draft-ietf-add-split-horizon-authority-06.html#name-internal-only-subdomains
It's just so much easier, particularly if you are starting from scratch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 658 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20231104/c785684c/attachment.sig>
More information about the bind-users
mailing list