How should I configure internal and external DNS servers
Nick Howitt
nick at howitts.co.uk
Sat Nov 4 19:43:54 UTC 2023
As in other replies, a different internal zone is a huge project for the
company, not a quick win, unfortunately.
On 04/11/2023 08:55, Michael Richardson wrote:
> Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS
> configurations. They were great ideas in 1993, when all sites were concave,
> but that's just not the case anymore.
>
> Instead, I recommend having a sub-zone, "internal.example.com", or some other
> convenient name. Put a zone split ("NS" and "DS" records) there, and then
> limit who can do queries to this zone by IP address. You'd acceptlist all of
> your VPN sites, the v4 (RFC1918) and v6 (subnet) prefixes for your remote
> access clusters.
>
> Split-DNS finally has some actual IETF definition at:
> https://datatracker.ietf.org/doc/draft-ietf-add-split-horizon-authority/
>
> I'm specifically arguing to do:
> https://www.ietf.org/archive/id/draft-ietf-add-split-horizon-authority-06.html#name-internal-only-subdomains
>
> It's just so much easier, particularly if you are starting from scratch.
>
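The layout Michael describes, as an added BIND 9 example that is not part of either message and is not the configuration of either poster. Names, addresses, file paths and the key tag/digest are placeholders (RFC 5737 / RFC 3849 documentation prefixes), and the ACL membership is an assumption: substitute the VPN concentrator prefixes and remote-access pools that actually apply.

```conf
// ---- Public authoritative server: zone file for example.com (external view of the world)
// The parent zone only carries the delegation; no internal names live here.
//
//   $ORIGIN example.com.
//   internal            IN NS   ns1.internal.example.com.
//   internal            IN NS   ns2.internal.example.com.
//   ; glue for the delegated name servers (placeholder addresses)
//   ns1.internal        IN A    192.0.2.10
//   ns1.internal        IN AAAA 2001:db8:1::10
//   ns2.internal        IN A    192.0.2.11
//   ns2.internal        IN AAAA 2001:db8:1::11
//   ; DS record for the signed child zone. The key tag and digest below are
//   ; placeholders; generate the real record from the child's KSK with
//   ;   dnssec-dsfromkey -2 Kinternal.example.com.+013+NNNNN.key
//   internal            IN DS   12345 13 2 0000000000000000000000000000000000000000000000000000000000000000

// ---- named.conf on ns1/ns2.internal.example.com (the internal-only authority)

// Who may query internal.example.com: RFC 1918 space, plus the public v4
// prefix of the VPN concentrators and the v6 prefix of the remote-access
// clusters (all placeholder prefixes; assumption for this example).
acl internal-clients {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    203.0.113.0/24;          // VPN concentrator / remote-access egress (placeholder)
    2001:db8:1::/48;         // remote-access v6 prefix (placeholder)
    localhost;
};

acl internal-secondaries {
    192.0.2.11;              // ns2.internal.example.com (placeholder)
    2001:db8:1::11;
};

options {
    directory "/var/named";
    recursion no;            // authoritative only; resolvers live elsewhere
    allow-query { none; };   // default-deny; the zone statement opens it up
    allow-transfer { none; };
};

zone "internal.example.com" {
    type primary;            // "master" on BIND < 9.16
    file "internal.example.com.db";
    allow-query { internal-clients; };
    allow-transfer { internal-secondaries; };
    also-notify { 192.0.2.11; 2001:db8:1::11; };
    // Sign the zone so the DS published in the parent validates.
    dnssec-policy default;   // BIND 9.16+; replace with your own policy
    inline-signing yes;
};
```

Two things to check after deploying this. First, a DS in the public parent commits you to keeping the child signed with the matching KSK; if the child is unsigned or the key rolls without the parent being updated, validating resolvers on the VPN clients answer SERVFAIL for everything under internal.example.com, which looks like an outage rather than a DNSSEC failure. Second, confirm the ACL from outside the allowed prefixes: `dig @ns1.internal.example.com host.internal.example.com` from an unlisted address should return REFUSED, while the same query from a VPN client should answer. The delegation itself (NS, glue and DS) stays world-readable in the parent, so only the contents of the child zone are withheld, which is exactly what the internal-only subdomain section of the draft describes.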