How should I configure internal and external DNS servers

Andrew Latham lathama at gmail.com
Fri Nov 3 16:01:48 UTC 2023


* That sounds like a sadly normal implementation but yes you can do better
* Views is a good place to look https://kb.isc.org/docs/aa-00851
* Make sure to investigate how the company VPN services handle DNS as it
may surprise you

On Fri, Nov 3, 2023 at 9:52 AM Nick Howitt via bind-users <
bind-users at lists.isc.org> wrote:

> Hi,
>
> I am fairly new to bind but I am thinking my company's use of it is
> sub-optimal. We have two bind masters (and a few slaves), one for
> internal use so all our internal servers point to it or its slaves as
> their DNS resolvers. I will call the internal one bind-internal and the
> external one bind-external.
>
> Bind-internal is set up as authoritative for the domain example.com.
> Bind-external is also set up as authoritative for example.com.
>
> Bind-internal has all sorts of entries resolving in the 10.30, 10.40 and
> other private ranges, but it also has entries resolving to our public
> IPs, e.g. demo.example.com resolves to 1.2.3.4 (terminated by an F5),
> which is one of our public IPs (munged). As this site is externally
> accessible as well, we also have to put an identical entry in
> bind-external, so we end up having many identical entries in
> bind-internal and bind-external. We also have some other domains covered
> by bind-internal with external IPs, but externally they are covered by
> the domain host's DNS, and they have the same issue where in
> bind-internal we have some public IPs which are also in the domain
> host's DNS for external access.
>
> I have a feeling this is a sub-optimal setup, having to maintain
> external IPs in both bind-internal and bind-external. Does it make sense
> to stop bind-internal from being authoritative and make it a
> resolver/caching name server? This way, if it does not find an entry in
> bind-internal it will then go out to either bind-external or the domain
> host's DNS to get the answer from the authoritative servers and then
> there is no need to maintain external IPs in bind-internal.
>
> TIA,
>
> Nick


-- 
- Andrew "lathama" Latham -
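As an added illustration of the views approach Andrew points to (this is example configuration written for this page, not from the thread or from ISC's KB article), here is a minimal split-horizon named.conf. One server carries two copies of example.com: the "internal" view is authoritative for the private records and also recurses for internal clients, the "external" view is authoritative only and never recurses. All addresses, file names and the VPN client pool are placeholders.

```conf
// Added example: split-horizon DNS with BIND views.
// Every address and path below is a placeholder, not taken from the thread.

acl "internal-nets" {
    localhost;
    10.0.0.0/8;        // corporate ranges (covers 10.30.x.x, 10.40.x.x, ...)
    10.200.0.0/16;     // VPN client pool (placeholder): confirm what source
                       // address VPN clients really query from, or they will
                       // silently fall into the "external" view
};

options {
    directory "/var/named";
    allow-transfer { none; };   // default deny; opened per zone below
};

// Seen by internal clients and VPN users: private records plus the
// shared public records, and recursion for everything else.
view "internal" {
    match-clients { "internal-nets"; };
    allow-query    { "internal-nets"; };
    recursion yes;

    zone "example.com" {
        type primary;                          // "type master" on older 9.x
        file "internal/example.com.zone";      // private RRs + $INCLUDE of shared file
        allow-transfer { 10.30.0.5; };         // internal secondary (placeholder)
    };
};

// Seen by everyone else: public records only, no recursion.
view "external" {
    match-clients { any; };
    allow-query    { any; };
    recursion no;

    zone "example.com" {
        type primary;
        file "external/example.com.zone";      // SOA/NS + $INCLUDE of shared file
        allow-transfer { 1.2.3.5; };           // external secondary (placeholder)
    };
};
```

The duplication Nick describes disappears if the public records (demo.example.com and friends) live once in a shared file, say shared/example.com.public, and both zone files end with `$INCLUDE "shared/example.com.public"`; the internal zone file additionally carries the 10.x records. Views are selected on the query's source address, so a split-tunnel VPN client whose resolver traffic leaves via its public interface will match the "external" view and not see the private names at all, which is the surprise Andrew warns about. Verify from both sides with `dig @<server> demo.example.com` and `dig @<server> some-internal-host.example.com` before cutting over. Note that turning bind-internal into a pure caching resolver, as the question proposes, would remove the private records entirely unless they are kept authoritative somewhere the internal view can answer from.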