RE: Split DNS, who be recursive?

[Ben Nagy <bnagy () cpms com au>]

Personally? My ideal setup is that internal caching DNS server asks a
hardened DMZ DNS server to do the query. The external DNS server doesn't
cache and asks the root servers.

More inline...

Cheers!

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 

> -----Original Message-----
> From: Lance Spitzner [mailto:lance () spitzner net]
> Sent: Thursday, 30 March 2000 3:40 AM
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] Split DNS, who be recursive?
>
>
> Looking for architect opinions on Split DNS.
> How do you configure your Internal DNS server?
>
> When someone on your internal network queries
> an Internet address, such as www.intel.com.
>
> Do you ...
>
> 1.  Have your internal server do the query,
> starting with the root servers?

Direct traffic from inside to outside - suboptimal in my book. If someone
can work out how to break your packet filters then they can access your DNS
server. UDP is traditionally hard to police effectively.

> 2.  Have your internal server ask an upstream
> DNS server to do the query (such as your ISP).

2nd best, IMO. Requires that one trust their ISP.

> 3. Have your internal server redirect the
> client to another DNS server?

No thanks. Direct client traffic to the outside - like point one but with
lots of hosts to worry about.

> Looking for security pros/cons of each option.
>
> Thanks!
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html