Firewall Wizards mailing list archives
RE: Split DNS, who be recursive?
From: "Carson, Joe" <JCarson () smartronix com>
Date: Thu, 30 Mar 2000 16:16:11 -0500
Lance,

A traditional split DNS design has both an internal DNS and an external DNS authoritative for your domain. The internal DNS holds the entries for all of your internal hosts. The external server would only hold the publicly addressable entries for your domain. From the internet, a query would be serviced by the external DNS, and would show only the public names. Inbound queries would be filtered at your premise to prevent outside attempts to query your internal server.

When an inside user makes a DNS request, his resolver is pointing to the internal DNS. If the query is for the local domain, the internal DNS responds appropriately. In order to satisfy queries to external zones, the internal DNS must be configured as a "slave" to the external DNS. When a BIND server has the slave option set, it will forward any query that it is not authoritative for to the server listed in its "forwarders" statement.

The query path is as follows: the user's resolver queries www.intel.com. The query goes to the internal DNS server. The internal DNS determines that it is not authoritative for that zone, and forwards it to the external DNS. The external DNS recognizes that this is a forwarded request, and performs the lookup as normal (starting at the root servers...). When the external DNS receives the response, it returns the results to the internal DNS, who in turn returns it to the requesting host.

The most common usage that I see for this type of split DNS architecture is on UNIX based firewalls. The firewall runs a copy of BIND and acts as the external DNS. The outside filters are configured to only allow DNS traffic to and from the firewall's address. A separate DNS could be established in the DMZ with a similar configuration. There are many ways to skin that cat.

Lastly, some of the advantages are that you can limit the exposure of your zone information, and the address of your internal DNS is never seen as the source of queries.

Joe W.
Joseph Carson, CCNA, CCDA
Chief Technical Officer
Smartronix Inc.
703-630-4422

-----Original Message-----
From: Lance Spitzner [mailto:lance () spitzner net]
Sent: Wednesday, March 29, 2000 1:10 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Split DNS, who be recursive?

Looking for architect opinions on Split DNS. How do you configure your Internal DNS server? When someone on your internal network queries an Internet address, such as www.intel.com, do you ...

1. Have your internal server do the query, starting with the root servers?
2. Have your internal server ask an upstream DNS server to do the query (such as your ISP)?
3. Have your internal server redirect the client to another DNS server?

Looking for security pros/cons of each option.

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
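The internal-forwards-to-external design Joe describes, written out as two BIND 8/9 `named.conf` fragments (an added example, not part of the original thread; the "slave option" in the mail is BIND 4 `named.boot` syntax, which BIND 8/9 spell `forward only`). The domain example.com, the internal network 10.0.0.0/8, the internal DNS at 10.1.1.53 and the external DNS at 192.0.2.53 are assumed values.

```conf
// --- /etc/named.conf on the INTERNAL DNS (10.1.1.53), assumed addresses ---
// Authoritative for the internal view of the zone; never walks the Internet
// itself, every non-local query is handed to the external DNS on the firewall.
options {
    directory "/var/named";
    forward only;                        // no fallback to iterative resolution
    forwarders { 192.0.2.53; };          // the external DNS (on the firewall)
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };   // only inside clients may recurse
};

zone "example.com" {
    type master;
    file "internal/example.com.zone";    // all internal hosts, never published outside
};

// --- /etc/named.conf on the EXTERNAL DNS (192.0.2.53, on the firewall) ---
// Publishes only the public names; recursion is granted solely to the
// internal DNS that forwards to it, so Internet hosts cannot use it as a resolver.
options {
    directory "/var/named";
    recursion yes;                       // needed to service the forwarded queries
    allow-recursion { 10.1.1.53; 127.0.0.1; };    // the internal DNS only
    allow-query    { any; };             // public zone data is meant to be visible
    allow-transfer { none; };            // no zone transfers, even of the public zone
};

zone "example.com" {
    type master;
    file "external/example.com.zone";    // public names only (www, mail, ns)
};
```

The external server has to permit recursion from the internal server's address, otherwise the forwarded lookups are refused and inside users lose Internet name resolution. With this layout the outside packet filter only needs to pass DNS (port 53, UDP and TCP) to and from 192.0.2.53, as the mail describes.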
Current thread:
- Re: Split DNS, who be recursive? Paul D. Robertson (Apr 04)
- Re: Split DNS, who be recursive? Lance Spitzner (Apr 10)
- <Possible follow-ups>
- Re: Split DNS, who be recursive? Don Kendrick (Apr 04)
- Re: Split DNS, who be recursive? aturner (Apr 04)
- Re: Split DNS, who be recursive? Bill_Royds (Apr 10)
- Re: Split DNS, who be recursive? Bennett Todd (Apr 10)
- RE:Split DNS, who be recursive? Jeffery . Gieser (Apr 10)
- RE: Split DNS, who be recursive? Carson, Joe (Apr 10)
- RE: Split DNS, who be recursive? Ben Nagy (Apr 10)
- Re: Split DNS, who be recursive? Chris Brenton (Apr 10)
- Re: Split DNS, who be recursive? Roger Marquis (Apr 10)
- RE:Split DNS, who be recursive? Bill_Royds (Apr 17)