Firewall Wizards mailing list archives

RE: Split DNS, who be recursive?


From: Bill_Royds () pch gc ca
Date: Tue, 11 Apr 2000 12:40:22 -0400

This is the structure of our split DNS and it generally works well. There are a
couple of questions I would ask of it though.

1./ What is the best way of handling internal secondaries?
     a) have them always forward any external request to the primary, which then
recurses through the firewall.
     b) every secondary can contact external DNS to fulfil requests.
 Option a builds up a good cache in your primary DNS server but gives a lot of
work to the primary and creates a longer serial pipeline.
Option b may be slightly less secure but speeds up requests for new DNS entries.

2./ How should you handle DNS in a segregated server segment (off a third NIC on
the firewall)?
     a1) have it be secondary to external (DMZ) server (allowing zone transfers
from external server to server segment)
     a2) have server segment machines use external as DNS server with no DNS
server on server segment.
     b1) have it be secondary to internal DNS server (forcing zone transfers
through firewall).
     b2) have servers use internal as DNS server (allowing queries from server
to internal through firewall).
     c)   have it be primary with its own knowledge.

Each of these has its good and bad points in efficiency, security and
complexity. Thoughts?


Jeffery.Gieser () minnesotamutual com on 30/03/2000 12:05:28 PM

Please respond to Jeffery.Gieser () minnesotamutual com

 To:      "firewall-wizards () nfr net" <firewall-wizards () nfr net>
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: RE:[fw-wiz] Split DNS, who be recursive?

#1.  Have your internal server do the query, starting with the root servers?

This would be less restrictive than option 2 because you would have to allow
your internal DNS server to communicate with all external DNS servers on port 53
through your firewall.


#2.  Have your internal server ask an upstream DNS server to do the query
(such as your ISP).

This is most restrictive (my favorite). The only DNS traffic going through
your firewall would be initiated by your internal DNS server and going to one
external DNS server that you are forwarding your queries to.

#3. Have your internal server redirect the client to another DNS server?

I am not sure how you would do this but it is the least restrictive because
you would need to allow all of your internal computers (not just one DNS
server) to contact all external DNS servers on port 53.

If I were designing a split DNS setup then this is what I would do.

Internal DNS server ----> Firewall with proxy ----> External DNS server
Primary domain.com        for port 53 traffic       Primary domain.com

1. Set up an internal DNS server that is primary for domain.com.  Include all
hostnames in domain.com.  Configure it so that it forwards all queries that it
cannot resolve to the external DNS server.  Do not advertise the internal DNS
server as an authoritative server for domain.com.  Have all internal computers
go to this server for DNS resolution.

2. Set up your proxy on the firewall to only allow DNS traffic on TCP port 53
and UDP port 53 initiated by the internal DNS server and going only to the
external DNS server.  If you can have an application layer proxy here then only
allow queries through and not zone transfers.

3. Set up an external DNS server that is also primary for domain.com and
advertise it on the internet as the authoritative name server for domain.com.
Only include A records and PTR records for hosts that you want people on the
internet to know about.  This is usually just web servers and mail servers.

Regards,
Jeffery Gieser
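The following is an added example and not configuration from either poster: it expresses Jeffery's three-step design (internal primary forwarding only to the external primary, firewall passing only that one flow on TCP/UDP 53, external primary carrying only public records) together with Bill's option 1a (internal secondaries forwarding everything non-local to the internal primary) as BIND 9 named.conf and zone-file fragments. BIND itself is an assumption, as are the addresses (10.0.0.0/8 inside, 10.0.0.1 for the internal primary, 10.0.0.53 for the internal secondary, 192.0.2.0/24 for the DMZ) and the file paths; domain.com is the name used in the thread.

```conf
// ======== /etc/named.conf on the INTERNAL PRIMARY (10.0.0.1) ========
// Assumed BIND 9 syntax; all addresses are illustrative placeholders.
options {
    directory "/var/named";
    recursion yes;                              // resolves for inside clients
    allow-query     { 10.0.0.0/8; localhost; }; // never answer the outside
    allow-recursion { 10.0.0.0/8; localhost; };
    allow-transfer  { 10.0.0.53; };             // only the internal secondary
    notify no;                                  // do not announce this zone outward
    forward only;                               // never walk the roots ourselves ...
    forwarders { 192.0.2.53; };                 // ... always ask the external primary
};

zone "domain.com" {
    type master;
    file "internal/domain.com.zone";            // ALL internal hostnames live here
};

// ======== /etc/named.conf on an INTERNAL SECONDARY (10.0.0.53) ========
// Bill's option 1a: slave the full internal zone, but forward every other
// query to the internal primary, so only one host ever crosses the firewall.
options {
    directory "/var/named";
    recursion yes;
    allow-query    { 10.0.0.0/8; localhost; };
    allow-transfer { none; };
    forward only;
    forwarders { 10.0.0.1; };                   // the internal primary, not the outside
};

zone "domain.com" {
    type slave;
    masters { 10.0.0.1; };
    file "internal/domain.com.zone.slave";
};

// ======== /etc/named.conf on the EXTERNAL PRIMARY (192.0.2.53) ========
// The firewall proxy permits TCP/UDP 53 from 10.0.0.1 to this host only,
// and drops zone transfers; this server recurses solely for that source.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { any; };                   // public zone is answered for everyone
    allow-recursion { 10.0.0.1; };              // recursion only for the internal primary
    allow-transfer  { none; };                  // add the public secondary here if one exists
};

zone "domain.com" {
    type master;
    file "external/domain.com.zone";            // public view only
};

; ======== /var/named/external/domain.com.zone (public view) ========
; Only hosts the Internet is meant to know about; no intranet, printer or
; workstation records. Those exist only in internal/domain.com.zone.
$TTL 86400
@       IN  SOA  ns1.domain.com. hostmaster.domain.com. (
                 2000041101 ; serial (placeholder)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative-cache TTL
        IN  NS   ns1.domain.com.
        IN  MX   10 mail.domain.com.
ns1     IN  A    192.0.2.53
www     IN  A    192.0.2.80
mail    IN  A    192.0.2.25
```

Two checks follow directly from the design: an internal name such as intranet.domain.com must resolve from an inside client via 10.0.0.1 but return NXDOMAIN when asked of 192.0.2.53 from the Internet, and the only DNS flow the firewall logs should be 10.0.0.1 to 192.0.2.53 on port 53. Any other inside host talking to port 53 outside is a client bypassing the design, and any AXFR reaching the proxy is a transfer the policy says should not occur.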




