Firewall Wizards mailing list archives

Re: Split DNS, who be recursive?


From: Lance Spitzner <lance () spitzner net>
Date: Wed, 5 Apr 2000 10:04:06 -0500 (CDT)

On Thu, 30 Mar 2000, Paul D. Robertson wrote:

> Looking for architect opinions on Split DNS.
> How do you configure your Internal DNS server?
>
> 2.5 I've always had an external server that the internal server was
> allowed to query that did lookups against the roots and recursively
> answered queries.

Thanks to all the great responses on different ways to implement
Split DNS.  Most of the responses were similar to Paul's above.
May I suggest we take it one step farther.

1. External DNS server in DMZ
His responsibility is to hand out the domain's zone information.
This DNS server does NOT know about the root servers, so it cannot
be recursive.  This means no one from the Internet can use this
box for lookups other than the organization's domain.  This helps
protect against nasties such as cache poisoning.

2.  Internal DNS server in Internal network
His responsibility is to hand out the internal information to
all internal systems.  He is NOT recursive, he only forwards
requests to DNS server #3.  This way he never talks directly
to the Internet (untrusted network).

3.  DNS server #3 in DMZ
His responsibility is to be recursive.  He does all Internet
lookups for the internal DNS server and any servers in the
DMZ that require name resolution (such as sendmail server).
This way no one from the Internet can initiate a connection to
your recursive DNS server.  This helps protect the integrity
of your DNS server that all your systems will be using for
name resolution.

Comments/Suggestions?



Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
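The three-server layout in Lance's post, written out as BIND 9 named.conf fragments. This is an added example, not configuration from the original post or from any of the thread's participants; the addresses (192.0.2.10, 192.0.2.53, 10.0.0.53), the zone name example.com, the ACL names and the file paths are all illustrative assumptions. One practitioner's caveat the post glosses over: in BIND terms the internal server (#2) still has `recursion yes;`, because forwarding is only applied to queries that ask for recursion; what makes it "not recursive" in the post's sense is `forward only;`, which stops it from ever iterating toward the roots itself.

```conf
# Added example (not from the original post): BIND 9 named.conf fragments
# for the three roles described in the thread.  All addresses, zone names,
# ACL names and file paths are assumptions for illustration.

## 1. External authoritative server in the DMZ (assumed 192.0.2.10)
options {
    directory "/var/named";
    recursion no;               # answer only for zones it holds; never iterate
    allow-query { any; };       # the Internet may ask about the public zone
};
# Deliberately NO 'zone "."' hint zone here: this server does not know the
# root servers, so it cannot be used as a resolver even if recursion were on.
zone "example.com" {
    type master;
    file "external/example.com.zone";   # public names only (www, mx, ns)
    allow-transfer { 192.0.2.11; };     # assumed secondary; nobody else
};

## 2. Internal server on the internal network (assumed 10.0.0.53)
acl "internal" { 10.0.0.0/8; 127.0.0.1; };
options {
    directory "/var/named";
    recursion yes;              # clients send recursive queries to it ...
    forward only;               # ... but it never iterates on its own:
    forwarders { 192.0.2.53; }; # every outside lookup goes to server #3
    allow-query { internal; };
    allow-recursion { internal; };
};
zone "example.com" {
    type master;
    file "internal/example.com.zone";   # internal hosts; never published
};

## 3. Recursive resolver in the DMZ (assumed 192.0.2.53)
# Only the internal DNS server and DMZ hosts (mail relay, proxies) may use it.
acl "resolver-clients" { 10.0.0.53; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-query { resolver-clients; };      # refuse everyone else outright
    allow-recursion { resolver-clients; };
};
zone "." {
    type hint;                  # root hints: the starting point for iteration
    file "named.root";
};
```

The firewall rules that go with this are the real enforcement: anyone may reach 192.0.2.10 on port 53; only 10.0.0.53 and the DMZ hosts may reach 192.0.2.53 on port 53; 192.0.2.53 may open port 53 outbound to anywhere; nothing from the Internet may initiate to 192.0.2.53 or 10.0.0.53. Two quick checks from an outside host: `dig @192.0.2.10 www.example.org A` should come back without an address and with no `ra` flag in the flags line (the server is not offering recursion), and `dig @192.0.2.53 www.example.com A` should return status REFUSED because the source is outside `resolver-clients`.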