Firewall Wizards mailing list archives

Re: Split DNS, who be recursive?


From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 30 Mar 2000 00:33:41 -0500 (EST)

On Wed, 29 Mar 2000, Lance Spitzner wrote:

> Looking for architect opinions on Split DNS.
> How do you configure your Internal DNS server?

(I saw something in BIND 8.1.1 or 8.2.x about virtual servers that struck
me as a thing to make this all easier, but never had time to dig in, so
you may want to look at that eventually)

> When someone on your internal network queries
> an Internet address, such as www.intel.com.
>
> Do you ...
>
> 1.  Have your internal server do the query,
> starting with the root servers?
>
> 2.  Have your internal server ask an upstream
> DNS server to do the query (such as your ISP).


2.5 I've always had an external server that the internal server was
allowed to query that did lookups against the roots and recursively
answered queries.

> 3. Have your internal server redirect the
> client to another DNS server?
>
> Looking for security pros/cons of each option.

My gut reaction is *not* to let external DNS into the enterprise (due to
tunneling risks) and to make external communications go through proxies
that can hit an external recursive nameserver that goes to the roots.

That doesn't always work though.

FWIW, I think going to the roots provides a cleaner model when we get to
DNSSEC.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
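The "2.5" layout described in the reply (internal server forwards everything it is not authoritative for to a DMZ resolver, which alone walks the roots), written out as BIND 9 configuration. This is an added example, not configuration from the thread or from either poster; the addresses (RFC 5737 documentation ranges and 10.0.0.0/8), zone names and file paths are constructed placeholders. Option 1 from the question is the same internal server with the `forward`/`forwarders` lines removed and a root hints zone added; option 2 is the same file with the ISP's resolver in `forwarders` instead of the DMZ host.

```conf
// ---- /etc/named.conf on the INTERNAL nameserver (10.0.0.1) ----
// Authoritative for the private view of example.com; every other name is
// forwarded to the DMZ resolver. "forward only" means it never falls back
// to iterating on its own, so the firewall only has to permit port 53
// from 10.0.0.1 to 192.0.2.53, not from the internal net to the world.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 10.0.0.0/8; };   // internal clients only
    allow-recursion { 10.0.0.0/8; };
    forward only;
    forwarders { 192.0.2.53; };        // the DMZ resolver, nothing else
};

zone "example.com" {
    type master;
    file "internal/example.com.zone";  // private names, never published
};

// ---- /etc/named.conf on the DMZ RESOLVER (192.0.2.53) ----
// Recurses from the root hints, but answers only the internal nameserver.
// It is not authoritative for anything, so a poisoned cache here cannot
// alter what the Internet sees for example.com.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 10.0.0.1; };     // the internal nameserver only
    allow-recursion { 10.0.0.1; };
};

zone "." {
    type hint;
    file "named.root";                 // root hints, updated periodically
};

// ---- /etc/named.conf on the PUBLIC authoritative server (192.0.2.54) ----
// Serves the external view of example.com to anyone and recurses for nobody.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "external/example.com.zone";  // public names only
};
```

To confirm the split behaves as intended: a query from an internal client to 10.0.0.1 for www.intel.com should be answered (via 192.0.2.53), the same query sent directly to 192.0.2.53 from any address other than 10.0.0.1 should come back REFUSED, and a recursive query to 192.0.2.54 should come back with the RA flag clear. The firewall rule set should then only need 10.0.0.1 -> 192.0.2.53 on port 53, which is the "no external DNS into the enterprise" property Paul argues for.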


