Firewall Wizards mailing list archives

RE: Split DNS, who be recursive?


From: Jeffery.Gieser () minnesotamutual com
Date: Thu, 30 Mar 2000 11:05:28 -0600


#1.  Have your internal server do the query, starting with the root servers?

This would be less restrictive than option 2 because you would have to allow your internal DNS server to communicate with all external DNS servers on port 53 through your firewall.


#2.  Have your internal server ask an upstream DNS server to do the query
(such as your ISP).

This is most restrictive (my favorite). The only DNS traffic going through your firewall would be initiated by your internal DNS server and going to one external DNS server that you are forwarding your queries to.

#3. Have your internal server redirect the client to another DNS server?

I am not sure how you would do this but it is the least restrictive because you would need to allow all of your internal computers (not just one DNS server) to contact all external DNS servers on port 53.

If I were designing a split DNS setup then this is what I would do.

Internal DNS server ----> Firewall with proxy ----> External DNS server
Primary domain.com        for port 53 traffic       Primary domain.com

1. Set up an internal DNS server that is primary for domain.com. Include all hostnames in domain.com. Configure it so that it forwards all queries that it cannot resolve to the external DNS server. Do not advertize the internal DNS server as an authoritative server for domain.com. Have all internal computers go to this server for DNS resolution.

2. Set up your proxy on the firewall to only allow DNS traffic on TCP port 53 and UDP port 53 initiated by the internal DNS server and going only to the external DNS server. If you can have an application layer proxy here then only allow queries through and not zone transfers.

3. Set up an external DNS server that is also primary for domain.com and advertize it on the internet as the authoritative name server for domain.com. Only include A records and PTR records for hosts that you want people on the internet to know about. This is usually just web servers and mail servers.

Regards,
Jeffery Gieser
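As an added illustration of the three-step setup described in the post above (not the poster's own configuration), here are BIND named.conf fragments for the internal and external servers plus the external zone file. The addresses 10.1.1.53 (internal server), 192.0.2.53 (external server), the 10.0.0.0/8 internal range, and the file names are assumed placeholders.

```conf
// ---- Internal server (10.1.1.53): primary for domain.com, forwards everything else ----
// Addresses, network ranges and file names are assumed placeholders, not from the post.
options {
    directory "/var/named";
    // Every query we are not authoritative for goes to the external server only
    forward only;
    forwarders { 192.0.2.53; };
    // Only internal clients may query or recurse through this server
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    // Internal zone data never leaves this host via zone transfer
    allow-transfer  { none; };
};
zone "domain.com" IN {
    type master;
    file "internal/db.domain.com";   // all internal hostnames live here
};

// ---- External server (192.0.2.53): primary for domain.com, public hosts only ----
options {
    directory "/var/named";
    // Answer authoritatively for anyone, but recurse only on behalf of the
    // internal server (use the firewall's outside address instead if the
    // proxy rewrites the source of forwarded queries)
    allow-recursion { 10.1.1.53; };
    // Mirrors the firewall rule: no zone transfers out of the external server
    allow-transfer  { none; };
};
zone "domain.com" IN {
    type master;
    file "external/db.domain.com";   // contains just the public records
};

// ---- external/db.domain.com (assumed placeholder content) ----
$TTL 86400
@       IN SOA ns.domain.com. hostmaster.domain.com. ( 2000033001 3600 900 604800 86400 )
        IN NS  ns.domain.com.
        IN MX  10 mail.domain.com.
ns      IN A   192.0.2.53
www     IN A   192.0.2.80
mail    IN A   192.0.2.25
```

The corresponding PTR records for 192.0.2.53, .80 and .25 would go in the reverse zone served by the external server; the internal zone file is not shown because it simply lists every internal host.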

