I don't consider myself an expert in DNS, but let me try to give it a
Split DNS implementations are usually (at least for the case I know)
for the segregation of private and public domains, accompanied by the
firewall separation of the DNSes.
The Internal DNS server will serve as a root server to the Internal
Domain. Hence, you should set your db.cache file to reflect this. For
those who have BIND and DNS book 2nd edition, you can refer to Chapter
8, Growing your Domain : Coping with Disaster. But basically you set
the db.cache file to say
. 99999999 IN NS <Your primary DNS server>
I would think that other settings are similar to a normal DNS. Now the
question is: what if I need to resolve the outside world's domain?
I would venture that in the named.boot file of the DNS you add a
forwarder <IP address of the External DNS> slave statement (for BIND
4.x users) so that any query that is not known by the internal root
server will be forwarded automatically to the external DNS server seen
and interacting with the rest of the world.
Internally, if you have other zones not within your control, those DNS
servers might also forwarder slave to your internal DNS server.
Anyone else want to comment?
>Subject: split-DNS-howto [was Re: Restricting Queries and allow-query]
>Date: Fri, 19 Feb 1999 11:51:02 +0100
>>If you want to restrict outsiders from seeing your internal name
>>space, use split DNS. It's probably simpler and easier to maintain in
>>the long run than using ACLs.
>Good point. But has anyone had the time to write a "split-DNS-howto"
>theory, it sounds quite simple, but in practice I've seen a lot of
>(And _I_ haven't overcome them all yet, so I would not be a good
>willing to contribute).
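A check for the internal-server layout described in the message above, as an added example that is not part of the original post: it reads a BIND 4 named.boot and db.cache and reports when forwarding is configured without forward-only mode or when the internal root hint has no address record. BIND 4 spells the directives `forwarders` and `slave`; the zone name, file names and addresses in the sample files are constructed placeholders.

```python
import ipaddress
# Constructed sample files for an internal BIND 4 server (not from the post).
NAMED_BOOT = """\
directory  /var/named
primary    corp.example  db.corp
cache      .             db.cache
forwarders 192.0.2.53    ; external DNS server (placeholder address)
slave
"""
DB_CACHE = """\
.                  99999999 IN NS ns1.corp.example.
ns1.corp.example.  99999999 IN A  10.0.0.53
"""

def fields(text):
    """Yield whitespace-split fields per line, with ';' comments removed."""
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()
        if f:
            yield f

def audit(boot_text, cache_text):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings, boot = [], {}
    for f in fields(boot_text):
        boot.setdefault(f[0].lower(), []).extend(f[1:])
    fwd = boot.get("forwarders", [])
    if not fwd:
        findings.append("no forwarders: external names cannot be resolved")
    for ip in fwd:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"forwarder {ip!r} is not an IP address")
    # 'slave' (later spelled 'options forward-only') disables the fallback.
    forward_only = "slave" in boot or "forward-only" in boot.get("options", [])
    if fwd and not forward_only:
        findings.append("forwarders without slave: falls back to root hints")
    root_ns, glue = [], set()
    for f in fields(cache_text):
        if len(f) == 5 and f[2].upper() == "IN":
            if f[0] == "." and f[3].upper() == "NS":
                root_ns.append(f[4].lower())
            elif f[3].upper() == "A":
                glue.add(f[0].lower())
    if not root_ns:
        findings.append("db.cache has no NS record for '.'")
    findings += [f"root NS {n} lacks an A record" for n in root_ns if n not in glue]
    return findings
```

Run `audit()` on the internal server's own files after each change; without `slave`, a server whose forwarder does not answer goes back to its root hints, which in this layout name the internal root.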