split-DNS-howto [was Re: Restricting Queries and allow-query]

Post by John Ta » Sat, 27 Feb 1999 04:00:00



I don't consider myself an expert in DNS but let me try to give it a
shot.

Split DNS implementations are usually (at least for the case I know)
for the segregation of private and public domains accompanied by the
firewall separation of the DNSes.

The Internal DNS server will serve as a root server to the Internal
Domain. Hence, you should set your db.cache file to reflect this. For
those who have BIND and DNS book 2nd edition, you can refer to Chapter
8, Growing your Domain : Coping with Disaster.  But basically you set
the db.cache file to say

.   99999999 IN   NS   <Your primary DNS server>

I would think that other settings are similar to a normal DNS. Now the
question is : what if I need to resolve the outside world's domain ?

I would venture that in the named.boot file of the DNS you add a
forwarder <IP address of the External DNS> slave statement (for BIND
4.x users) so that any query that is not known by the internal root
server will be forwarded automatically to the external DNS server seen
and interacting with the rest of the world.

Internally, if you have other zones not within your control, those DNS
servers might also forwarder slave to your internal DNS server.

Anyone else want to comment ?

John


>Subject: split-DNS-howto [was Re: Restricting Queries and allow-query]
>Date: Fri, 19 Feb 1999 11:51:02 +0100

>>If you want to restrict outsiders from seeing your internal name
>>space, use split DNS. It's probably simpler and easier to maintain in
>>the long run than using ACLs.

>Good point. But has anyone had the time to write a "split-DNS-howto" yet? In
>theory, it sounds quite simple, but in practice I've seen a lot of pitfalls.
>(And _I_ haven't overcome them all yet, so I would not be a good author, but
>willing to contribute).

>Ingo


split-DNS-howto [was Re: Restricting Queries and allow-query]

Post by Matthew Thompso » Sat, 27 Feb 1999 04:00:00


>Split DNS implementations are usually (at least for the case I know)
>for the segregation of private and public domains accompanied by the
>firewall separation of the DNSes.
>Anyone else want to comment ?

I also use a split DNS system to push internal requests for externally
available sites through the internal network port on the appropriate
machines. This allows for easy filtering of stats and allows us to keep
our external and internal networks clean.


 
 
 

split-DNS-howto [was Re: Restricting Queries and allow-query]

Post by Cricket L » Tue, 02 Mar 1999 04:00:00



>The Internal DNS server will serve as a root server to the Internal
>Domain.

The term "root server to the internal domain" doesn't really mean
anything.

>Hence, you should set your db.cache file to reflect this. For
>those who have BIND and DNS book 2nd edition, you can refer to Chapter
>8, Growing your Domain : Coping with Disaster.

Actually, the last chapter ("Miscellaneous") is probably a better
reference, both for the second and third editions.

>But basically you set the db.cache file to say

>.   99999999 IN   NS   <Your primary DNS server>

>I would think that other settings are similar to a normal DNS. Now the
>question is : what if I need to resolve the outside world's domain ?

Today, if you use internal roots, you don't resolve Internet domain
names.

>I would venture that in the named.boot file of the DNS you add a
>forwarder <IP address of the External DNS> slave statement (for BIND
>4.x users) so that any query that is not known by the internal root
>server will be forwarded automatically to the external DNS server seen
>and interacting with the rest of the world.

If you configure an internal root name server to use another name
server as a forwarder, it won't forward anything.

cricket

Acme Byte & Wire

www.acmebw.com

Attend our next DNS and BIND class!  See
www.acmebw.com/training.htm for the
schedule and to register for upcoming
classes.

 
 
 

split-DNS-howto [was Re: Restricting Queries and allow-query]

Post by Cricket L » Fri, 05 Mar 1999 04:00:00



>I am working through a related problem, in which I am setting up a DNS server
>which is a caching only server for both intranet and internet DNS.  Is split
>DNS the way to go here also?  I need my DNS server to listen to DNS requests
>on a private IP network and then forward the requests to the internal root
>servers or internet root servers.

>Traditionally forwarding would fail if the request goes to one DNS and it
>replies with 'I don't know'.  Rather I need a mechanism to scrape off only
>intranet domains and forward them to the intranet root servers if they are not
>already cached; otherwise it's off to the internet roots if it's not cached.

>Has anyone done this?  What version of Bind did you use, are there any hints
>you can offer me?

The only way I can think of to do this is to use the (very) new
flexible forwarding mechanisms in BIND 8.2 (now in beta testing).  You
could configure your BIND 8.2 name server with the Internet root hints
file and then set conditional forwarding to send queries for your
internal zones to the correct name servers.

cricket

Acme Byte & Wire

www.acmebw.com


 
 
 

split-DNS-howto [was Re: Restricting Queries and allow-query]

Post by Jakob Schlyte » Fri, 05 Mar 1999 04:00:00



> The only way I can think of to do this is to use the (very) new
> flexible forwarding mechanisms in BIND 8.2 (now in beta testing).  You
> could configure your BIND 8.2 name server with the Internet root hints
> file and then set conditional forwarding to send queries for your
> internal zones to the correct name servers.

Did these flexible forwarding mechanisms make it into 8.2-T6B?

/Jakob

--

Phone:  +46 31-772 59 19                     Computer Communications Group
Fax:    +46 31-772 59 22                     Chalmers University of Technology
http://www.cdg.chalmers.se/~jakob/           SE-412 96 Goteborg, Sweden

 
 
 

split-DNS-howto [was Re: Restricting Queries and allow-query]

Post by Cricket Li » Fri, 05 Mar 1999 04:00:00




>> The only way I can think of to do this is to use the (very) new
>> flexible forwarding mechanisms in BIND 8.2 (now in beta testing).  You
>> could configure your BIND 8.2 name server with the Internet root hints
>> file and then set conditional forwarding to send queries for your
>> internal zones to the correct name servers.

>Did these flexible forwarding mechanisms make it into 8.2-T6B?

Yes.  See the zone statement, type forward.

cricket

Acme Byte & Wire   | http://www.acmebw.com/


 
 
 

split-DNS-howto [was Re: Restricting Queries and allow-query]

Post by Ingo T. Stor » Sat, 06 Mar 1999 04:00:00


Hi,

>I am working through a related problem, in which I am setting up a
>DNS server which is a caching only server for both intranet and
>internet DNS.

I use the following topology for the same purpose:

- A and B are internal servers, using C and D as forwarders.

- C and D are external servers.

- All internal hosts use A and B as servers.

Ingo
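Added example, not posted by anyone in this thread: a BIND 8.2-style named.conf sketch of the topology Ingo describes (internal servers A and B forwarding to external C and D) combined with the per-zone "type forward" statement Cricket points to for sending one internal subdomain to its own name server. Everything in it is constructed: corp.example, lab.corp.example, the 10.x addresses and the 198.51.100.x documentation range are placeholders, and the acl, listen-on, allow-query, allow-recursion and zone-level forwarders syntax is assumed to match BIND 8.2. The internal servers deliberately carry no internal root hints: as Cricket notes above, a server set up as an internal root does not forward, so here A and B simply hand every name they are not authoritative for to C and D.

```conf
// ---------------- named.conf on internal server A (10.1.1.53) ----------------
// Constructed example; B is configured identically with its own address.
acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 10.1.1.53; 127.0.0.1; };      // never expose A on an outside interface
    forwarders { 198.51.100.53; 198.51.100.54; };   // C and D, the external servers
    forward only;            // no root hints here, so never try to iterate ourselves
    allow-query { internal; };       // outsiders get no view of the private namespace
    allow-recursion { internal; };   // and cannot use A as a recursive resolver
};

// The private namespace lives only on A and B; C and D never publish it.
zone "corp.example" {
    type master;
    file "db.corp.example";
};

zone "1.10.in-addr.arpa" {
    type master;
    file "db.10.1";
};

// A department that runs its own split DNS: only its names are sent to its
// server. This per-zone forward (BIND 8.2) overrides the global forwarders.
zone "lab.corp.example" {
    type forward;
    forward only;
    forwarders { 10.9.9.53; };
};

// ---------------- named.conf on external server C (198.51.100.53) ----------------
// Answers the public zone for anyone, but recurses only for A and B.
acl internal { 10.0.0.0/8; };

options {
    directory "/var/named";
    allow-query { any; };            // public data is public
    allow-recursion { internal; };   // but C is not an open resolver for the world
};

zone "." {
    type hint;
    file "db.cache";                 // the real Internet root hints, not an internal root
};

zone "example.com" {
    type master;
    file "db.example.com";           // public names only; nothing from corp.example
};
```

The split between allow-query and allow-recursion on C is what keeps the external side safe to use as a forwarder: anyone may ask it for example.com, but only the internal servers may ask it to go and look something up on their behalf. On A and B, the restrictive allow-query is the whole point of the exercise: even if a packet from outside reaches them, they will not answer for corp.example.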

 
 
 

split-DNS-howto [was Re: Restricting Queries and allow-query]

Post by John Ta » Wed, 10 Mar 1999 04:00:00


Hi,

Can I just ask what happens if you have split domain DNS and in your
intranet domain, you also have internal sites that have both internet
and intranet domain ? Can these sites also implement split DNS and do
conditional forwarding to my internal root server in my intranet ?

Thanks for your help.




>Subject: Re: split-DNS-howto [was Re: Restricting Queries and allow-query]
>Date: Thu, 4 Mar 1999 22:09:42 +0100 (MET)

>> The only way I can think of to do this is to use the (very) new
>> flexible forwarding mechanisms in BIND 8.2 (now in beta testing).  You
>> could configure your BIND 8.2 name server with the Internet root hints
>> file and then set conditional forwarding to send queries for your
>> internal zones to the correct name servers.

>Did these flexible forwarding mechanisms make it into 8.2-T6B?

>/Jakob

>--

>Phone:  +46 31-772 59 19                     Computer Communications Group
>Fax:    +46 31-772 59 22                     Chalmers University of Technology
>http://www.cdg.chalmers.se/~jakob/           SE-412 96 Goteborg, Sweden

