Great Circle Associates Firewalls
(February 1995)
 


Subject: Re: split DNS (was Re: Firewall Product Review)
From: woods @ ncar . ucar . edu (Greg Woods)
Date: Fri, 10 Feb 95 17:17:07 MST
To: firewalls @ greatcircle . com
In-reply-to: <Pine . A32 . 3 . 91 . 950210152541 . 34455A-100000 @ maily1 . prodigy . com>; from "Frank Wortner" at Feb 10, 95 3:31 pm

> But wouldn't it also be possible to build a hierarchy of MX records like 
> this:
> 
> 	host.domain.ucar.edu	MX	100	bastion.ucar.edu
> 				MX	1	host.domain.ucar.edu
> 
> and avoid the split DNS altogether?  Hosts that can't get to 
> "host.domain.ucar.edu" would send mail to "bastion.ucar.edu";
> bastion would send the mail to "host.domain.ucar.edu".

Two problems with this. First of all, I don't control the DNS for every
subdomain. I would have to rely on every group sysadmin to install the
proper MX. Granted, if they didn't then their users couldn't get mail,
but this isn't very appetizing. Second, even if I did this, it would
require every outside machine that wants to send mail to one of our
hosts to first fail to initiate a direct connection to the host before
sending to the bastion.  This is at best rather unfriendly to the sites
trying to send us mail.  I'd rather not do that. Again, the split DNS
is easier.

--Greg
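
The delivery behaviour discussed in this message, as an added example that is not part of the original post: a Python simulation of how a sending MTA walks the quoted MX set when a firewall blocks direct connections. The outside sender name `mail.example.org`, the 60-second connect timeout and the reachability sets are constructed assumptions.

```python
# Constructed sample data: the MX set quoted in the message (preference, exchanger).
MX_RECORDS = [(100, "bastion.ucar.edu"), (1, "host.domain.ucar.edu")]
CONNECT_TIMEOUT_S = 60  # assumed per-attempt connect timeout; real MTAs vary


def candidate_exchangers(mx_records, sender):
    """Order exchangers the way an SMTP sender does: lowest preference first.

    If the sender is itself listed, it drops every record whose preference is
    equal to or higher than its own, which prevents mail loops.
    """
    own = [pref for pref, name in mx_records if name == sender]
    if own:
        mx_records = [(p, n) for p, n in mx_records if p < min(own)]
    return [name for _, name in sorted(mx_records)]


def deliver(mx_records, sender, reachable):
    """Simulate delivery; `reachable` is the set of hosts the sender can
    open TCP port 25 to (models the firewall policy).

    Returns (accepting_host_or_None, failed_attempts, seconds_lost).
    """
    failed = []
    for host in candidate_exchangers(mx_records, sender):
        if host in reachable:
            return host, failed, len(failed) * CONNECT_TIMEOUT_S
        failed.append(host)
    return None, failed, len(failed) * CONNECT_TIMEOUT_S


def simulate():
    # Hop 1: outside sender (hypothetical name); firewall only exposes the bastion.
    outside = deliver(MX_RECORDS, "mail.example.org", {"bastion.ucar.edu"})
    # Hop 2: the bastion relays inward and can reach internal hosts.
    bastion = deliver(MX_RECORDS, "bastion.ucar.edu", {"host.domain.ucar.edu"})
    # A subdomain whose admin never installed the bastion MX: mail cannot arrive.
    missing = deliver([(1, "host.domain.ucar.edu")], "mail.example.org",
                      {"bastion.ucar.edu"})
    return outside, bastion, missing


if __name__ == "__main__":
    for label, result in zip(("outside", "bastion", "no bastion MX"), simulate()):
        print(label, result)
```
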

