Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: split-brain DNS
From: "Lack Mr G M" <gml4410 @ ggr . co . uk>
Date: Mon, 1 Jul 1996 12:04:17 +0100
To: Dan Shadix <shadixdl @ gccs . cpf . navy . mil>
Cc: "'Firewalls @ GreatCircle . COM'" <Firewalls @ GreatCircle . COM>
In-reply-to: Dan Shadix <shadixdl @ gccs . cpf . navy . mil>
References: <01BB645B . 80CF6E60 @ gccs25 . gccs . cpf . navy . mil>

> Why can't you make the one master DNS server secondary for all your internal
> sub-domains?  Then if a request is for a domain for which it is authoritative,
> it will just respond, if not then it will go to the Internet at large.

   Whereas this might work (i.e. it sounds as though it will, but I haven't
thought it through completely) this would leave me with the master server being
authoritative for everything.  This would push the size of its database up from
ca. 8000 to ca. 40000 entries (guessing here, but of that order).  I don't have
the memory on the servers for such numbers.

   Also, it strikes me as being against the "spirit" of DNS.  Relatively few
queries go "between" domains, so I don't want this master server to spend a lot
of its time doing zone queries for timestamps and frequent zone transfers just
for these.  I just want to send the query off to the relevant server, just as
in the "full" InterNET.

   A logical extension of your solution would be to get all of the root name
servers to become secondaries for all domains, and I'm sure that we can agree
that would be a disaster!

>    Not sure that the problem described is the one I have, but there is no way
> for this to work if you have multiple private domains (i.e. not just
> sub-domains).  You can get all of these to forward to an internal master, but
> you can't get this master to forward the relevant queries back to the internal
> domains (as you can't "prime" the cache with non-root servers).  So the
> internal master asks the real root servers about your internal domains and
> believes that they do not exist.  The result is that you can't resolve one
> internal domain from another.
>
>    Now, even if you do have a single domain with sub-domains it is quite likely
> that the *reverse lookup* domains are separate, so you have the problem then
> anyway.
>
>    I have had to use a modified version of 4.9.3B9 which, basically, does allow
> me to prime the cache with internal name servers.

--
----------- Gordon Lack ----------------- gml4410 @ ggr . co . uk ------------
The contents of this message *may* reflect my personal opinion.  They are
*not* intended to reflect those of my employer, or anyone else.
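The forwarding problem described in the quoted paragraphs (an internal master that only knows the real root servers cannot resolve one private domain, or a separate private reverse-lookup zone, from another), worked through as a toy resolver model. This is an added example, not code from the original message or from BIND; the zone names, server data and the two "known servers" sets are constructed.

```python
"""Toy model of why an internal master that only knows the real root servers
cannot resolve one private domain from another.

Added example, not code from the original message. A caching server sends a
query to the server of the closest enclosing zone it knows about: only the
root when it has plain root hints, or the internal zones as well once the
cache has been primed with internal name servers. All data below is constructed.
"""

# Constructed authoritative data: each server knows only names in its own zone.
# The (simulated) public root knows nothing about the private domains or the
# private reverse-lookup zone.
AUTHORITATIVE = {
    ".": {"www.example.com."},
    "corp.example.": {"mail.corp.example."},
    "research.test.": {"db.research.test."},
    "10.in-addr.arpa.": {"1.0.0.10.in-addr.arpa."},
}

ROOT_HINTS_ONLY = {"."}                      # stock behaviour: root servers only
PRIMED = {".", "corp.example.", "research.test.", "10.in-addr.arpa."}


def enclosing_zones(name):
    """Yield `name` and every enclosing zone, ending with the root '.'."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def resolve(name, known_servers):
    """Return (rcode, zone_asked): ask the closest known enclosing zone's server.

    With root hints only, a query for a private name ends up at the real root,
    which has never heard of it, so the master believes the domain does not
    exist. With the cache primed, the same query reaches the internal server.
    """
    for zone in enclosing_zones(name):
        if zone in known_servers:
            rcode = "NOERROR" if name in AUTHORITATIVE[zone] else "NXDOMAIN"
            return rcode, zone
    raise RuntimeError("no server known for any enclosing zone")


if __name__ == "__main__":
    for qname in ("mail.corp.example.", "1.0.0.10.in-addr.arpa.", "www.example.com."):
        print(qname, "root hints only:", resolve(qname, ROOT_HINTS_ONLY),
              "primed:", resolve(qname, PRIMED))
```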


