On Feb 13, 9:35am, Mike Williams wrote:
> Subject: Re: Spit DNS - Another way
> >>> "Kurt" == Kurt Kessel <kkessel @ hteinc . com> wrote:
>
> Kurt> The trick would be to configure the firewall as a DNS client of
> Kurt> both DNS servers ([external] and internal).
>...
>
> Luckily, Marcus Ranum (he of FWTK fame) has already implemented this very
> scheme ... check out his code at
>
> http://www.clark.net/pub/mjr/pubs/dns/
>
> Another benefit that you didn't mention is that the bastion can still
> resolve external names even when the internal nameserver(s) is(/are) down.
But a disadvantage of it is that it doesn't do anything to help the
internal name server resolve other internal domains. I'm sure there are
many corporate networks with multiple internal domains running from
multiple *internal* primaries. What is required is a way to tell each
of these primaries that the other internal primaries *are* internal.
Currently, all you can do is send anything that you are not a primary
or secondary for to a forwarder, unless you have patched code to allow
you to configure other *internal* name servers (which fortunately for
me, I do).
--
----------- Gordon Lack ----------------- gml4410 @ ggr . co . uk ------------
The contents of this message *may* reflect my personal opinion. They are
*not* intended to reflect those of my employer, or anyone else.