Great Circle Associates Firewalls
(April 1998)


Subject: Re: Split DNS config questions
From: Leonard Miyata <leonard @ geminisecure . com>
Date: Wed, 1 Apr 1998 09:55:18 -0800 (PST)
To: Michael Batchelor <Michael_Batchelor @ citysearch . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9494F3B8EDAED111949B00600815D1C576D43B @ mail . citysearch . com>

Hi There

First, the best reference for this subject is
  Building Internet Firewalls, Chapman & Zwicky
  DNS and Bind 2ND EDITION!! Albitz & Liu
Both from O'Reilly & Associates, Inc.
The two together provide a good write-up on the interactions of DNS,
firewalls and DMZ configurations.

The entire purpose of 'Split' DNS is to set up a Private DNS
infrastructure to resolve your internal Private Address, and your
Public Address they're allowed to talk to. Meanwhile, your Official
Public DNS Server Contains your Public address, and resolves Internet
connections. Since the Public Server does not know your internal Address,
the 'Split' DNS configuration 'hides' the internal addresses from public
view. By the way... they both use 'Your Domain' but they are duplicate

For Complete isolation, not only do you need your Private Primary and
Secondary DNS Servers, you also need a Private root Server granting your
Private Primary Authoritative for the domain.

Personal Opinions Provided by
Leonard Miyata
aka leonard @ geminisecure .
Gemini Computers Inc.

On Tue, 31 Mar 1998, Michael Batchelor wrote:

> I am having some trouble understanding how split DNS is supposed to
> work.  I am using BIND 8.1.1 on Irix 6.2.  I have looked up some info on
> the web about split DNS (fwtk FAQ, for instance, has a short tutorial),
> and have gone over the discussion in the Cheswick/Bellovin firewalls
> book, but still have some unresolved questions:
> 1.  If I want to use the same domain for internal and external, how does
> the internal DNS server know when to forward to the firewall?  I set up
> the internal name server as primary for, but
> is an external host.  The internal server doesn't want to forward
> queries for to the firewall.  It returns NXDOMAIN for
> all outside hosts in the same domain, if the internal server doesn't
> have a record.  Must I set up a different internal domain for inside
> DNS?  That works, by the way, but I was under the impression that split
> DNS worked with the same domain inside and outside.  It's really
> inconvenient for me to have to make or whatever.
> 2.  I prepared a named.cache file for the internal DNS server that lists
> itself as a root server.  Named likes to complain in the log files about
> "sysquery: no addrs found for root NS ()".  If I leave out the
> named.cache from the named.conf, it fails to operate (SRVFAIL errors).
> If I use the named.cache from, all answers are
> non-authoritative.
> 3.  My firewall is actually not listed in the NIC as primary for our
> domain.  Our external primaries are co-located at our ISP.  So I set up
> the firewall named as a caching forwarder to the existing external name
> servers.  When the internal server is set up with a subdomain, rather
> than the same domain as the external hosts, this seems to work OK.  I
> have the firewall named set to log all queries, and it does get the
> queries from the internal server, and forwards to the external.  So I
> think this setup is functionally OK, but wanted to mention it in case it
> has relevance to my other questions.
> Any hints, tips, or URLs to a complete discussion with examples would be
> very much appreciated.
> _______________________________________________________
> UNIX TEAM - Because it tells me to.
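
An added example, not part of either poster's message: a Python check over the two halves of a same-domain split DNS setup. It reports private addresses that appear in the public zone and public names the internal zone lacks, which inside clients would see as NXDOMAIN. The zone contents, names and addresses are constructed, and the one-A-record-per-line format is a simplifying assumption.

```python
import ipaddress

# Constructed sample data: simplified zones, one fully-qualified A record per line.
PUBLIC_ZONE = """\
www.example.com.   IN A 192.0.2.10
mail.example.com.  IN A 192.0.2.25
build.example.com. IN A 10.1.4.7     ; should never be published
"""
INTERNAL_ZONE = """\
www.example.com.   IN A 192.0.2.10
build.example.com. IN A 10.1.4.7
files.example.com. IN A 10.1.4.20
"""

# RFC 1918 private address space, listed explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_a_records(zone_text):
    """Return {owner_name: {addresses}} for A records; other lines are skipped."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop zone-file comments
        if len(fields) >= 3 and fields[-2].upper() == "A":
            name = fields[0].lower().rstrip(".")
            records.setdefault(name, set()).add(ipaddress.ip_address(fields[-1]))
    return records


def audit_split_dns(public_text, internal_text):
    """Compare the public and internal views of one domain."""
    public = parse_a_records(public_text)
    internal = parse_a_records(internal_text)
    # Names whose public answer exposes an internal (RFC 1918) address.
    leaks = sorted(name for name, addrs in public.items()
                   if any(a in net for a in addrs for net in RFC1918))
    # The internal server is authoritative for the same domain, so a public
    # name it does not carry is answered NXDOMAIN for inside clients.
    # This may be intended policy; the list is for review.
    missing = sorted(set(public) - set(internal))
    return {"private_in_public": leaks, "nxdomain_inside": missing}


if __name__ == "__main__":
    for finding, names in audit_split_dns(PUBLIC_ZONE, INTERNAL_ZONE).items():
        print(finding, names)
```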
