First, the best reference for this subject is
Building Internet Firewalls, Chapman & Zwicky
DNS and Bind 2ND EDITION!! Albitz & Liu
Both from O'Reilly & Associates, Inc.
The Two together provide a good write up on the interactions of DNS
Firewalls and DMZ configurations
The entire purpose of 'Split' DNS is to set up a Private DNS
infrastructure to resolve your internal Private Address, and your
Public Address their allowed to Talk to. Meanwhile, your Official
Public DNS Server Contains your Public address, and resolves Internet
connections. Since the Public Server does not know your internal Address,
the 'Split' DNS configuration 'hides' the internal addresses from public
view. By the way... they both use 'Your Domain' but they are duplicate
For Complete isolation, not only do you need your Private Primay and
Secondary DNS Servers, you also need a Private root Server granting your
Private Primary Authoritative for the domain.
Personal Opinions Provided by
aka leonard @
Gemini Computers Inc.
On Tue, 31 Mar 1998, Michael Batchelor wrote:
> I am having some trouble understanding how split DNS is supposed to
> work. I am using BIND 8.1.1 on Irix 6.2. I have looked up some info on
> the web about split DNS (fwtk FAQ, for instance, has a short tutorial),
> and have gone over the discussion in the Cheswick/Bellovin firewalls
> book, but still have some unresolved questions:
> 1. If I want to use the same domain for internal and external, how does
> the internal DNS server know when to forward to the firewall? I set up
> the internal name server as primary for company.com, but www.company.com
> is an external host. The internal server doesn't want to forward
> queries for www.company.com to the firewall. It returns NXDOMAIN for
> all outside hosts in the same domain, if the internal server doesn't
> have a record. Must I set up a different internal domain for inside
> DNS? That works, by the way, but I was under the impression that split
> DNS worked with the same domain inside and outside. It's really
> inconvenient for me to have to make internal.company.com or whatever.
> 2. I prepared a named.cache file for the internal DNS server that lists
> itself as a root server. Named likes to complain in the log files about
> "sysquery: no addrs found for root NS ()". If I leave out the
> named.cache from the named.conf, it fails to operate (SRVFAIL errors).
> If I use the named.cache from rs.internic.net, all answers are
> 3. My firewall is actually not listed in the NIC as primary for our
> domain. Our external primaries are co-located at our ISP. So I set up
> the firewall named as a caching forwarder to the existing external name
> servers. When the internal server is set up with a subdomain, rather
> than the same domain as the external hosts, this seems to work OK. I
> have the firewall named set to log all queries, and it does get the
> queries from the internal server, and forwards to the external. So I
> think this setup is functionally OK, but wanted to mention it in case it
> has relevance to my other questions.
> Any hints, tips, or URLs to a complete discussion with examples would be
> very much appreciated.
> UNIX TEAM - Because it tells me to.