In message <199310131918 . COM>, Alastair Young writes:
>>I am looking into configuring DNS in a firewalled environment, which looks
>>                        |          |
>> internal network ------| Firewall |------ the Internet
>>                        |          |
>> [stuff deleted]
>>As far as I understand (from the Name Server Operations Guide for BIND, and
>>from the O'Reilly book on 'DNS and BIND') I can use the 'forwarders' and
>>'slave' directives to do this. It remains however unclear which internal DNS
>>servers will need one/both of these directives. Is it only the internal root
>>servers that need these directives? Or must all internal DNS servers have
>>them? Can somebody please shed some light on this?
Set up your internal root servers with a primary directive and your
secondaries with a secondary directive, then load the root cache
(named.ca) file with the NS and A records for the DNS server on the
    ; @(#)root.cache 1.1 (Berkeley) 86/01/21
    ; Initial cache data for root domain servers.
    .                   999999  IN  NS  firewall.my.org.
    ; Prep the cache (hotwire the addresses). Order does not matter
    firewall.my.org.    999999  IN  A   188.8.131.52
Don't forget to set the resolv.conf on the firewall to point to the
INTERNAL DNS servers. That way, as far as your internal servers know,
the gateway is a root nameserver. If you don't do this, you may get
the infamous "no root nameservers for level n found" (n = 1, 2, 3, 4)
message from older named implementations (e.g. Suns).
> As I read it, ALL internal DNS servers must be configured as slaves,
> otherwise they will try and contact the external servers directly.
You shouldn't use slave for your internal root servers at all,
otherwise they will never offer info about your internal hosts. As far
as I know, primary, secondary and slave are mutually exclusive.
> I wasn't aware of this before, it sounds like something worth trying. The
> fewer holes I have in my wall the happier I feel.
> The only drawback I can see is that "nslookup" users will not be
> able to set server to an outside server, but I can't see any serious
> reason for doing that anyways.
True, but this isn't a big problem usually. Besides, if the DNS is down,
as systems administrator you can log onto the firewall to do the
--
Special Projects Volunteer       University of Massachusetts at Boston
  edu (preferred)                Boston, MA, (617) 287-6480
Consulting Systems Programmer    Bose
  com                            Framingham, MA (508) 879-1916 x6483
My employers don't acknowledge my existence much less my opinions.
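The advice in the message above amounts to two rules: the internal servers' root cache must name only the firewall (with a hotwired A record so the name resolves without asking anyone), and a server that is primary or secondary for internal zones must not also be run in slave mode. The following is an added example, not code from the original message or from BIND; it checks both rules against constructed sample files in BIND 4 named.ca and named.boot syntax. The hostnames, the 10.0.0.0/8 internal range, and the file contents are assumptions chosen for illustration.

```python
"""Sanity-check a firewalled BIND 4 setup: root cache and boot file.

Added example (not from the original message). The sample files below are
constructed for illustration; the checks encode the rules stated in the
message, not BIND's own validation.
"""
import ipaddress

# Constructed root cache for the INTERNAL servers: the firewall is the
# only "root", and its address is hotwired with a glue A record.
NAMED_CA_GOOD = """\
; root cache for internal servers (constructed sample)
.                  999999  IN  NS  firewall.my.org.
firewall.my.org.   999999  IN  A   10.0.0.1
"""

# Constructed boot file for an internal root server: primary for the
# internal zones, cache pointing at the file above, no slave/forwarders.
NAMED_BOOT_GOOD = """\
directory   /etc/namedb
primary     my.org                my.org.zone
primary     0.0.10.in-addr.arpa   10.0.0.rev
cache       .                     named.ca
"""

# Constructed boot file that mixes slave mode with a primary zone,
# which the message says not to do on internal root servers.
NAMED_BOOT_BAD = """\
slave
forwarders  10.0.0.1
primary     my.org                my.org.zone
cache       .                     named.ca
"""


def parse_records(text):
    """Parse cache-file lines of the form: owner ttl class type rdata.

    Comments start with ';'. Assumes the five-field layout used in the
    message (TTL present on every line); returns lowercased names.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected cache line: {raw!r}")
        owner, ttl, cls, rtype, rdata = fields
        records.append((owner.lower(), int(ttl), cls.upper(), rtype.upper(), rdata.lower()))
    return records


def check_root_cache(text, internal_nets):
    """Return a list of problems with an internal root cache (empty = OK).

    Rules: "." must have at least one NS; every root NS needs a glue A
    record in the same file; every glue address must lie inside the
    internal networks, so no query can leak to an outside root server.
    """
    records = parse_records(text)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    problems = []
    root_ns = [rdata for owner, _, _, rtype, rdata in records
               if owner == "." and rtype == "NS"]
    if not root_ns:
        problems.append('no NS record for "." (named has no root nameservers)')
    glue = {owner: rdata for owner, _, _, rtype, rdata in records if rtype == "A"}
    for ns in root_ns:
        addr = glue.get(ns)
        if addr is None:
            problems.append(f"root NS {ns} has no glue A record in the cache")
        elif not any(ipaddress.ip_address(addr) in net for net in nets):
            problems.append(f"root NS {ns} glue {addr} is outside the internal networks")
    return problems


def parse_boot(text):
    """Parse a BIND 4 named.boot into {directive: [argument lists]}."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        directives.setdefault(fields[0].lower(), []).append(fields[1:])
    return directives


def check_boot(text):
    """Return a list of problems with a boot file (empty = OK).

    Rules from the message: slave must not be combined with primary or
    secondary; a slave needs forwarders to send queries to; every server
    needs a cache directive so the root hints get loaded.
    """
    directives = parse_boot(text)
    problems = []
    serves_zones = "primary" in directives or "secondary" in directives
    if "slave" in directives and serves_zones:
        problems.append("slave combined with primary/secondary on the same server")
    if "slave" in directives and "forwarders" not in directives:
        problems.append("slave without forwarders has nowhere to send queries")
    if "cache" not in directives:
        problems.append("no cache directive: root cache file is never loaded")
    return problems


if __name__ == "__main__":
    for name, probs in (("named.ca", check_root_cache(NAMED_CA_GOOD, ["10.0.0.0/8"])),
                        ("good boot", check_boot(NAMED_BOOT_GOOD)),
                        ("bad boot", check_boot(NAMED_BOOT_BAD))):
        print(name, "OK" if not probs else probs)
```

The cache check is the one to rerun whenever the firewall's address changes: a root NS whose glue is missing or points outside the internal range is exactly the condition that produces the "no root nameservers" complaint or lets internal resolvers try to reach the Internet directly.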