Great Circle Associates Firewalls
(June 1996)

Subject: Re: split-brain DNS
From: "Lack Mr G M" <gml4410 @ ggr . co . uk>
Date: Thu, 27 Jun 1996 09:58:17 +0100
To: chris @ lagoon . meo . dec . com (Chris Jankowski), Firewalls @ GreatCircle . COM
In-reply-to: chris @ lagoon . meo . dec . com (Chris Jankowski)
References: <9606272301 . AA12473 @ lagoon . meo . dec . com>

> Could somebody explain the problem in more detail, please?
>
> >        The split-brain DNS is a problem when you have a domain and
> >        subdomains behind the firewall. The solution we know is to declare
> >        the DNS server of the parent domain as a secondary server for every
> >        existing subdomain. This solution is not really great since we can't
> >        resolve Internet names from a subdomain.
> >        We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
> >        but no improvement seems to be done...
>
> Why the subdomain primary DNS servers cannot forward all non-local queries
> to the domain DNS server which will resolve the queries for them?
> This of course may include further forwarding in case of queries on Internet
> names.
>
> Where exactly is the problem?
> I must be missing something.

   Not sure that the problem described is the one I have, but there is no way
for this to work if you have multiple private domains (i.e. not just
sub-domains).  You can get all of these to forward to an internal master, but
you can't get this master to forward the relevant queries back to the internal
domains (as you can't "prime" the cache with non-root servers).  So the
internal master asks the real root servers about your internal domains and
believes that they do not exist.  The result is that you can't resolve one
internal domain from another.

   Now, even if you do have a single domain with sub-domains it is quite likely
that the *reverse lookup* domains are separate, so you have the problem then
anyway.

   I have had to use a modified version of 4.9.3B9 which, basically, does allow
me to prime the cache with internal name servers.

-- 
----------- Gordon Lack ----------------- gml4410 @ ggr . co . uk ------------
The contents of this message *may* reflect my personal opinion.  They are
*not* intended to reflect those of my employer, or anyone else.
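The arrangement Gordon describes above (an internal master that sends queries for other private forward and reverse zones to those zones' own servers instead of asking the real root servers, which will only answer NXDOMAIN) could not be expressed in stock BIND 4.9.3, which is why he needed a patched build. As an added example that is not part of the original thread, here is the same arrangement written in the per-zone forwarding syntax of BIND 9. The zone names, zone file names, and server addresses are assumptions made for illustration; the files referenced are not shown.

```conf
// Constructed example (not from the original post): BIND 9 named.conf
// fragment for the INTERNAL MASTER. Zone names and addresses are assumed.

options {
    directory "/var/named";
    recursion yes;
    // Anything not matched by a zone below is still resolved normally,
    // i.e. by walking down from the root servers (or, on a firewalled
    // host, via a global "forwarders" entry pointing at the bastion).
};

// The master's own private domain: ordinary authoritative data.
zone "corp.example" {
    type master;
    file "db.corp.example";
};

// A second, separately administered private domain. Instead of asking
// the root servers (which have never heard of it), hand queries to that
// domain's own internal servers. "forward only" means that if those
// servers are down the lookup fails rather than falling back to the
// roots, which is what you want for names that must never leave the site.
zone "lab.example" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; 10.2.0.54; };
};

// Reverse zones are usually delegated separately from the forward zones,
// so each private address block needs its own entry as well.
zone "2.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; 10.2.0.54; };
};

// --- And on each subordinate / private-domain server (here lab.example) ---
// Serve its own zones and forward everything else to the internal master,
// which now knows how to route queries for the other private zones.
//
// options {
//     directory "/var/named";
//     forwarders { 10.1.0.53; };   // the internal master
//     forward only;
// };
// zone "lab.example"       { type master; file "db.lab.example"; };
// zone "2.10.in-addr.arpa" { type master; file "db.10.2"; };
```

The check worth running after such a change is to query the master for a name in each other private zone and for a reverse lookup in each private address block, and confirm you get an answer from the internal servers rather than NXDOMAIN from the roots. A `type stub` zone (the master holds only the NS records and follows the delegation itself) is an alternative to `type forward` in BIND 9 and gives the same result for this problem.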

