Great Circle Associates Firewalls
(June 1996) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: RE: split-brain DNS
From: Dan Shadix <shadixdl @ gccs . cpf . navy . mil>
Date: Thu, 27 Jun 1996 19:04:43 -1000
To: "'Lack Mr G M'" <gml4410 @ ggr . co . uk>
Cc: "'Firewalls @ GreatCircle . COM'" <Firewalls @ GreatCircle . COM> 
Why can't you make the one master DNS server secondary for all your internal sub-domains?  Then if a request is for a domain for which it is authoritative, it will just respond, if not then it will go to the Internet at large.

DP1 Dan Shadix
ISSO, GCCS Support Facility


----------
From:  Lack Mr G M[SMTP:gml4410 @
 ggr .
 co .
 uk]
Sent:  Wednesday, June 26, 1996 10:58 PM
To:  Chris Jankowski; Firewalls @
 GreatCircle .
 COM
Subject:  Re: split-brain DNS

> Could somebody explain the problem in more deatil, please?
>
> >        The split-brain DNS is a problem when you have a domain and
> >        subdomains behind the firewall. The solution we know is to declare
> >        the DNS server of the parent domain as a secondary server for every
> >        existing subdomain. This solution is not really great since we can't
> >        resolve Internet names from a subdomain.
> >        We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
> >        but no improvement seems to be done...
>
> Why the subdomain primary DNS servers cannot forward all non-local queries
> to the domain DNS server which will resolve the queries for them?
> This of courese may include further forwarding in case of queries on Internet
> names.
>
> Where exactly is the problem?
> I must be missing somthing.

   Not sure that the problem described is the one I have, but there is no way
for this to work if you have multiple private domains (ie. not just
sub-domains).  You can get all of these to forward to an internal master, but
you can't get this master to forward the relevant queries back to the internal
domains (as you can't "prime" the cache with non-root servers).  So the
internal master asks the real root servers about your internal domains and
beleives that they do not exist.  The result is that you can't resolve one
internal domain from another.

   Now, even if you do have a single domain with sub-domains it is quite likley
that the *reverse lookup* domains are separate, so you have the problem then
anyway.

   I have had to use a modified version of 4.9.3B9 which, basically, does allow
me to prime the cache with internal name servers.

-- 
----------- Gordon Lack ----------------- gml4410 @
 ggr .
 co .
 uk  ------------
The contents of this message *may* reflect my personal opinion.  They are
*not* intended to reflect those of my employer, or anyone else.
Indexed By Date Previous: RE:
From: "Rodney R. Fournier" <rodf @ cris . com>
Next: unsubscribe
From: Peter Huesser <huesser @ physik . unizh . ch>
Indexed By Thread Previous: Re: split-brain DNS
From: "Lack Mr G M" <gml4410 @ ggr . co . uk>
Next: Secure Telnet to External Sites.
From: Anthony . Passaniti @ entex . com
Google
 
Search Internet Search www.greatcircle.com