Bob,
Check out the 'noforward' patches available in the 'contrib' subdirectory of the BIND distribution server:
ftp://ftp.vix.com/pub/bind/release/4.9.4/contrib/
They will help you overcome the 'all or nothing' behavior of standard BIND forwarding.
It works nicely for us with several internal domains spread over the globe and several firewalls to the 'net.
Cheers,
Todd
Bob Gammage wrote:
>
> Now we are implementing tighter security. This involves a
> FireWall that will not pass DNS-Queries and the vendor's
> suggestion is to implement forwarding on all our existing NS's.
> I have been tasked to do this with minimal additional hardware
> and minimal impact to our users.
>
> ...
>
> Unfortunately, forwarding appears to be an all-or-nothing
> proposition. So even if I create an internal-root NS (for
> the PARENT domain I assume) and replace the root cache on
> every other NS we have, I'm still unclear on how to gracefully
> choke queries of external NS's down to a single source
> internally.
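Added example, not from Todd's or Bob's messages: a constructed BIND 4.9-style named.boot for an internal server behind a firewall that blocks direct outbound DNS. It shows the stock forwarding behaviour Bob is wrestling with: zones listed as primary are answered locally, and everything else is sent to the forwarders. Zone names, file names and addresses are placeholders; the syntax of the contrib 'noforward' patch itself is not shown here.

```text
; Constructed named.boot (BIND 4.9 syntax) for an internal name server.
; All zone names, file names and IP addresses are placeholders.
directory       /etc/namedb

; Zones this server is authoritative for are answered locally and are
; never sent to the forwarders.
primary         corp.example            corp.example.db
primary         0.168.192.in-addr.arpa  192.168.0.rev

; Internal root hints: the real roots are unreachable through the
; firewall, so point the cache at the internal root server instead.
cache           .                       internal-root.cache

; Every query this server is not authoritative for (and has not cached)
; goes to these hosts, which are the only machines the firewall allows
; to talk DNS to the outside. 'forward-only' stops the server from
; falling back to iterative resolution if the forwarders do not answer,
; so outbound lookups are choked down to this single path.
forwarders      192.0.2.53 192.0.2.54
options         forward-only
```

With this configuration every non-authoritative lookup, internal or external, is handed to the two forwarders; that is the 'all or nothing' behaviour the thread refers to, and the reason an internal-only domain hosted on some other internal server cannot be reached unless that server is itself behind the forwarders. When verifying the firewall side, confirm that the rule set permits UDP and TCP port 53 outbound only from the forwarder hosts, so an internal server that loses its forwarders fails closed rather than bypassing the intended choke point.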