At 16:59 31/12/1996 -0500, R. McMahon wrote:
>Background:
>I am looking at setting up a DNS proxy using "forwarders" and "slave"
>lines in my /etc/named.boot file as described in the "Building
>Firewalls" and "DNS and BIND" books by O'Reilly. However, I want to do
>this where I can maintain an internal root name server. For resolution
>of domain names outside the internal top-level domains, I would like the
>proxy name server (which will have an "external" domain name) to be the
>only name server queried by the internal root name server, and to have
>this proxy be the only host to query external name servers. (I would
>set up UDP port 53 filtering on the router.)
>
>Problem:
>One problem I thought of concerns the mitigation between the internal
>root name server and the forwarders/slave lines. If a subordinate
>domain name server queries the root name server for an "outside" domain,
>how would it know to forward the query to the proxy (being that it is an
>internal root name server)? I could have my subordinate top-level
>domain name servers query the proxy directly by putting a forwarders line
>in its /etc/named.boot; however, this would bypass the internal root
>structure. It seems to be straightforward w/o an internal root name
>server; however, I need to maintain these root name servers. Can anyone
>help?
>
>Thanks,
>
>rwm
>
The problem with an internal root server is that it won't take any account
of your forwarders & slave options because it is said to be a root server.
The only solution I can think of is adding the noforward patch to the named
daemons of the first-level name servers you have under your root server.
You just have to specify all the domains known by your internal root
nameserver so that your lower-level nameserver would query it but would
forward to your proxy for everything else.
Hope this helps
Jean-Francois
PS: the noforward patch is available for BIND on ftp.vix.com (but I can't
remember the path...)
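The split described in the reply above (lower-level servers recurse through the internal root for the internal namespace and forward everything else to the proxy) can be expressed without a patch in later BIND releases. The following is an added example, not a file from the original thread, and it uses BIND 9 named.conf syntax rather than the BIND 4 named.boot / noforward patch the thread discusses. The proxy address, the internal top-level names "corp" and "lab", the reverse zone and the file names are all assumptions for illustration.

```conf
// Added example (not from the original thread): BIND 9 named.conf for a
// first-level internal name server sitting under an internal root.
// All names, addresses and file names below are assumed for illustration.

options {
    directory "/var/named";
    recursion yes;

    // Default policy: anything not covered by a more specific zone below
    // is sent to the DNS proxy. "forward only" means named never falls
    // back to the root hints for those names, so only the proxy ever
    // talks to the outside (the router then only needs to pass port 53
    // for the proxy host).
    forwarders { 192.0.2.53; };   // assumed address of the proxy
    forward only;
};

// Root hints point at the INTERNAL root servers, not the Internet roots.
zone "." {
    type hint;
    file "internal.root.hints";
};

// An internal top-level domain this server is authoritative for.
zone "corp" {
    type master;
    file "corp.db";
};

// The other internal top-level domains are "known by the internal root":
// a forward zone with an EMPTY forwarders list switches forwarding OFF for
// that subtree, so queries under it recurse normally via the internal root
// hints above instead of going to the proxy. Repeat one such zone per
// internal top-level domain the internal root delegates.
zone "lab" {
    type forward;
    forwarders { };
};

// Reverse lookups for internal address space must be listed the same way,
// or PTR queries for internal hosts leak to the proxy.
zone "10.in-addr.arpa" {
    type forward;
    forwarders { };
};
```

Check the file with `named-checkconf` before loading it, and verify the behaviour with two queries against this server: a name under "lab" should be answered via the internal root (look for the internal root and the "lab" delegation in `dig +trace` output), while an external name should appear only in the proxy's query log and never in the router's port 53 logs for this host.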