>>Problem:
>>One problem I thought of concerns the mitigation between the internal
>>root name server and the forwarders/slave lines. If a subordinate
>>domain name server queries the root name server for an "outside" domain,
>>how would it know to forward the query to the proxy (being that it is an
>>internal root name server)? I could have my subordinate top-level
>>domain name servers query the proxy directly by putting a forwarders line
>>in its /etc/named.boot, however, this would bypass the internal root
>>structure. It seems to be straightforward w/o an internal root name
>>server, however, I need to maintain these root name servers. Can anyone
>>help?
>The problem with an internal root server is that it won't take any account
>of your forwarders & slave options because it is said to be a root server.
>The only solution I can think of is adding the noforward patch in the named
>daemons of the first level name servers you have under your root server.
>You just have to specify all the domains known by your internal root
>nameserver so that your lower level nameserver would query it but would
>forward to your proxy for everything else.
The solution to both of these issues is to have a host running as your
internal *root* nameserver, and NOTHING else. The root only needs to
have references to hosts that are authoritative for the domain(s); they
do not need to be, and should not be, nameservers for a domain. This way
your internal servers will believe that they are authoritative for the
domain, but still forward unresolvable queries to the *forwarders* host.
The forwarders host should be the *firewall* running as a primary,
secondary, or caching server (if your upstream provider is
authoritative for your zone) with a true root.db to resolve external
hosts.
This works quite well, as I have been doing it for almost a year without
problems.
Rick
________________________________________________
Rick Hicks
Systems Specialist
Hussmann Corporation
rhicks @ hussmann . com
http://www.hussmann.com
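As an added illustration of the three-host layout Rick describes (these are not configuration files from this thread or from Hussmann), the fragments below use BIND 4 named.boot syntax and constructed names and addresses: corp.example and lab.example as internal domains, RFC 5737 addresses 192.0.2.x, and 192.0.2.254 as the firewall. Making the firewall a secondary for each internal zone is my assumption, added because of the forwarding caveat noted after the block.

```conf
; ===== Host 1: the internal root nameserver (runs nothing else) =====
; /etc/named.boot
directory /etc/namedb
primary   .   root.db
; deliberately NOT primary or secondary for any delegated zone

; /etc/namedb/root.db -- the internal root zone: delegations (references) only
$ORIGIN .
@   IN SOA  internal-root.corp.example. hostmaster.corp.example. (
            1 3600 900 604800 86400 )
    IN NS   internal-root.corp.example.
internal-root.corp.example.  IN A   192.0.2.1
; one NS (plus glue A) per internal domain, pointing at its authoritative host
corp.example.                IN NS  ns1.corp.example.
ns1.corp.example.            IN A   192.0.2.10
lab.example.                 IN NS  ns1.lab.example.
ns1.lab.example.             IN A   192.0.2.20

; ===== Host 2: an internal authoritative server, ns1.corp.example =====
; /etc/named.boot
directory  /etc/namedb
primary    corp.example   corp.example.db   ; authoritative for its own zone
cache      .              root.cache        ; hint file names the INTERNAL root
forwarders 192.0.2.254                      ; unresolvable queries go to the firewall

; /etc/namedb/root.cache -- hint for the internal root, not the Internet roots
.                            3600000 IN NS  internal-root.corp.example.
internal-root.corp.example.  3600000 IN A   192.0.2.1

; ===== Host 3: the firewall, i.e. the "forwarders host" (192.0.2.254) =====
; /etc/named.boot
directory  /etc/namedb
; secondary for the internal zones so it can answer them when they are forwarded to it
secondary  corp.example  192.0.2.10  corp.example.db.bak
secondary  lab.example   192.0.2.20  lab.example.db.bak
cache      .             root.cache   ; the REAL Internet root hints (Rick's "true root.db")
```

Caveat worth checking before relying on this: in BIND 4 a `forwarders` line makes the server send every non-authoritative query to the forwarder first and only fall back to its own `cache` hints (here the internal root) if the forwarder does not answer at all; a negative answer from the firewall is final. That is why the firewall above is also secondary for the internal zones, so a query from ns1.corp.example for a name under lab.example is answered by the firewall rather than returned as non-existent. If the `slave` directive (forward-only) is added, the fallback to the internal root never happens, so the firewall must then hold or resolve every internal zone.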