Great Circle Associates Firewalls
(January 1997)
 


Subject: Re: DNS Proxy and Internal Root Name Server
From: Adam Safier <asafier@csc.com>
Organization: Computer Sciences Corp.
Date: Thu, 02 Jan 1997 16:21:44 -0800
To: Firewalls@GreatCircle.COM
References: <199701020900.BAA15175@miles.greatcircle.com>
Reply-to: asafier@csc.com

I'm missing something in this DNS discussion.  Don't make the internal
"root" a root, make it your "main" DNS server with a limited cache
file.  You set the "main" internal DNS server to act as a recursive
resolver for all internal DNS servers. Point it only to the external DNS
server which can also act as a recursive resolver.  All internal DNS
servers point to the internal "main" server only using forwarder/slave
lines.  External queries are recursively resolved by your "main" DNS
server which can pass through the firewall and has forwarder/slave lines
pointing to the external DNS server. The answers are received by the
external server, forwarded to the "main" server and then forwarded to
internal slave DNS servers or actual workstations. There is no need for
the other internal DNS servers to see your proxy or external DNS server.

Internet---DNS external recursive resolver----FW----DNS main recursive resolver
                                                              |
                                           Other DNS servers only point to
                                           DNS main and use recursive queries.

(P31, 143 in O'Reilly)

Adam

JF wrote:

> Date: Thu, 02 Jan 1997 09:03:03 +0100
> From: Jean-Francois ZWOBADA <zwobada@apogee-com.fr>
> Subject: Re: DNS Proxy and Internal Root Name Server
> 
> At 16:59 31/12/1996 -0500, R. McMahon wrote:
> >Background:
> >I am looking at setting up a DNS proxy using "forwarders" and "slave"
> >lines in my /etc/named.boot file as described in the "Building
> >Firewalls" and "DNS and BIND" books by O'Reilly.  However, I want to do
> >this where I can maintain an internal Root name server.  For resolution
> >of domain names outside the internal top-level domains, I would like the
> >proxy name server (which will have an "external" domain name) be the
> >only name server queried by the internal root name server and having
> >this proxy be the only host to query external name servers.  (I would
> >set up UDP port 53 filtering on the router.)
> >
> >Problem:
> >One problem I thought of concerns the mitigation between the internal
> >root name server and the forwarders/slave lines.  If a subordinate
> >domain name server queries the root name server for an "outside" domain,
> >how would it know to forward the query to the proxy (being that it is a
> >internal root name server)?  I could have my subordinate top-level
> >domain name servers query the proxy directly by putting a forwarders line
> >in its /etc/named.boot, however, this would bypass the internal root
> >structure.  It seems to be straightforward w/o an internal root name
> >server, however, I need to maintain these root name servers.  Can anyone
> >help?
> >
> >Thanks,
> >
> >rwm
> >
> The problem with an internal root server is that it won't take any account
> of your forwarders & slave options because it is said to be a root server.
> The only solution I think of is adding the noforward patch in the named
> daemons of the first level name servers you have under your root server.
> You just have to specify all the domains known by your internal root nameserver
> so that your lower level nameserver would query it but would forward to your
> proxy for everything else.
> 
> Hope this helps
> 
> Jean-Francois
> 
> PS: the noforward patch is available for BIND on ftp.vix.com (but I can't
> remember the path...)

-- 
Adam Safier                  asafier@csc.com          http://www.csc.com
CSC-SED-Infosec              (301) 794-1349           (301) 552-3272 (fax)

Technology Abuse: 1) Netscape Frames on a 14" screen.
                  2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.

The above are my own opinions.
I'm proud to live in a country where I'm free to express them!
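The layout Adam describes, written out as BIND 4 /etc/named.boot files. This is an added example, not configuration from the post or from the O'Reilly books; the zone names, file names and addresses (192.0.2.53 for the external resolver, 192.168.1.x for the inside) are constructed, and making the "main" server a secondary for the subordinate internal zones is one assumed way of letting it answer for internal names that the external resolver can never see.

```text
; ---- /etc/named.boot on the external recursive resolver (DMZ side of the FW) ----
; Ordinary recursive server: real root hints, no forwarders, no "slave".
; This is the only host that ever talks to Internet name servers.
directory   /etc/namedb
primary     example.com               db.example.com      ; public zone only
primary     0.0.127.in-addr.arpa      db.127.0.0
cache       .                         db.cache            ; genuine root hints

; ---- /etc/named.boot on the internal "main" DNS server (inside the FW) ----
; Authoritative for the internal zones (here as master for corp.example and
; as secondary for the delegated eng.corp.example zone, copied from 192.168.1.20),
; so internal names are answered locally and never forwarded outside.
directory   /etc/namedb
primary     corp.example              db.corp.example
primary     1.168.192.in-addr.arpa    db.192.168.1
primary     0.0.127.in-addr.arpa      db.127.0.0
secondary   eng.corp.example  192.168.1.20  db.eng.corp.example.bak
; A cache file must still be named, but it is the "limited" one Adam mentions:
; with "slave" below this server never iterates, so real root hints are unnecessary.
cache       .                         db.cache.limited
; Everything else goes only to the external resolver; "slave" (forward-only)
; means no fallback to iterating from the root if the forwarder fails.
forwarders  192.0.2.53
slave

; ---- /etc/named.boot on any other internal DNS server (e.g. the eng server) ----
; Serves its own zone and forwards every other query to "main" only;
; it has no route to, and no knowledge of, the DMZ resolver.
directory   /etc/namedb
primary     eng.corp.example          db.eng.corp.example
primary     0.0.127.in-addr.arpa      db.127.0.0
cache       .                         db.cache.limited
forwarders  192.168.1.53
slave
```

With this arrangement the only port-53 traffic the firewall or router has to permit is between 192.168.1.53 and 192.0.2.53 (UDP and TCP, since large answers and zone transfers fall back to TCP); every other internal server is covered by the forwarder chain. The `slave` line is what prevents an internal server from trying the Internet root servers itself when its forwarder is down; in the BIND 8/9 named.conf syntax the same two lines become `options { forward only; forwarders { 192.0.2.53; }; };`.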


