In message <32CC5118.5FB8@csc.com>, Adam Safier writes:
>I'm missing something in this DNS discussion. Don't make the internal
>"root" a root, make it your "main" DNS server with a limited cache
>file. You set the "main" internal DNS server to act as a recursive
>resolver for all internal DNS servers.
Here's the problem: BIND does forwarder lookups before doing cache lookups.
Therefore, unless the "main" internal DNS server is also a secondary for ALL
internal zones, the internal zones will be sent to the external resolver for
resolution.
With some firewalls, the external resolver can be configured as a 'hidden'
secondary of the internal top level domain and thus provide recursive
resolution. However, that exposes the internal domain to the Internet (albeit
only to a knowledgeable invader) and may not be appropriate for some
companies.
In addition, with firewalls that provide automatic split DNS services, that
option may not be available since they would not make the internal network
accessible from the external firewall.
We are looking at a solution similar to the one posted earlier where the
order of resolution is changed in the BIND code: instead of resolution being
performed in the order
1) authoritative,
2) forwarded and
3) cached,
we believe that it may be useful to perform it in the order
1) authoritative,
2) cached, and
3) forwarded
in the case of firewalled environments.
David Smith
--
//==========================================================\\
|| David T. Smith              | Specialists in           ||
|| Tucker Network Technologies | Network Computing        ||
|| 50 Washington St., PO 429   | --------------------     ||
|| South Norwalk, CT 06856     | dsmith@tuckernet.com     ||
\\==========================================================//
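A small model of the lookup-order problem discussed in this message, added here as an example and not code from the thread or from BIND: it simulates a "main" internal server that is not secondary for the internal zone but holds the answer in a pre-loaded cache, and records which internal names are sent to the external forwarder under the stock order versus the proposed one. The zone names, addresses and the EXTERNAL table are constructed.

```python
# Added example: a toy model of BIND-style lookup ordering on a split-DNS
# "main" internal server. Zone names, addresses and the external table are
# constructed for illustration and are not real infrastructure.
from dataclasses import dataclass, field

# What the external (firewall-side) forwarder knows: public names only.
EXTERNAL = {"www.example.net": "203.0.113.10"}

@dataclass
class Resolver:
    authoritative: dict                                      # zone -> {name: address}
    cache: dict = field(default_factory=dict)                # pre-loaded "cache file" entries
    order: tuple = ("authoritative", "forwarded", "cached")  # stock order described above
    forwarded: list = field(default_factory=list)            # every name sent outside

    def resolve(self, name):
        for step in self.order:
            if step == "authoritative":
                for zone, records in self.authoritative.items():
                    if name == zone or name.endswith("." + zone):
                        return records.get(name, "NXDOMAIN")
            elif step == "cached" and name in self.cache:
                return self.cache[name]
            elif step == "forwarded":
                # The name goes to the forwarder whether or not the cache holds it.
                self.forwarded.append(name)
                answer = EXTERNAL.get(name, "NXDOMAIN")
                self.cache[name] = answer
                return answer
        return "SERVFAIL"

def run(order, secondary_for_internal=False):
    """Resolve one internal and one public name; return answers and leaked internal names."""
    internal = {"fileserver.corp.example": "10.0.0.5"}
    auth = {"corp.example": dict(internal)} if secondary_for_internal else {}
    r = Resolver(authoritative=auth, cache=dict(internal), order=order)
    answers = {n: r.resolve(n) for n in ("fileserver.corp.example", "www.example.net")}
    leaked = [n for n in r.forwarded if n.endswith(".corp.example")]
    return answers, leaked

if __name__ == "__main__":
    for order in (("authoritative", "forwarded", "cached"),
                  ("authoritative", "cached", "forwarded")):
        print(order, run(order))
```

With the stock order the internal name leaks to the forwarder and comes back NXDOMAIN; with the proposed order, or with the main server made secondary for the internal zone, nothing internal leaves the network.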