BIND problem

Mitch Anderson mitch at metauser.net
Fri Sep 23 22:08:42 MDT 2005


Michael Torrie wrote:
> On Fri, 2005-09-23 at 16:28 -0600, Andy Bradford wrote:
> Well like I said, our architecture disallows split-horizon since the DNS
> for the inside cannot be in the DMZ, where it would have to be to serve
> the outside.  BIND9 does fine at split-horizon if we needed that.
> 

For our DNS setup... I use a mix of split-horizon and a hidden master 
DNS server.  For security reasons I don't have the master name server 
visible externally (it sits on its own network off the core network).  As an 
example, I have a name server (we'll call it ns.domain.com).  This is 
the master name server and also a split-horizon name server, set up to 
allow all internal clients to see the "internal" view of my zones.  I 
have two external DNS servers (ns1 and ns2 .domain.com), that are set up 
as slaves for my external views of my zones in our DMZ.  I also have one 
other internal DNS server (in-ns3.domain.com) that is a slave for the 
internal zones.  It makes management of zone data a breeze because I 
only ever have to go to one server to make any updates or changes.  With 
the added security of no one externally allowed access to my master name 
server... any exploits to DNS will be overwritten in 8 - 12 hours 
depending on the TTL of the zone, regardless of whether I know about it or not.

This setup could be easily achieved with BIND9 or djbdns.

Mitch
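An added illustration of the hidden-master-plus-views layout the post describes, as a BIND 9 named.conf sketch (this is not Mitch's configuration; it is written from his description). Host names follow the post; the addresses, ACL names and zone file paths are constructed placeholders (RFC 5737 / RFC 1918 ranges) and are assumptions.

```conf
// ---- /etc/named.conf on ns.domain.com: hidden master with two views ----
// Constructed addresses: 10.0.0.0/8 = internal nets, 10.0.0.53 = this host,
// 10.1.0.53 = in-ns3.domain.com, 192.0.2.10/.11 = ns1/ns2.domain.com (DMZ).

acl "internal_nets"  { 10.0.0.0/8; 127.0.0.1; };
acl "dmz_slaves"     { 192.0.2.10; 192.0.2.11; };
acl "internal_slave" { 10.1.0.53; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };      // internal address only; nothing public points here
    recursion no;                  // authoritative-only server
    notify explicit;               // send NOTIFY only to hosts in also-notify
    allow-transfer { none; };      // default deny; each zone opens it to its slaves
};

// Views are matched in order: internal clients hit this view first.
view "internal" {
    match-clients { internal_nets; };
    zone "domain.com" {
        type master;
        file "internal/domain.com.zone";
        allow-transfer { internal_slave; };
        also-notify { 10.1.0.53; };
    };
};

// Everything else (in practice only the DMZ slaves, via a firewall rule)
// gets the external view and the public copy of the zone.
view "external" {
    match-clients { any; };
    zone "domain.com" {
        type master;
        file "external/domain.com.zone";
        allow-transfer { dmz_slaves; };
        also-notify { 192.0.2.10; 192.0.2.11; };
    };
};

// ---- /etc/named.conf on ns1.domain.com and ns2.domain.com (DMZ slaves) ----
// Shown as comments because it is a separate file on a different host.
// options { recursion no; allow-transfer { none; }; };
// zone "domain.com" {
//     type slave;
//     masters { 10.0.0.53; };                 // the hidden master
//     file "slaves/domain.com.external";
// };
```

Two checks worth running after a change: `named-checkconf -z` on the master to validate the file and every zone it loads, and `dig +short @ns1.domain.com domain.com SOA` compared against the master's serial to confirm the DMZ slaves have picked up the transfer. Keep the SOA MNAME and the NS records in the external zone pointing at ns1/ns2 rather than at the hidden master, so the public zone data never advertises the host that is meant to stay unreachable from outside.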
