mitch at metauser.net
Fri Sep 23 22:08:42 MDT 2005
Michael Torrie wrote:
> On Fri, 2005-09-23 at 16:28 -0600, Andy Bradford wrote:
> Well like I said, our architecture disallows split-horizon since the DNS
> for the inside cannot be in the DMZ, where it would have to be to serve
> the outside. BIND9 does fine at split-horizon if we needed that.
For our DNS setup... I use a mix of split-horizon and a hidden master
DNS server. For security reasons I don't have the master name server
visible externally (it sits on its own network off the core network). As an
example, I have a name server (we'll call it ns.domain.com). This is
the master name server and also is a split-horizon name server, set up to
allow all internal clients to see the "internal" view of my zones. I
have two external DNS servers (ns1 and ns2.domain.com), that are set up
as slaves for my external views of my zones in our DMZ. I also have one
other internal DNS server (in-ns3.domain.com) that is a slave for the
internal zones. It makes management of zone data a breeze because I
only ever have to go to one server to make any updates or changes. With
the added security of no one externally allowed access to my master name
server... any exploits to DNS will be overwritten in 8 - 12 hours
depending on the TTL of the zone, regardless of whether I know about it or not.
This setup could be easily achieved with Bind9 or djbdns.
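The hidden-master plus split-view layout described above, written out as a BIND9 configuration sketch. This is an added illustration, not the poster's own files; the addresses (hidden master 203.0.113.10, DMZ slaves 192.0.2.1/.2, internal slave 10.0.0.3, internal clients 10.0.0.0/8) and file paths are assumed placeholders.

```conf
// Added illustration of the layout in the post above; not the poster's real config.
// Assumed placeholders: hidden master ns.domain.com = 203.0.113.10,
// DMZ slaves ns1/ns2 = 192.0.2.1/.2, internal slave in-ns3 = 10.0.0.3, inside = 10.0.0.0/8.

// ---- named.conf on the hidden master (ns.domain.com) ----
acl internal   { 10.0.0.0/8; 127.0.0.1; };
acl ext_slaves { 192.0.2.1; 192.0.2.2; };

options {
    directory "/var/named";
    // Only inside hosts and the two DMZ slaves may talk to this box at all;
    // it is never listed in the public NS records, so the world has no reason to.
    allow-query    { internal; ext_slaves; };
    allow-transfer { none; };          // opened per zone below
};

view "internal" {
    match-clients { internal; };       // checked first: every inside client lands here
    recursion yes;
    zone "domain.com" {
        type master;
        file "internal/domain.com.zone";
        allow-transfer { 10.0.0.3; };   // in-ns3 only
        also-notify    { 10.0.0.3; };
    };
};

view "external" {
    match-clients { ext_slaves; };     // only ns1/ns2 ever see the external data
    recursion no;
    zone "domain.com" {
        type master;
        file "external/domain.com.zone";
        allow-transfer { ext_slaves; };
        also-notify    { 192.0.2.1; 192.0.2.2; };
    };
};

// ---- named.conf on a DMZ slave (ns1.domain.com), the server the world sees ----
options {
    directory "/var/named";
    recursion no;                      // authoritative only
    allow-transfer { none; };          // nobody pulls zones from the public face
};
zone "domain.com" {
    type slave;
    masters      { 203.0.113.10; };    // hidden master, reachable from the DMZ only
    allow-notify { 203.0.113.10; };    // accept NOTIFY from the master alone
    file "slaves/domain.com.zone";
};
```

The refresh interval and TTL that bound how long a tampered slave copy survives are set in each zone file's SOA record, not in named.conf.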