DNS Question

Nathaniel Hall halln at otc.edu
Fri Dec 17 22:34:01 UTC 2004


That is what I thought.  This is a want from my boss, but not something 
that has to happen now.  I appreciate everyone's help.

Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking

halln at otc.edu
417-447-7535



Bill Gradwohl wrote:

> Nathaniel Hall wrote:
>
>> Our DNS resolves domain.com.  I have system1.domain.com correctly 
>> resolving using the DMZ DNS.
>> The ISP DNS also resolves system1.domain.com for users outside the 
>> firewalls.  In addition to system1, system2.domain.com resolves on 
>> the ISP DNS from the outside.
>>
>> If I am on the inside and try to resolve system2.domain.com, it 
>> doesn't get resolved because it is not set up in the DMZ DNS.  I want 
>> to be able to resolve system2.domain.com by passing the query from 
>> the DMZ DNS to the ISP DNS.
>>
> When you set up DNS, you declare that it is authoritative for the 
> domain. That's the basic premise. Then when you ask it to resolve 
> something associated with the domain, it knows it's authoritative for 
> the domain and therefore doesn't have to ask anyone else for anything. 
> It is THE authoritative reference. That's the problem you face. You 
> have declared on the one hand that your DNS server is authoritative, 
> and then on the other hand you say it isn't authoritative. You can't 
> have it both ways to the best of my knowledge.
>
> Maybe what you should do is what we do. Internally, we run a bogus 
> domain to resolve internal boxes - private.ycc. Then when we ask for 
> www.ycc.com (our public real domain is ycc.com) our internal DNS knows 
> it's not authoritative for that domain and asks the DNS servers we have 
> at our ISP that are authoritative for the ycc.com domain to resolve 
> the addresses. All our internal boxes are told they are part of the 
> "private.ycc" domain and therefore there are no conflicts.
>
> You may also want to look into split horizon DNS where depending on 
> who is asking for name resolution the DNS server gives out different 
> answers, usually either a private or public IP address. BIND 9 has it, 
> but it's messy to set up. DJBDNS is easier to set up but doesn't have 
> very many followers. The different "zone" files don't have to have 
> identical named elements, so maybe that can solve your problem as well.
>
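A split-horizon layout of the kind Bill describes, written as an added example for this thread rather than anything posted by either author: a BIND 9 named.conf fragment with two views, followed by the two zone files they load. The internal zone carries system1's private address and a copy of system2's public address, so inside clients resolve both without the DMZ server forwarding anything; the external zone carries public addresses only. Every address, file path and serial here is a constructed placeholder (RFC 1918 and documentation ranges), and the directory layout is an assumption.

```conf
// ---- /etc/named.conf (fragment; added example, paths and addresses constructed) ----
acl "inside" { 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
};

// Internal clients get this view: recursion allowed, private addresses served.
view "internal" {
    match-clients { inside; };
    recursion yes;
    zone "domain.com" {
        type master;
        file "internal/domain.com.zone";
    };
};

// Everyone else gets this view: no recursion (not an open resolver),
// and only the public addresses are ever handed out.
view "external" {
    match-clients { any; };
    recursion no;
    zone "domain.com" {
        type master;
        file "external/domain.com.zone";
    };
};

; ---- /var/named/internal/domain.com.zone ----
$TTL 3600
@        IN SOA  ns1.domain.com. hostmaster.domain.com. ( 2004121701 3600 900 604800 300 )
         IN NS   ns1.domain.com.
ns1      IN A    192.168.1.2
system1  IN A    192.168.1.10   ; private address, only meaningful inside
system2  IN A    203.0.113.20   ; same public address the ISP zone publishes

; ---- /var/named/external/domain.com.zone ----
$TTL 3600
@        IN SOA  ns1.domain.com. hostmaster.domain.com. ( 2004121701 3600 900 604800 300 )
         IN NS   ns1.domain.com.
ns1      IN A    203.0.113.2
system1  IN A    203.0.113.10   ; public (NAT) address, no private data leaks out
system2  IN A    203.0.113.20
```

After loading, `dig @dmz-dns system2.domain.com` from an inside host and from outside should both answer, while `dig @dmz-dns system1.domain.com` returns the private address only when the query arrives from a client matching the "inside" ACL.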