DNS Question
Nathaniel Hall
halln at otc.edu
Fri Dec 17 22:34:01 UTC 2004
That is what I thought. This is a want from my boss, but not something
that has to happen now. I appreciate everyone's help.
Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
halln at otc.edu
417-447-7535
Bill Gradwohl wrote:
> Nathaniel Hall wrote:
>
>> Our DNS resolves domain.com. I have system1.domain.com correctly
>> resolving using the DMZ DNS.
>> The ISP DNS also resolves system1.domain.com for users outside the
>> firewalls. In addition to system1, system2.domain.com resolves on
>> the ISP DNS from the outside.
>>
>> If I am on the inside and try to resolve system2.domain.com, it
>> doesn't get resolved because it is not setup in the DMZ DNS. I want
>> to be able to resolve system2.domain.com by passing the query from
>> the DMZ DNS to the ISP DNS.
>>
> When you set up DNS, you declare that it is authoritative for the
> domain. That's the basic premise. Then when you ask it to resolve
> something associated with the domain, it knows it's authoritative for
> the domain and therefore doesn't have to ask anyone else for anything.
> It is THE authoritative reference. That's the problem you face. You
> have declared on the one hand that your DNS server is authoritative,
> and then on the other hand you say it isn't authoritative. You can't
> have it both ways to the best of my knowledge.
>
> Maybe what you should do is what we do. Internally, we run a bogus
> domain to resolve internal boxes - private.ycc. Then when we ask for
> www.ycc.com (our public real domain is ycc.com) our internal DNS knows
> it's not authoritative for that domain and asks the DNS servers we have
> at our ISP that are authoritative for the ycc.com domain to resolve
> the addresses. All our internal boxes are told they are part of the
> "private.ycc" domain and therefore there are no conflicts.
>
> You may also want to look into split horizon DNS where depending on
> who is asking for name resolution the DNS server gives out different
> answers, usually either a private or public IP address. BIND 9 has it,
> but it's messy to set up. DJBDNS is easier to set up but doesn't have
> very many followers. The different "zone" files don't have to have
> identical named elements, so maybe that can solve your problem as well.
>
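The split-horizon setup Bill describes, written out as an added example; this is not from the original thread and was not posted by either participant. It is a BIND 9 named.conf with two views and the two zone files they load. The host names are the ones in the thread (system1 and system2 under domain.com); every address, file path, and the ISP resolver address are assumptions. The point it makes concrete is the one Bill raises: inside a view where the server is master for domain.com, a name missing from that zone gets NXDOMAIN, and the view's forwarders are only consulted for names outside the zones it is authoritative for. So system2 has to be added to the internal copy of the zone; it cannot be "passed through" to the ISP.

```conf
// /etc/named.conf  (BIND 9; constructed example, addresses and paths are assumed)

// Who counts as "inside": the campus ranges plus the server itself (assumed ranges).
acl "inside" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    allow-transfer { none; };      // no zone transfers to anyone unless a view says otherwise
};

// View 1: answers for queries that arrive from inside the firewall.
view "internal" {
    match-clients { inside; };
    recursion yes;                 // inside clients may use this server as their resolver
    allow-recursion { inside; };
    // Names this view is NOT authoritative for are sent to the ISP resolver (assumed address).
    // This never applies to domain.com here: the view is master for it, so a name that is
    // absent from internal/domain.com.zone is answered NXDOMAIN, not looked up at the ISP.
    forwarders { 198.51.100.53; };

    zone "domain.com" {
        type master;
        file "internal/domain.com.zone";
    };
};

// View 2: answers for everyone else. Public addresses only, no recursion for strangers.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };

    zone "domain.com" {
        type master;
        file "external/domain.com.zone";
    };
};

; /var/named/internal/domain.com.zone  (the copy inside clients see; private addresses assumed)
$TTL 3600
@        IN SOA   ns1.domain.com. hostmaster.domain.com. (
                  2004121701 ; serial
                  3600       ; refresh
                  900        ; retry
                  1209600    ; expire
                  3600 )     ; negative-answer TTL
         IN NS    ns1.domain.com.
ns1      IN A     192.168.10.53
system1  IN A     192.168.10.10
system2  IN A     192.168.10.11   ; must be listed: an authoritative view never forwards a missing name

; /var/named/external/domain.com.zone  (the copy the Internet sees; public addresses assumed)
$TTL 3600
@        IN SOA   ns1.domain.com. hostmaster.domain.com. (
                  2004121701 ; serial
                  3600 900 1209600 3600 )
         IN NS    ns1.domain.com.
ns1      IN A     203.0.113.53
system1  IN A     203.0.113.10
system2  IN A     203.0.113.11
```

Check the files with `named-checkconf` and `named-checkzone domain.com /var/named/internal/domain.com.zone` before reloading, then query the server from an inside host and from outside (`dig @<dmz-dns> system2.domain.com A`) and confirm each side gets its own view's address. If the DMZ server is only ever reachable from inside, the external view can be dropped and the ISP's zone left as the sole public copy; the trade-off of split horizon is that every public name inside clients need must be kept in sync in both copies, which is the maintenance cost Bill's alternative (a separate internal-only domain plus forwarders) avoids.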
More information about the fedora-list mailing list