Can I use views to separate my recursive name server and authoritative name servers?
> We have the need to have forwarders due to a large number of non-RFC1918
> conforming IP addresses that are going away but not quickly enough. That
> aside, and probably another question altogether, we have the following
> general setup. We have multiple internal name servers that
> forward queries to DNS servers that sit in the external space. These external
> servers also act as external name servers for a number of our domains.
>
> I understand that it is advisable to have separate DNS servers for your
> external primaries and for recursive internals for both performance and
> security reasons. Are views an adequate mechanism to provide this
> separation or would it be suggested to have other BIND servers doing this?

Views should work fine for this application. You'll want to have at
least two views, one that your internal name servers that forward
queries to your external name servers are in, which allows recursive
queries. The other view would apply to all other queriers and not
permit recursive queries. You should also make sure you have strong
anti-spoofing rules in place on your external routers or firewall,
since you'll be determining whether or not to do recursion according
to source IP address.

> On a side note, I am happy to hear that you are teaching the DNS courses
> again. I think I went to one of the last ones before Acme Byte & Wire was
> bought. The other admins here wanted to go to one of your courses and now
> they will have the chance again.

Thanks, Kurt! I'll look forward to seeing some Gateway folks at a
future class!

cricket
Men & Mice
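
The two-view layout described in the reply above, sketched as a named.conf fragment. This is an added example, not configuration from the original message; the addresses (RFC 5737 documentation range), ACL name, zone name and file names are constructed placeholders.

```conf
// Added example: constructed values throughout, substitute your own.

// Source addresses of the internal name servers that forward to this host.
acl "internal-forwarders" {
    192.0.2.10;     // internal name server 1 (placeholder)
    192.0.2.11;     // internal name server 2 (placeholder)
};

options {
    directory "/var/named";   // placeholder path
    recursion no;             // off by default; enabled only in one view
};

// Views are evaluated in the order listed and the first match wins,
// so the restrictive match-clients list must come before "any".
view "internal-forwarders" {
    match-clients   { "internal-forwarders"; };
    recursion       yes;
    allow-recursion { "internal-forwarders"; };
    allow-query     { "internal-forwarders"; };

    // Once any view is defined, every zone has to live inside a view.
    zone "example.com" {
        type master;
        file "db.example.com";
    };
};

// Everyone else: authoritative answers only, no recursion, no cache access.
view "external" {
    match-clients     { any; };
    recursion         no;
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "db.example.com";
    };
};
```

The view is chosen purely from the packet's source address, so the recursive view is only as trustworthy as the anti-spoofing filtering on the external routers or firewall. Run `named-checkconf` against the file before reloading.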
