> On 1/3/22 12:15 AM, Borja Marcos wrote:
>> If you separate the roles it is much simpler to implement
>> effective access control.
On 03.01.22 10:35, Grant Taylor via bind-users wrote:
> The problem I have with separating recursive and authoritative servers
> has to do with internal LANs and things like Microsoft Active
> Directory on non-globally-recognized domains.
> In short, how do you get a /purely/ /recursive/ server to know that
> internal-corp-lan.example (or any domain not in the global DNS
> hierarchy) is served by some other /purely/ /authoritative/ DNS server
> inside the company?
You configure your recursive server with internal-corp-lan.example as type
forward or static-stub pointing to your authoritative server.
However, the "purely recursive" and "purely authoritative" split is not
designed to cover domains like "internal-corp-lan.example",
but domains like "example.com" that have to be visible to clients from around the world.
> I feel like anything you do to the /purely/ /recursive/ DNS server to
> get it to know that it needs to route based on the DNS domain
> information slides away from the /purely/ /recursive/ role to somewhat
> /mixed/ /recursive/ & /authoritative/ role.
This is to prevent recursive servers from serving domains to the public.
In these cases I recommend setting up purely authoritative servers for
"example.com", accessible from the internet, and a "purely recursive"
server accessible from your LAN, even if it would fetch the "example.com" domain
from your public authoritative servers.
Just don't point the NS record for "example.com" to this server, as it's designed
as an internal recursive server.
> This niche role is the one nagging thing that I have that prevents me
> from supporting and proselytizing the role separation anywhere and
> everywhere. -- I've been looking for, but have not yet found, what I
> consider to be a good method that maintains strict separation of roles
> in this niche use case.
> Note: I'm completely on board with the separate roles for public /
> Internet facing servers.
Then you should understand the need for separation of roles well.
It's just that "recursive only" and "authoritative only" have a slightly different
meaning, as I tried to explain above.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do NOT want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
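As an added illustration of the setup Matus describes (this is not configuration posted in the thread, and the addresses are made up): a BIND 9 named.conf fragment for each of the two roles. The LAN-facing server is recursive only and learns about the internal domain through a `type forward` or `type static-stub` stanza; the Internet-facing server holds `example.com` with recursion disabled. Assumed values are the internal authoritative server 10.0.0.53, the LAN prefix 10.0.0.0/8 and the zone file path.

```conf
// Added example, not from the thread. Assumptions: the internal authoritative
// server for internal-corp-lan.example is 10.0.0.53 and the LAN is 10.0.0.0/8.

// ---------- named.conf on the LAN-facing, purely recursive server ----------
options {
    recursion yes;
    // Only the LAN may query or recurse through this server; it is never
    // listed in any public NS record and should not be reachable from outside.
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    dnssec-validation auto;
    // Caveat: a name that does not exist in the public tree cannot validate,
    // because the (signed) root securely denies it. Exempt the internal
    // domain from validation (validate-except is available from BIND 9.16).
    validate-except { "internal-corp-lan.example"; };
};

// Option 1: forward queries for the internal domain to the internal
// authoritative server. No zone data is loaded here, so this server
// is still not authoritative for the name.
zone "internal-corp-lan.example" {
    type forward;
    forward only;                 // never fall back to the public root for it
    forwarders { 10.0.0.53; };
};

// Option 2 (use instead of option 1): static-stub. The resolver iterates
// directly against the listed server rather than forwarding, and again
// holds no zone data.
// zone "internal-corp-lan.example" {
//     type static-stub;
//     server-addresses { 10.0.0.53; };
// };

// Deliberately no zone "example.com" stanza: LAN clients asking for it are
// answered by ordinary recursion against the public authoritative servers.

// -------- named.conf on the Internet-facing, purely authoritative server --------
options {
    recursion no;                 // answers only for zones it holds
    allow-query    { any; };
    allow-transfer { none; };     // or the addresses of your secondaries
    minimal-responses yes;
};

// The NS records inside this zone point at this server and its secondaries,
// never at the internal recursive server above.
zone "example.com" {
    type primary;                 // "master" on BIND older than 9.16
    file "/var/named/example.com.zone";
};
```

The two `options` blocks belong to two different servers and must not be pasted into a single named.conf. A quick check that the split holds: `dig @<recursive-server> example.com SOA` from the LAN should return a non-authoritative answer (no `aa` flag), while `dig @<authoritative-server> internal-corp-lan.example SOA` from the Internet should be refused rather than recursed.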