On 19. 04. 23 23:01, Greg Choules via bind-users wrote:
Hi Jiaming.
Here's what I would do. I am assuming one nameserver for the public zone
and one (different) nameserver for the internal zones. You would use
more in practice but I'm keeping it simple, for illustration.
The external NS is reachable from anywhere on the Internet. If you host
it in your own network, ideally do it on a public DMZ. It hosts one
zone: example.com. The NS name is externalns.example.com.
The internal NS is *not* reachable from anywhere on the Internet, only
from internal hosts, and it is probably on a private address (depends on
your internal addressing scheme). It hosts three zones: internal1.example.com,
internal2.example.com and internal3.example.com. The name of the NS itself is
internalns.internal1.example.com.
EXTERNAL NS
zone: example.com
@           SOA
@           NS  externalns
; delegations to the internal NS; no glue A record is published for it
internal1   NS  internalns.internal1
internal2   NS  internalns.internal1
internal3   NS  internalns.internal1
other records...

INTERNAL NS
zone: internal1.example.com
@           SOA
@           NS  internalns
internalns  A   192.168.1.1
other records...

zone: internal2.example.com
@           SOA
@           NS  internalns.internal1.example.com.
other records...

zone: internal3.example.com
@           SOA
@           NS  internalns.internal1.example.com.
other records...
From an Internet source, the only NS that can be reached is
externalns.example.com. Queries could be made to it to learn that
delegations exist for the internal zones and the name of the NS for those
zones. However, they cannot resolve the IP address of internalns. Not that
it would help anyway if it's 192.168.something and/or your firewalls block
incoming DNS.
It is not essential to have the delegations in externalns because internal
clients do not use them anyway. However, it is recommended to have them
because a) it is technically correct and b) it will be necessary for DNSSEC
validation to work internally.
Let me add one thing:
Not having delegations is asking for problems _also_ because
non-existence of a domain is/can be cached on several levels.
When a client moves from external to internal view it might still "not
see" the internal domains because of the cache.
--
Petr Špaček
Internet Systems Consortium
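The two-server layout sketched above, written out as complete BIND zone files and minimal named.conf fragments, then sanity-checked. This is an added example, not code from Greg, Petr or ISC. Everything the thread does not state is an assumption: the SOA timers and serial, the $TTL, the public address 203.0.113.10 for externalns (RFC 5737 documentation range), the 192.168.0.0/16 internal prefix used in the ACL, and the output directory $OUT.

```shell
#!/bin/sh
# Added example (not from the thread). Materialises Greg's layout:
# one external server with example.com, one internal server with
# internal1/2/3.example.com, and delegations in the public zone that
# point at internalns.internal1.example.com without publishing glue.
# Assumed values: SOA fields, TTLs, 203.0.113.10, 192.168.0.0/16, $OUT.
set -eu
OUT="${OUT:-$(mktemp -d)}"
mkdir -p "$OUT/external" "$OUT/internal"

# --- external server: the single public zone --------------------------------
cat > "$OUT/external/example.com.zone" <<'EOF'
$TTL 3600
$ORIGIN example.com.
@           SOA externalns hostmaster 2023041901 7200 900 1209600 3600
@           NS  externalns
externalns  A   203.0.113.10
; Delegations for the internal zones. Deliberately no glue A record for
; internalns.internal1: an outside resolver learns that the delegation
; exists (so it does not cache NXDOMAIN for the name) but cannot learn
; the address of the internal NS.
internal1   NS  internalns.internal1
internal2   NS  internalns.internal1
internal3   NS  internalns.internal1
; If the internal zones are DNSSEC-signed, their DS records go here too.
EOF
cat > "$OUT/external/named.conf" <<EOF
options { directory "$OUT/external"; recursion no; allow-query { any; }; };
zone "example.com" { type master; file "example.com.zone"; };
EOF

# --- internal server: three zones, the NS itself lives in internal1 ---------
cat > "$OUT/internal/internal1.example.com.zone" <<'EOF'
$TTL 3600
$ORIGIN internal1.example.com.
@           SOA internalns hostmaster 2023041901 7200 900 1209600 3600
@           NS  internalns
internalns  A   192.168.1.1
EOF
for z in internal2 internal3; do
  cat > "$OUT/internal/$z.example.com.zone" <<EOF
\$TTL 3600
\$ORIGIN $z.example.com.
@   SOA internalns.internal1.example.com. hostmaster 2023041901 7200 900 1209600 3600
@   NS  internalns.internal1.example.com.
EOF
done
cat > "$OUT/internal/named.conf" <<EOF
acl internal-nets { 192.168.0.0/16; };
options {
  directory "$OUT/internal";
  recursion yes;
  allow-query { internal-nets; };
  allow-recursion { internal-nets; };
};
zone "internal1.example.com" { type master; file "internal1.example.com.zone"; };
zone "internal2.example.com" { type master; file "internal2.example.com.zone"; };
zone "internal3.example.com" { type master; file "internal3.example.com.zone"; };
EOF

# Validate with named-checkzone when BIND is installed (-i none on the public
# zone: the missing glue is intentional, so skip the integrity check there),
# then a structural check that also works without BIND: every internal zone
# is delegated exactly once from the public zone.
check_zones() {
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone -q -i none example.com "$OUT/external/example.com.zone" || return 1
    for z in internal1 internal2 internal3; do
      named-checkzone -q "$z.example.com" "$OUT/internal/$z.example.com.zone" || return 1
    done
  fi
  for z in internal1 internal2 internal3; do
    [ "$(grep -c "^$z *NS " "$OUT/external/example.com.zone")" -eq 1 ] || return 1
  done
}

check_zones && echo "zone layout written to $OUT"
```

With the external server running, an outside query such as `dig +norecurse @externalns.example.com internal1.example.com NS` returns the delegation in the authority section rather than NXDOMAIN. That matters for Petr's point: under RFC 2308 a resolver caches NXDOMAIN for min(SOA TTL, SOA MINIMUM), one hour with the assumed values, so a laptop that queried the name from outside before moving inside would keep failing for that long if the public zone had no delegation. `type master` is the spelling accepted by all BIND 9 versions; 9.16 and later also accept `type primary`.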
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users