Re: Best practice MultiView

Thu, 20 Apr 2023 05:36:32 -0700 

On 19. 04. 23 23:01, Greg Choules via bind-users wrote:

Hi Jiaming.
Here's what I would do. I am assuming one nameserver for the public zone and one (different) nameserver for the internal zones. You would use more in practice but I'm keeping it simple, for illustration. 


The external NS is reachable from anywhere in the Internet. If you host 
it in your own network, ideally do it on a public DMZ. It hosts one 
zone; example.com <http://example.com>. The NS name is 
externalns.example.com <http://externalns.example.com>.



The internal NS is *not* reachable from anywhere in the Internet, only 
to internal hosts and probably on a private address (depends on your 
internal addressing scheme). It hosts three zones; internal1.example.com 
<http://internal1.example.com>, internal2.example.com 
<http://internal2.example.com>, internal3.example.com 
<http://internal3.example.com>. The name of the NS itself is 
internalns.internal1.example.com <http://internalns.internal1.example.com>



EXTERNAL NS
zone: example.com <http://example.com>
@ SOA
@ NS externalns
internal1 NS internalns.internal1
internal2 NS internalns.internal1
internal2 NS internalns.internal1
other records...


INTERNAL NS
zone internal1.example.com <http://internal1.example.com>
@ SOA
@ NS internalns
internalns A 192.168.1.1
other records....

zone internal2.example.com <http://internal2.example.com>
@ SOA

@ NS internalns.internal1.example.com 
<http://internalns.internal1.example.com>.

other records....

zone internal3.example.com <http://internal3.example.com>
@ SOA

@ NS internalns.internal1.example.com 
<http://internalns.internal1.example.com>.

other records....



 From an Internet source, the only NS that can be reached is 
externalns.example.com <http://externalns.example.com>. Queries could be 
made to it to learn that delegations exist for the internal zones and 
the name of the NS for those zones. However, they cannot resolve the IP 
address of internalns. Not that it would help anyway if it's 
192.168.something and/or your firewalls block incoming DNS.



It is not essential to have the delegations in externalns because 
internal clients do not use them anyway. However, it is recommend to 
have them because a) it is technically correct and b) it will be 
necessary for DNSSEC validation to work internally.


Let me add one thing:

Not having delegations is asking for problems _also_ because 
non-existence of a domain is/can be cached on several levels.



When a client moves from external to internal view it might still "not 
see" the internal domains because of the cache.


--
Petr Špaček
Internet Systems Consortium
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
























					Reply via email to