Some folks did this on the theory that (a) getting the DNS entry for an
internal box was not a big deal and (b) it avoided the unfailing DNS
lookup failures that occur as multiple DNS databases get out of sync.
Nowadays folks tend to have outside DNS servers in various subdomains
(e.g. for each of the suspect subnets (aka DMZs)), for the "visible to
the internet" sacrificial hosts like mail and external web servers.
In summary, you made a reasonable decision applicable to a few years ago
that may need to be revisited as your company's internet presence and
vulnerability have grown.
How's that for a justification? (and I only had two glasses of wine with
an excellent dinner at the Solano (California) Bar and Grill ;{)
David Lang wrote:
>
> When I set up my current DNS ~2 years ago I set it up with both the
> "primary" and "secondary" DNS machines (as far as the InterNIC was
> concerned) really acting as secondaries from an internal primary. I am
> currently being asked to defend my architecture and cannot remember where I got
> the idea to do this. (the basic idea being that if someone corrupts what
> they think is my primary machine it gets cleared with the next update,
> rather than propagating the problem to the secondary) Can anyone give me
> comments on if this is still a good idea?
>
> One of the problems is that in order to update from the primary the
> secondary machines have to talk to the inside of my network to reach the
> real primary.
>
> David Lang
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
Daemeon Reiydelle
Systems Engineer, Anthropomorphics Inc.
[EMAIL PROTECTED]
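The hidden-primary layout David describes, written out as an added example (this is not configuration from either poster): BIND 9 named.conf fragments for the internal master and for one of the two DMZ secondaries. The zone name, the addresses (RFC 5737 192.0.2.0/24 for the DMZ, RFC 1918 10.0.0.0/8 for the inside) and the file paths are constructed for the illustration.

```conf
// ===== File 1: named.conf on the internal hidden master (10.0.0.5) =====
// This host appears in no NS record; only the DMZ secondaries know it.
options {
    directory "/var/named";
    recursion no;
    listen-on { 10.0.0.5; };
    // Only the two DMZ secondaries may pull the zone (AXFR/IXFR).
    allow-transfer { 192.0.2.10; 192.0.2.11; };
    // Send NOTIFY only to also-notify, never to the public NS set,
    // so the master's address is not advertised by its own traffic.
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
};

// ===== File 2: named.conf on DMZ secondary 192.0.2.10 =====
// This is the host the registry lists as the "primary" NS; the second
// DMZ secondary (192.0.2.11) is configured identically.
options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };      // no downstream transfers at all
};

zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters { 10.0.0.5; };         // the real primary, inside the firewall
    allow-notify { 10.0.0.5; };    // accept NOTIFY only from the master
};
```

The zone's NS records and the SOA MNAME field should name only the two DMZ hosts, so nothing public points at 10.0.0.5. The firewall exposure this costs is exactly the one David notes: TCP/53 from 192.0.2.10 and 192.0.2.11 to 10.0.0.5 (transfers) and UDP/53 from 10.0.0.5 outbound to them (NOTIFY), and nothing else from the DMZ inward. One caveat on the "it gets cleared with the next update" property: a secondary only re-transfers when the master's SOA serial is higher than the serial it currently holds, so a tampered local copy carrying an inflated serial can outlive the refresh interval; comparing each secondary's served serial against the master's on a schedule, and forcing a retransfer (rndc retransfer) on mismatch, closes that gap.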