Dan, 

Yes, this approach is often referred to as "split brain" DNS since the
inside DNS server doesn't know what info the outside DNS has and vice
versa.  You can find excellent coverage of this topic and all things DNS
in "DNS and BIND" from O'Reilly.

HTH,
Kent

Dan Simoes wrote:
> 
> > I have to agree with Peter (who also responded to this), you should be
> > using a "split brain" DNS.  One for your inside devices and one for your
> > outside devices.  If you use a DNS on the outside only, it can be
> > queried and reveal information about your internal IP addressing
> > structure that would better be kept secret.  Most organizations use this
> > approach.
> 
> Is there a FAQ on doing this?  I'm in the same boat.
> At the moment, I am using a DNS on the DMZ network, answering
> illegal queries, and pointing all other queries to an external
> server.  I'd like to move primary DNS back on site, and I'm assuming
> I need two boxes - one on the DMZ for zone transfers and
> "official" replies, one on the private network for illegals (192.168.X)
> 
> Is this the best way?
> 
> | Dan |
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
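A worked example of the two-box layout discussed above, added here as an illustration and not taken from Kent, Dan or Peter: BIND 9 configuration fragments for an authoritative-only server on the DMZ and a recursive server on the private network, both answering for the same zone name but from different data. The zone name example.com, the 203.0.113.0/24 public range and 192.168.1.0/24 inside range (RFC 5737 and RFC 1918 documentation/private space), the secondary's address, the upstream resolver and all file paths are placeholders, not anyone's real setup.

```conf
// ----------------------------------------------------------------
// Box 1: DMZ server, authoritative for the public view of example.com.
// Gives the "official" answers to the Internet and feeds the secondary.
// /etc/named.conf (external) -- placeholder paths and addresses
// ----------------------------------------------------------------
options {
    directory "/var/named";
    recursion no;                       // authoritative only: never resolves for outsiders
    allow-query { any; };               // the world may ask about example.com
    allow-transfer { 203.0.113.54; };   // zone transfers only to the secondary (placeholder)
    also-notify { 203.0.113.54; };
    version "not disclosed";            // do not advertise the BIND release
};

zone "example.com" IN {
    type master;
    file "external/example.com.zone";
};

; external/example.com.zone -- public addresses only, no 192.168.x records
$TTL 86400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                86400 )    ; negative-cache TTL
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    203.0.113.53
ns2     IN A    203.0.113.54
www     IN A    203.0.113.80
mail    IN A    203.0.113.25

// ----------------------------------------------------------------
// Box 2: private-network server for the "illegal" (RFC 1918) view.
// /etc/named.conf (internal)
// ----------------------------------------------------------------
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 192.168.0.0/16; 127.0.0.1; };  // inside hosts only
    allow-recursion { 192.168.0.0/16; 127.0.0.1; };
    allow-transfer  { none; };                       // internal data never leaves this box
    forwarders { 203.0.113.1; };   // placeholder upstream resolver reachable through the firewall
    forward only;                  // everything not in our zones goes to the forwarder
};

zone "example.com" IN {
    type master;
    file "internal/example.com.zone";
};

; internal/example.com.zone -- same zone name, private addresses
$TTL 3600
@          IN SOA  ns-int.example.com. hostmaster.example.com. (
                   2024010101 3600 900 1209600 3600 )
           IN NS   ns-int.example.com.
           IN MX   10 mail.example.com.
ns-int     IN A    192.168.1.53
www        IN A    192.168.1.80   ; inside clients reach the web server directly
mail       IN A    192.168.1.25
fileserver IN A    192.168.1.10   ; exists only in the inside view
```

The check that matters is done from outside the firewall: `dig @203.0.113.53 fileserver.example.com` should come back NXDOMAIN and `dig @203.0.113.53 example.com AXFR` should be refused, because the external box simply has no 192.168.x data to leak. BIND 9 can also serve both views from a single server with `view` clauses keyed on the client's source address, but the two-box layout keeps the inside zone physically off the DMZ host, which is the point Kent and Peter are making.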
