From: "Shaun T. Erickson" <ste@smxy.org>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: OT: split-dns
Date: Tue, 31 Aug 2004 09:34:19 -0400
Message-ID: <41347E5B.5020401@smxy.org>
In-Reply-To: <20040831000249.GH20169@metastasis.org.uk>

Nick Drage wrote:
> On Mon, Aug 30, 2004 at 03:23:58PM -0700, Daniel Chemko wrote:
> 
> 
>>>Not knowing what split-dns was, I googled it. If I understand it
>>>correctly it seems that this is only needed when you use a single,
>>>common domain for both internal and external systems. All our
>>>external systems (both between the firewall and the router, and in
>>>the DMZ) are in "domain.com" and all our internal systems are in
>>>"sub.domain.com", so we don't need split-dns, right?
> 
> 
> Probably a good idea anyway - you probably don't want external users
> using your DNS server in the same way that internal hosts do - i.e.
> making recursive lookups.  Also while it isn't much of an information
> leak, stopping Internet users looking up hosts in sub.domain.com won't
> do any harm.

My DNS here is a bit screwy, having inherited it from my predecessor,
whom I only recently took over for. The outside name server handles our
primary domain "y.net", only, so external people cannot look up internal
hosts, but they can make recursive requests for information about our
external systems. My internal name server handles our internal domain,
"x.y.net", and a copy of our external domain, on a Windows box. Clients
are pointed at the internal name server and the secondary nameserver our
ISP runs for us.

Clearly, this all needs to be re-done, which I plan to do as soon as my
shiny new server arrives, which I'll migrate all my services to,
rebuilding them as I go.

> Also with the use of "view" this is pretty easy to do with BIND 9.  If
> you don't have a copy of "DNS and BIND" 

I do - excellent book.

	-ste
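The two points raised in the thread (an outside-facing name server should not recurse for Internet clients, and internal names in the sub-domain should not be visible from outside) map directly onto a BIND 9 `view` configuration. The `named.conf` below is an added illustration written for this page, not configuration from either poster; the ACL ranges, zone file paths and the ISP secondary's address are constructed placeholders. It uses the thread's own names: "y.net" for the public domain and "x.y.net" for the internal one.

```conf
// Weak setting this replaces: a single global
//     options { recursion yes; };
// with no allow-recursion restriction, so anyone on the Internet
// can use the server as an open recursive resolver.

acl "internal" {
    10.0.0.0/8;        // constructed: internal LAN range
    127.0.0.1;
};

options {
    directory "/var/named";          // assumed path
    allow-transfer { none; };        // default: no zone transfers
    version "not disclosed";         // don't advertise BIND version
};

// Once any view is defined, every zone must live inside a view.

// Internal clients: full recursion, and both the public and the
// private zone data.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };

    zone "y.net" {
        type master;
        file "internal/y.net.zone";      // assumed path
    };

    zone "x.y.net" {
        type master;
        file "internal/x.y.net.zone";    // assumed path
    };
};

// Everyone else: authoritative answers for the public zone only.
// Queries for names outside y.net are REFUSED (recursion no), and
// x.y.net hosts are simply absent from this copy of the zone, so
// they answer NXDOMAIN rather than leaking addresses.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    zone "y.net" {
        type master;
        file "external/y.net.zone";      // assumed path
        // Let only the ISP-run secondary pull the public zone.
        allow-transfer { 192.0.2.53; };  // constructed placeholder
        also-notify { 192.0.2.53; };     // constructed placeholder
    };
};
```

Check the file with `named-checkconf` before reloading. From an outside host, `dig @<outside-ns> www.example.org` should return status REFUSED and the answer should not carry the `ra` (recursion available) flag, while `dig @<outside-ns> host.x.y.net` should return NXDOMAIN; from an inside host the same two queries should resolve. Note that view matching is by source address, so the internal ACL must also cover the address the internal server uses when it forwards to the outside one, if it does.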


Thread overview:
2004-08-30 22:23 Need to replace a SonicWall firewall with an iptables firewall Daniel Chemko
2004-08-31  0:02 ` Nick Drage
2004-08-31 13:34   ` Shaun T. Erickson [this message]
