Re: DNS Question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



That is what I thought. This is a want from my boss, but not something that has to happen now. I appreciate everyones help.

Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking

halln@xxxxxxx
417-447-7535



Bill Gradwohl wrote:

Nathaniel Hall wrote:

Our DNS resolves domain.com. I have system1.domain.com correctly resolving using the DMZ DNS.
The ISP DNS also resolves system1.domain.com for users outside the firewalls. In addition to system1, system2.domain.com resolves on the ISP DNS from the outside.


If I am on the inside and try to resolve system2.domain.com, it doesn't get resolved because it is not setup in the DMZ DNS. I want to be able to resolve system2.domain.com by passing the query from the DMZ DNS to the ISP DNS.

When you set up DNS, you declare that it is authoritative for the domain. That's the basis premise. Then when you ask it to resolve something associated with the domain, it knows its authoritative for the domain and therefore doesn't have to ask anyone else for anything. It is THE authoritative reference. That's the problem you face. You have declared on the one hand that your DNS server is authoritative, and then on the other hand you say it isn't authoritative. You can't have it both ways to the best of my knowledge.

Maybe what you should do is what we do. Internally, we run a bogus domain to resolve internal boxes - private.ycc . Then when we ask for www.ycc.com (our public real domain is ycc.com) our internal DNS knows its not authoritative for that domain and asks the DNS servers we have at our ISP that are authoritative for the ycc.com domain to resolve the addresses. All our internal boxes are told they are part of the "private.ycc" domain and therefore there are no conflicts.

You may also want to look into split horizon DNS where depending on who is asking for name resolution the dns server gives out different answers, usually either a private or public IP address. Bind 9 has it, but its messy to set up. DJBDNS is easier to set up but doesn't have very many followers. The different "zone" files don't have to have identical named elements, so maybe that can solve your problem as well.



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux