Greetings,

A customer has a security policy based on a zoned network model which denies DNS servers in the internal network zone direct communication with DNS servers outside the internal network zone. The only exception is the defined central DNS servers.

In the internal network zone we have internal MS DNS servers which host the AD DNS zone, and also have a general forwarding to the internal BIND DNS. The internal BIND DNS servers host a few zones, and have a general forwarding (forward only;) to the central BIND DNS servers. The central BIND DNS servers are allowed to communicate with any DNS server.

My main goal is to prevent the internal MS DNS server from trying to communicate with DNS servers outside the internal network zone by following delegations. Such communication will be dropped in firewalls. Instead I want the internal MS DNS server to follow the generic DNS forwarding configured.

In my test-lab I have implemented the following on the internal BIND DNS with promising results:

    ...
    options {
        ...
        minimal-responses yes;
        forward only;
        forwarders { <central BIND DNS>; };
        ...
    };
    ...

Do you see (or have you experienced) problems with such a configuration?

Regards
Sven Emil

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
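The concern in the post is whether the internal BIND, once `minimal-responses yes;` is set, still hands the MS DNS server an authority section full of NS records (plus glue in the additional section) that it could try to chase on its own. The following is an added example, not part of the post and not ISC code: a small stand-alone DNS wire-format parser that takes the raw bytes of a response (captured from a test query or a packet capture) and reports whether it carries such a referral. The domain names, addresses and messages in it are constructed for the demonstration; `example.net` and its name servers are placeholders, and the `build_response` helper exists only to fabricate test messages offline.

```python
import struct

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28


def encode_name(name):
    """Uncompressed wire encoding of a dotted name (labels + terminating zero)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(owner, rtype, rdata, ttl=300):
    """One resource record; owner may be a name or raw bytes (e.g. a compression pointer)."""
    owner_wire = owner if isinstance(owner, bytes) else encode_name(owner)
    return owner_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, qtype, answer=(), authority=(), additional=()):
    """Constructed response (QR, RD, RA set) used only to fabricate test input."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1,
                         len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answer) + b"".join(authority) + b"".join(additional)


def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, hops, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # resume after first pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Split a DNS response into its answer, authority and additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[section].append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"rcode": flags & 0xF, "sections": sections}


def audit(msg):
    """Summarise what a downstream resolver would see in this response.

    'referral' is True when the authority section carries NS records, i.e. the
    response hands the client delegation data it could follow on its own."""
    s = parse_response(msg)["sections"]
    authority_ns = sum(1 for _, t, _ in s["authority"] if t == TYPE_NS)
    glue = sum(1 for _, t, _ in s["additional"] if t in (TYPE_A, TYPE_AAAA))
    return {"answer": len(s["answer"]), "authority_ns": authority_ns,
            "additional_addresses": glue, "referral": authority_ns > 0}


# Constructed messages for the query "www.example.net. A":
_ANSWER = rr("www.example.net.", TYPE_A, bytes([192, 0, 2, 10]))
_NS = [rr("example.net.", TYPE_NS, encode_name("ns1.example.net.")),
       rr("example.net.", TYPE_NS, encode_name("ns2.example.net."))]
_GLUE = [rr("ns1.example.net.", TYPE_A, bytes([192, 0, 2, 1])),
         rr("ns2.example.net.", TYPE_A, bytes([192, 0, 2, 2]))]
# What a resolver returns without minimal-responses: answer plus NS and glue.
FULL_RESPONSE = build_response("www.example.net.", TYPE_A, [_ANSWER], _NS, _GLUE)
# What minimal-responses yes; leaves: only the answer section.
MINIMAL_RESPONSE = build_response("www.example.net.", TYPE_A, [_ANSWER])
# A bare referral, as an authoritative parent would send (no answer at all).
REFERRAL_ONLY = build_response("www.example.net.", TYPE_A, [], _NS, _GLUE)
# Same answer with the owner name as a compression pointer to the question (offset 12).
COMPRESSED_RESPONSE = build_response(
    "www.example.net.", TYPE_A, [rr(b"\xc0\x0c", TYPE_A, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, m in (("full", FULL_RESPONSE), ("minimal", MINIMAL_RESPONSE),
                     ("referral", REFERRAL_ONLY)):
        print(label, audit(m))
```

To use it against a live setup, send the test query from the MS DNS server's network position (for example with `dig +norecurse` or a packet capture), save the response bytes, and pass them to `audit()`; a `referral` of `True` from the internal BIND means the authority section still reaches the Windows resolver, which is the condition the configuration above is meant to remove.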