Greetings

A customer has a security policy based on a zoned network model which
denies DNS servers in the internal network zone the ability to communicate
directly with DNS servers outside the internal network zone. The only
exception is the defined central DNS servers.

In the internal network zone we have internal MS DNS servers which
host the AD DNS zone, and also have a general forwarding to the
internal BIND DNS.
The internal BIND DNS servers host a few zones, and have a general
forwarding (forward only;) to the central BIND DNS servers.
The central BIND DNS servers are allowed to communicate with any DNS server.

My main goal is to prevent the internal MS DNS server from trying to
communicate with DNS servers outside the internal network zone by
following delegations. Such communication will be dropped in the
firewalls. Instead I want the internal MS DNS server to follow the
generic DNS forwarding configured. In my test lab I have implemented
the following on the internal BIND DNS with promising results:

     ...
     options {
           ...
           minimal-responses yes;
           forward only;
           forwarders { <central BIND DNS>; };
           ...
     };
     ...

Do you see (or have you experienced) problems with such a configuration?

Regards
Sven Emil
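An added check, not part of the original post, for verifying from the MS DNS side of the forwarding chain that the internal BIND really returns minimal answers (no NS records in AUTHORITY, no glue in ADDITIONAL) that the MS DNS server could otherwise cache and chase. The resolver address 192.0.2.53 and the query name www.example.com are placeholders; the two header lines are constructed samples of dig output.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether a dig response
# is "minimal": nothing in AUTHORITY, and at most the EDNS OPT pseudo-record
# in ADDITIONAL (dig counts OPT in the ADDITIONAL figure of its header line).

# Extract a section count ("AUTHORITY" or "ADDITIONAL") from the dig header:
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
section_count() {
    # $1 = section name, $2 = full dig output
    printf '%s\n' "$2" | sed -n "s/.*$1: \([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Returns 0 when the response carries no delegation data for a client to follow.
is_minimal_response() {
    auth=$(section_count AUTHORITY "$1")
    add=$(section_count ADDITIONAL "$1")
    [ -n "$auth" ] && [ -n "$add" ] && [ "$auth" -eq 0 ] && [ "$add" -le 1 ]
}

# Constructed sample: an answer from a forwarder running "minimal-responses yes".
MINIMAL_SAMPLE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed sample: the same query without minimal responses; the NS records in
# AUTHORITY and the glue in ADDITIONAL are what an MS DNS server might try to use.
VERBOSE_SAMPLE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3'

# Live check against the internal BIND (needs dig; address and name are placeholders).
check_resolver() {
    out=$(dig @"$1" "$2" A +tries=1 +time=3 2>/dev/null) || return 2
    is_minimal_response "$out"
}

if [ "${1:-}" = "--live" ]; then
    check_resolver "${RESOLVER:-192.0.2.53}" "${QNAME:-www.example.com}" \
        && echo "minimal: OK" || echo "minimal: NOT OK (or query failed)"
else
    is_minimal_response "$MINIMAL_SAMPLE" && echo "sample 1: minimal"
    is_minimal_response "$VERBOSE_SAMPLE" || echo "sample 2: not minimal"
fi
```

Run with `--live` (and RESOLVER/QNAME set) against the internal BIND for a name in a zone delegated outside the internal zone; a non-minimal result means the MS DNS server is still being handed delegation data.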
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
