> I'm thinking about redesigning an internal DNS environment. To begin
> with, all internal DNS zones would reside on non-recursive servers
> only.

why?

On 15.10.22 12:03, Bob McDonald wrote:
> My understanding has always been that the recommendation is/was to
> separate recursive and non-recursive servers. Now I understand I'm
> talking about an INTERNAL environment and the rules have over the
> years become somewhat lax... In this case I also believe this would
> provide a more granular approach to using security features such as
> tsig keys to control updates.

This is a common misconception.

Yes, it's a good idea to separate recursive servers accessed/used by your clients from authoritative servers accessed/used by whole internet.

But this does NOT mean that internal/recursive servers must not, nor should not, contain your internal zones, nor does it mean you should put your internal zones on your publicly accessible authoritative servers.

If you have your own zones for your own usage, exactly the same way you have recursive servers, it rarely makes sense to put them on other servers than your internal/recursive servers; just put internal zones on internal servers.

If you are an ISP/registry/DNS provider, it makes sense to separate authoritative zones for your clients' domains, for all those cases where your clients move their domains somewhere else without notifying you (hell, they do that too often), or to be able to prepare moving domains to your servers.


> The question is this; do I use an internal root with pointers to the
> internal zones (as well as the outside DNS world) or do I include stub
> zones to point at the non-recursive internal servers?

stub zones, forward zones (forward with recursion bit set) or static-stub
zones (send iterative queries to configured servers)?

> Again, my understanding is that forwarding would require recursion.
> Thanks for the info about stub zones etc.

forward zones - named sends recursive query to the primary servers
stub zones - named fetches NS records from primary servers and uses them for resolution
static-stub zones - named forwards iterative (non-recursive) requests to primary servers

clients accessing any of these zones must have recursion allowed and recursion must be enabled in BIND.
> Access to the internal DNS zones would be controlled by location.

if you have recursive servers in internal network, you don't need control
access on auth-only servers

> If a non-secure client (read the next sentence...) accesses the same
> recursive server as a regular client, it will have access to the
> internal zones by default. Therefore we need to have some sort of
> access controls in place.

and THIS is exactly the reason you SHOULD put your internal zones on your internal server.

> Please forgive me if my post was confusing, arrogant, or naive.

neither one.

> I'm simply trying to seek the wisdom of those on the list that have more experience or different experience than myself. Hopefully, I can gain from that wisdom and we can provide a kind environment where those less educated feel mentored.

that's why we are here.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95
--


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
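The following named.conf fragments are an added illustration of the layout discussed in this thread, not configuration posted by either participant. They assume BIND 9.16 or later syntax (`type primary`/`type secondary`, `primaries`), an internal authoritative server at 10.0.0.53 that answers with recursion disabled, and an internal recursive resolver that hosts the internal zone itself (the reply's recommendation) while also showing the three alternatives that were named: forward, stub and static-stub. All zone names, addresses and the TSIG secret are constructed placeholders.

```conf
// ---- named.conf on the internal authoritative (non-recursive) server, 10.0.0.53 ----
// Assumed example; hosts the primary copy of the internal zone and never recurses.

options {
    directory "/var/cache/bind";
    recursion no;                    // auth-only: never answers recursive queries
    allow-query { 10.0.0.0/8; localhost; };
    allow-transfer { key "ddns-key"; };   // zone transfers only with the TSIG key
};

// TSIG key gating dynamic updates and transfers (constructed dummy secret,
// replace with the output of tsig-keygen; it must be base64).
key "ddns-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLWtleS1ub3QtZm9yLXVzZQ==";
};

zone "corp.example" {
    type primary;
    file "db.corp.example";
    allow-update { key "ddns-key"; };     // updates accepted only when signed
    also-notify { 10.0.0.2; };            // tell the recursive resolver to refresh
};

// ---- named.conf on the internal recursive resolver, 10.0.0.2 ----
// Assumed example; recursion is enabled here and restricted to internal clients,
// as any client of a forward/stub/static-stub zone needs recursion allowed.

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; localhost; };
    allow-query     { 10.0.0.0/8; 192.168.0.0/16; localhost; };
};

key "ddns-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLWtleS1ub3QtZm9yLXVzZQ==";
};

// Recommended in the reply: the recursive resolver carries the internal zone
// itself as a secondary, so internal answers never depend on a third server.
zone "corp.example" {
    type secondary;
    primaries { 10.0.0.53 key "ddns-key"; };
    file "db.corp.example";
};

// Alternative 1: forward zone - named sends recursive queries (RD bit set)
// to the listed servers, so those servers must themselves allow recursion.
zone "lab.example" {
    type forward;
    forward only;
    forwarders { 10.0.1.53; };
};

// Alternative 2: stub zone - named fetches the NS (and SOA) records from the
// primaries and then iterates to the servers those records name.
zone "dev.example" {
    type stub;
    primaries { 10.0.2.53; };
    file "stub.dev.example";
};

// Alternative 3: static-stub zone - named sends iterative (non-recursive)
// queries straight to the configured addresses; works against auth-only servers.
zone "ops.example" {
    type static-stub;
    server-addresses { 10.0.3.53; };
};
```

Run `named-checkconf` on each file before loading it. The practical difference between the alternatives is visible in the `recursion` settings: a forward zone only works if 10.0.1.53 answers recursive queries, whereas stub and static-stub zones are satisfied by a server configured with `recursion no;` like the one at the top.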
