On 19. 04. 23 23:01, Greg Choules via bind-users wrote:
Hi Jiaming.
Here's what I would do. I am assuming one nameserver for the public zone and one (different) nameserver for the internal zones. You would use more in practice but I'm keeping it simple, for illustration.

The external NS is reachable from anywhere in the Internet. If you host it in your own network, ideally do it on a public DMZ. It hosts one zone; example.com. The NS name is externalns.example.com.

The internal NS is *not* reachable from anywhere in the Internet, only to internal hosts and probably on a private address (depends on your internal addressing scheme). It hosts three zones; internal1.example.com, internal2.example.com, internal3.example.com. The name of the NS itself is internalns.internal1.example.com

zone: example.com
@ NS externalns
internal1 NS internalns.internal1
internal2 NS internalns.internal1
internal3 NS internalns.internal1
other records...

zone internal1.example.com
@ NS internalns
internalns A
other records....

zone internal2.example.com
@ NS internalns.internal1.example.com.
other records....

zone internal3.example.com
@ NS internalns.internal1.example.com.
other records....

From an Internet source, the only NS that can be reached is externalns.example.com. Queries could be made to it to learn that delegations exist for the internal zones and the name of the NS for those zones. However, they cannot resolve the IP address of internalns. Not that it would help anyway if it's 192.168.something and/or your firewalls block incoming DNS.

It is not essential to have the delegations in externalns because internal clients do not use them anyway. However, it is recommended to have them because a) it is technically correct and b) it will be necessary for DNSSEC validation to work internally.

Let me add one thing:
Not having delegations is asking for problems _also_ because non-existence of a domain is/can be cached on several levels.

When a client moves from external to internal view it might still "not see" the internal domains because of the cache.

Petr Špaček
Internet Systems Consortium
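The layout Greg describes, written out as BIND named.conf fragments and zone files so the three pieces (public authoritative server, private authoritative server, internal recursive resolver) can be compared side by side. This is an added example, not configuration from either poster; the addresses (192.0.2.53, 192.168.10.53, 192.168.0.0/16), the SOA values, the file paths and the www record are placeholders chosen for illustration. The last SOA field (300) is the negative-cache TTL, which is the bound on how long a resolver that was told "NXDOMAIN" for an internal name keeps that answer, the problem Petr points out.

```conf
// ===== Public authoritative server: externalns.example.com (placeholder address 192.0.2.53) =====
// named.conf fragment. Authoritative only: no recursion offered to the Internet.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
};
zone "example.com" {
    type primary;            // BIND 9.16+; older releases spell this "type master"
    file "example.com.zone";
};

; ----- /var/named/example.com.zone (public zone) -----
$ORIGIN example.com.
$TTL 3600
;        serial     refresh retry  expire   negative-cache TTL
@   SOA  externalns hostmaster 2023042001 7200 900 1209600 300
@   NS   externalns
externalns  A  192.0.2.53
; Delegations for the internal zones. NS records only, deliberately without
; glue A records: an Internet client can learn that internal1/2/3 exist and
; are served by internalns, but cannot obtain its (private) address here.
internal1   NS internalns.internal1
internal2   NS internalns.internal1
internal3   NS internalns.internal1
www         A  192.0.2.80

// ===== Private authoritative server: internalns.internal1.example.com (placeholder 192.168.10.53) =====
// named.conf fragment. Listens only on the private address and answers only internal clients.
options {
    directory "/var/named";
    listen-on { 192.168.10.53; };
    allow-query { 192.168.0.0/16; localhost; };
    recursion no;
};
zone "internal1.example.com" { type primary; file "internal1.example.com.zone"; };
zone "internal2.example.com" { type primary; file "internal2.example.com.zone"; };
zone "internal3.example.com" { type primary; file "internal3.example.com.zone"; };

; ----- /var/named/internal1.example.com.zone -----
; This zone carries the A record of the nameserver itself, so the NS name
; used by all three internal zones resolves for internal clients.
$ORIGIN internal1.example.com.
$TTL 3600
@           SOA internalns hostmaster.example.com. 2023042001 7200 900 1209600 300
@           NS  internalns
internalns  A   192.168.10.53

; ----- /var/named/internal2.example.com.zone (internal3 is identical apart from the origin) -----
$ORIGIN internal2.example.com.
$TTL 3600
@   SOA internalns.internal1.example.com. hostmaster.example.com. 2023042001 7200 900 1209600 300
@   NS  internalns.internal1.example.com.

// ===== Internal recursive resolver used by clients (placeholder; separate from both authoritative servers) =====
// Internal clients never follow the public delegation; the resolver is told
// directly where the internal zones live, so the missing glue on externalns
// is irrelevant to them. Everything else (including example.com itself)
// resolves normally via the Internet.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.168.0.0/16; localhost; };
    dnssec-validation auto;
};
zone "internal1.example.com" { type forward; forward only; forwarders { 192.168.10.53; }; };
zone "internal2.example.com" { type forward; forward only; forwarders { 192.168.10.53; }; };
zone "internal3.example.com" { type forward; forward only; forwarders { 192.168.10.53; }; };
```

Two things to check after deploying something like this: `named-checkzone example.com /var/named/example.com.zone` against the public zone, to catch a delegation that was copy-pasted under the wrong child name, and, from an internal client that was recently outside the network, whether `internal1.example.com` answers before the public zone's negative-cache TTL (300 s here) has expired. If the public zone had no delegations at all, the resolver the client used while outside would have cached NXDOMAIN for the internal names, which is the situation Petr describes; with the delegations present the public view answers with a referral rather than a cached non-existence.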