Michael Torrie wrote:
On Fri, 2005-09-23 at 16:28 -0600, Andy Bradford wrote:

Well, like I said, our architecture disallows split-horizon, since the DNS for the inside cannot be in the DMZ, where it would have to be to serve the outside. BIND9 does fine at split-horizon if we needed that.
For our DNS setup... I use a mix of split-horizon and a hidden master DNS server. For security reasons I don't have the master name server visible externally (it sits on its own network off the core network). As an example, I have a name server (we'll call it ns.domain.com). This is the master name server and is also a split-horizon name server, set up to allow all internal clients to see the "internal" view of my zones. I have two external DNS servers (ns1 and ns2.domain.com) in our DMZ that are set up as slaves for the external views of my zones. I also have one other internal DNS server (in-ns3.domain.com) that is a slave for the internal zones. It makes management of zone data a breeze, because I only ever have to go to one server to make any updates or changes. With the added security of no one externally being allowed access to my master name server, any exploits to DNS will be overwritten in 8 - 12 hours depending on the TTL of the zone, regardless of whether I know about it or not.
This setup could easily be achieved with BIND9 or djbdns.

Mitch

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
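The following BIND9 configuration is an added illustration of the hidden-master plus split-horizon layout Mitch describes; it is not from the original thread or from either poster. Hostnames are the ones used above (ns, ns1, ns2, in-ns3 under domain.com); the IP addresses, ACL names, key names and file paths are assumptions. The master listens only on an internal address, answers queries only from internal clients and its own slaves, and restricts zone transfers to TSIG-signed requests from the listed slaves. The DMZ slaves refuse transfers entirely, so the public only ever sees data that was pulled from the hidden master.

```conf
// ============================================================
// ns.domain.com -- hidden master, internal network only
// (added example; addresses, key names and paths are assumed)
// ============================================================

// One TSIG key per view, generated with `tsig-keygen ext-xfer` etc.
// Using separate keys keeps a DMZ host from ever matching the internal view.
key "int-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64"; };
key "ext-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64"; };

acl "internal"        { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // assumed ranges
acl "internal-slaves" { 10.0.5.3; };                                 // in-ns3 (assumed)
acl "external-slaves" { 203.0.113.10; 203.0.113.11; };               // ns1, ns2 in the DMZ (assumed)

options {
    directory "/var/named";
    listen-on { 10.0.5.1; };       // never bind a DMZ or public interface
    recursion no;                  // authoritative only; resolvers live elsewhere
    allow-transfer { none; };      // default-deny; each zone opens it up explicitly
    notify explicit;               // notify only the hosts in also-notify, not every NS in the zone
};

view "internal" {
    match-clients { internal; };
    allow-query   { internal; };
    zone "domain.com" {
        type master;
        file "internal/domain.com.zone";
        allow-transfer { key "int-xfer"; };   // signed requests only; address alone is not enough
        also-notify    { 10.0.5.3; };
    };
};

view "external" {
    // Only the DMZ slaves ever talk to this view; the public reaches ns1/ns2.
    match-clients { external-slaves; };
    allow-query   { external-slaves; };
    zone "domain.com" {
        type master;
        // The external zone file's SOA MNAME and NS records list ns1/ns2 only,
        // so nothing in public DNS points back at this host.
        file "external/domain.com.zone";
        allow-transfer { key "ext-xfer"; };
        also-notify    { 203.0.113.10; 203.0.113.11; };
    };
};

// ============================================================
// ns1.domain.com / ns2.domain.com -- DMZ slaves of the external view
// ============================================================
key "ext-xfer" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64"; };

options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };      // the public gets answers, never the whole zone
};

zone "domain.com" {
    type slave;
    file "slaves/domain.com.zone";
    masters { 10.0.5.1 key "ext-xfer"; };   // firewall must permit tcp/udp 53 from the DMZ to this one host
    allow-notify { 10.0.5.1; };
};

// in-ns3.domain.com is the same slave stanza with key "int-xfer" and
// an internal listen-on; it pulls the internal view's copy of the zone.
```

Two checks worth running after deploying something like this: `named-checkconf` on each host, and `dig @ns1.domain.com domain.com axfr` from outside, which should return "Transfer failed." How fast a tampered copy on a slave gets replaced is governed by the SOA refresh and retry values of the zone (and by NOTIFY from the master when it reloads), so those, rather than record TTLs, are the numbers to tune if a short window matters.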
