My company already has an INTERNAL primary and secondary DNS server. I need
to setup an EXTERNAL (outside the firewall) primary and secondary DNS
server so that only non-internal DNS information. My question is ... does
there exist any information on this type of configuration?
Please post and/or reply to --> d...@interlog.com <---
>My company already has an INTERNAL primary and secondary DNS server. I need
>to setup an EXTERNAL (outside the firewall) primary and secondary DNS
>server so that only non-internal DNS information. My question is ... does
>there exist any information on this type of configuration?
Sounds like what you want is a "shadow external zone." There's no way
to have a name server automatically cull out "internal" information
during a zone transfer operation, so this usually involves setting up
a primary for the new, external zone. There's some material on how to
do this in Chapman and Zwicky's "Building Internet Firewalls," if
you're interested. I'm sure there's information on the 'Net, too.
I'd look in the archives of the firewalls mailing list on
www.greatcircle.com.
cricket
Acme Byte & Wire | http://www.acmebw.com/
cri...@acmebw.com | (303) 449-0484
cricket
Actually, there is a way to do this. Currently, Intel uses a single set
of servers for both internal and external queries. 4.9.3 code was
modified (as well as the .ca file, and possibly the boot file) to ensure
that private addresses don't get out. This capability was made known a
long time ago, but those in power of the DNS code world weren't
interested.
It makes management very easy because you don't have to build and
maintain duplicate sets of servers: those for inside and those for
outside and for us, that meant quite a few servers. Internal addresses
are only made available to internal users.
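Both replies above come down to the same requirement: whatever serves the outside world must never carry internal records, whether that is done with a separately maintained "shadow external zone" or with a patched server. Below is an added example, written for this thread and not code from any of the posters, Intel, or BIND: a Python script that derives the external shadow zone from the internal master zone file by dropping every A record with an RFC 1918 address and then every CNAME, MX, NS, SRV or PTR that would be left pointing at a name with no surviving records, then audits the result. It assumes a simple zone-file subset (single-line records plus a parenthesised SOA; the name `example.com.` and the sample zone are constructed).

```python
import ipaddress

# RFC 1918 ranges: an A record carrying one of these must never leave the firewall.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Record types whose rdata names another host, with the rdata field holding that name.
POINTER_TYPES = {"CNAME": 0, "NS": 0, "PTR": 0, "MX": 1, "SRV": 3}


def is_private(addr):
    """True for RFC 1918 addresses; unparsable rdata is treated as private too."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in PRIVATE_NETS)


def fqdn(name, origin):
    """Make a zone-file name absolute under origin ('@' is the origin itself)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(zone, origin):
    """Return [(line_no, owner, owner_fqdn, inherited, type, rdata)] for every
    single-line RR. Blank lines, comments, $ directives and the continuation
    lines of a parenthesised record (e.g. SOA) are passed over, not parsed."""
    records, prev_owner, depth = [], "@", 0
    for i, line in enumerate(zone.splitlines()):
        text = line.split(";", 1)[0].rstrip()
        inside = depth > 0
        depth += text.count("(") - text.count(")")
        if inside or not text.strip() or text.startswith("$"):
            continue
        inherited = text[0].isspace()           # leading blank: owner carried over
        tokens = text.split()
        owner = prev_owner if inherited else tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                       # optional TTL and class fields
        if not tokens:
            continue
        prev_owner = owner
        records.append((i, owner, fqdn(owner, origin), inherited, tokens[0].upper(), tokens[1:]))
    return records


def private_addresses_in(zone, origin):
    """Audit: every private address sitting in an A record of this zone text."""
    return [rdata[0] for _, _, _, _, rtype, rdata in parse_zone(zone, origin)
            if rtype == "A" and rdata and is_private(rdata[0])]


def shadow_external_zone(internal_zone, origin):
    """Derive the external (shadow) zone text from the internal master zone."""
    lines = internal_zone.splitlines()
    records = parse_zone(internal_zone, origin)

    # Pass 1: A records with private addresses are internal-only.
    dropped = {i for i, _, _, _, rtype, rdata in records
               if rtype == "A" and rdata and is_private(rdata[0])}

    # Pass 2: a pointer record whose in-zone target has no surviving record would
    # dangle and still leak the internal name, so drop it as well. Repeat until
    # stable so chains (login -> portal -> private A) are fully removed.
    while True:
        alive = {name for i, _, name, _, _, _ in records if i not in dropped}
        newly = set()
        for i, _, _, _, rtype, rdata in records:
            idx = POINTER_TYPES.get(rtype)
            if i in dropped or idx is None or len(rdata) <= idx:
                continue
            target = fqdn(rdata[idx], origin)
            if (target == origin or target.endswith("." + origin)) and target not in alive:
                newly.add(i)
        if not newly:
            break
        dropped |= newly

    # Emit survivors. Owners carried over from an earlier line are written out,
    # because the line they were inherited from may itself have been dropped.
    out = list(lines)
    for i, owner, _, inherited, _, _ in records:
        if inherited:
            out[i] = f"{owner}\t{lines[i].strip()}"
    return "\n".join(l for i, l in enumerate(out) if i not in dropped)


ORIGIN = "example.com."

# Constructed sample internal master zone, not any real organisation's data.
INTERNAL_ZONE = """\
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. (
             2024010101 3600 900 604800 3600 )
@        IN NS    ns1
@        IN MX 10 mail
@        IN MX 20 mailint            ; internal relay only
ns1      IN A     203.0.113.10
www      IN A     203.0.113.20
mail     IN A     203.0.113.25
mailint  IN A     10.0.0.25
intranet IN A     192.168.10.5
portal   IN CNAME intranet
login    IN CNAME portal             ; chain ending at a private address
dev      IN A     172.20.1.1         ; dual-homed: private and public address
         IN A     203.0.113.30
cdn      IN CNAME static.example-cdn.net.
"""

if __name__ == "__main__":
    print(shadow_external_zone(INTERNAL_ZONE, ORIGIN))
```

Run it and the printed zone keeps the SOA, NS, the public hosts, the public address of the dual-homed `dev` host and the out-of-zone CNAME, while `mailint`, `intranet`, `portal`, `login` and the private `dev` address disappear along with the MX that pointed at `mailint`. The `private_addresses_in` audit on the output is the check worth wiring into whatever generates the external zone before it is loaded on the outside servers: an empty list is the condition that the patched-server approach enforces at query time and that the shadow-zone approach must enforce at build time.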