Book: Fedora™ Unleashed, 2008 edition
Using Split DNS
BIND is often run on firewalls, both to act as a proxy for resolvers inside the network and to serve authoritative data for some zones. In such situations, many people prefer to avoid exposing more details of their private network configuration via DNS than is unavoidable (although there is some debate about whether hiding internal names actually buys much). Hosts querying from outside the firewall should see only the information they are explicitly allowed to see, whereas internal hosts are allowed access to other data. This kind of setup is called split DNS. Whatever you conclude about hiding names, the property that matters most is that the outward-facing side answers only for the zones you publish and refuses recursion: an open recursive resolver on a firewall can be abused from anywhere on the Internet for amplification attacks and gives attackers a cache to try to poison.
Suppose that you have a set of zones you want to expose to the outside world and another set you want to allow hosts on your network to see. You can accomplish that with a configuration such as the following:
----------
acl private {
    localhost; 192.168.0.0/24;
    # Define your internal network suitably.
};

# Once any view is declared, every zone must live inside a view. Views are
# tried in the order written; the first view whose match-clients list
# matches the querying address answers the query, so the private view
# must come first. A zone that both audiences should see has to be
# declared in each view that serves it.
view private_zones {
    match-clients { private; };
    recursion yes;
    # Recursive resolution for internal hosts.
    zone "internal.zone" {
        # Zone statements;
    };
    # More internal zones.
};

view public_zones {
    match-clients { any; };
    recursion no;
    # Authoritative-only answers for everyone else.
    zone "external.zone" {
        # Zone statements;
    };
    # More external zones.
};
----------
Further, you might want to configure internal hosts running named to forward all queries to the firewall and never try to resolve queries themselves. The forward only and forwarders options in named.conf do this (forwarders specifies the list of IP addresses of the nameservers to forward queries to). With forward only, a query that the forwarders cannot answer fails rather than being retried by iterative resolution from the root servers; if you want that fallback, use forward first instead, bearing in mind that the fallback sends queries straight out through the firewall. The firewall's private view must, of course, match those hosts in its ACL and have recursion yes, as in the example above.
The BIND 9 ARM discusses several details of running BIND in a secure split-DNS configuration.
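The following named.conf for an internal forwarding host is an added example, not configuration from the book or from the BIND project. It assumes the host itself is 192.168.0.10, the firewall's inside interface is 192.168.0.1, and a second internal server at 192.168.0.2 is authoritative for the hypothetical branch.internal.zone; all three addresses and the zone name are assumptions to adjust to your own network.

```conf
// /etc/named.conf for an internal host that only forwards.
// Added example, not from the book. Assumed addresses: this host is
// 192.168.0.10, the firewall's inside interface is 192.168.0.1, and a
// second internal server at 192.168.0.2 holds branch.internal.zone.

options {
    directory "/var/named";

    // Listen and answer only on the inside; nothing on this host should be
    // reachable from the Internet even if a firewall rule slips.
    listen-on       { 127.0.0.1; 192.168.0.10; };
    allow-query     { localhost; 192.168.0.0/24; };
    allow-recursion { localhost; 192.168.0.0/24; };

    // Hand every query we cannot answer from cache to the firewall's
    // private view. "only" means no iterative resolution from the root
    // servers if the forwarder fails: the client gets SERVFAIL instead.
    // Use "forward first" if you would rather fall back.
    forward only;
    forwarders { 192.168.0.1; };
};

// Per-zone forwarding overrides the global setting for that name and
// everything below it: queries for branch.internal.zone (assumed name)
// go to the internal server that holds it instead of to the firewall.
zone "branch.internal.zone" {
    type forward;
    forward only;
    forwarders { 192.168.0.2; };
};

// With forward only in effect the root hints are never used for
// resolution, so the hint zone is not needed here; leaving Fedora's
// default one in place does no harm.
```

Check the syntax with named-checkconf /etc/named.conf before reloading with rndc reload. To confirm the split is working, run dig @192.168.0.10 for an external name from inside: the answer should carry the ra flag and the data. Then, from a host outside the firewall, query the firewall's public address for internal.zone SOA: the public view must not return the zone's records, and the response flags must not include ra, which shows it neither recurses for outsiders nor knows the internal zone.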
Related Fedora and Linux Commands
You can use the following commands to manage DNS in Fedora:
- dig — The domain information groper command, used to query remote DNS servers
- host — A domain nameserver query utility
- named — A domain nameserver included with Fedora
- system-config-bind — A GUI tool to configure DNS information
- nsupdate — A Dynamic DNS update utility
- rndc — The nameserver control utility included with BIND