Can I use views to separate my recursive name server and authoritative name servers?
Answered Tue, 27 Nov 2001

> We have the need to have forwarders due to a large number of non-RFC1918
> conforming IP addresses that are going away but not quickly enough. That
> aside, and probably another question altogether, we have the following
> general setup. We have multiple internal name servers that
> forward queries to DNS servers that sit in the external space. These external
> servers also act as external name servers for a number of our domains.
>
> I understand that it is advisable to have separate DNS servers for your
> external primaries and for recursive internals for both performance and
> security reasons. Are views an adequate mechanism to provide this
> separation or would it be suggested to have other BIND servers doing this?
Views should work fine for this application. You'll want to have at
least two views, one that your internal name servers that forward
queries to your external name servers are in, which allows recursive
queries. The other view would apply to all other queriers and not
permit recursive queries. You should also make sure you have strong
anti-spoofing rules in place on your external routers or firewall,
since you'll be determining whether or not to do recursion according
to source IP address.
> On a side note, I am happy to hear that you are teaching the DNS courses
> again. I think I went to one of the last ones before Acme Byte & Wire was
> bought. The other admins here wanted to go to one of your courses and now
> they will have the chance again.
Thanks, Kurt! I'll look forward to seeing some Gateway folks at a
future class!
cricket
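
The two-view arrangement described in the answer above, sketched as a `named.conf` fragment. This is an added example, not configuration from the original reply; the ACL name, view names, addresses (documentation range 192.0.2.0/24), zone name and file paths are all placeholders.

```conf
// Constructed example: every address, name and path here is a placeholder.

// The internal name servers that forward queries to this server.
acl internal-forwarders {
    192.0.2.10;    // internal name server 1 (placeholder)
    192.0.2.11;    // internal name server 2 (placeholder)
};

options {
    directory "/var/named";
};

// Views are tested in the order they appear; the first view whose
// match-clients list matches the query's source address is used.
// The recursive view therefore has to come before the catch-all.
view "forwarders" {
    match-clients { internal-forwarders; };
    recursion yes;

    zone "example.com" {
        type master;
        file "db.example.com";
    };
};

// All other queriers: authoritative answers only, no recursion.
view "everyone-else" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "db.example.com";
    };
};
```

Once any view is defined, every zone statement has to sit inside a view, which is why the zone is repeated in both. `named-checkconf` will catch syntax errors before the server is reloaded.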




