Re: Split DNS, who be recursive?

[aturner () vicinity com]

On 29 Mar, Lance Spitzner wrote:
> Looking for architect opinions on Split DNS.
> How do you configure your Internal DNS server?
>
> When someone on your internal network queries
> an Internet address, such as www.intel.com.
>
> Do you ...
>
> 1.  Have your internal server do the query,
> starting with the root servers?
>
> 2.  Have your internal server ask an upstream
> DNS server to do the query (such as your ISP).
>
> 3. Have your internal server redirect the
> client to another DNS server?

Hey Lance,

I prefer to have my internal forward to the local external DNS server in
the DMZ.   Reasons are:

1) I maintain my own external dns server at each physical location, so
this makes things fast.

2) I do a lot of zone file updates to my external servers, and I don't
want to wait for the rest of the world to pickup on the changes before
my internal users can see it.

3) Allows me to centralize my caching of external info on the external
systems, reducing network overhead and increasing performance.

If you don't do your own external DNS, then point them at your ISP's
servers or whoever is doing your primary DNS.  I don't like pointing
 at the root servers, since then I'm caching the same info on both my
internal and external servers which is silly IMHO.

-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com