Firewall Wizards mailing list archives

Re: Split DNS, who be recursive?


From: Bennett Todd <bet () rahul net>
Date: Thu, 30 Mar 2000 11:27:30 -0500

2000-03-29-13:10:24 Lance Spitzner:
Looking for architect opinions on Split DNS.
How do you configure your Internal DNS server?

At the risk of tarnishing my Security Stud badge, I've gotta
confess I do split DNS using djb's dnscache[1], which takes all the
excitement out of it. External dns is served straight off a tinydns
that only knows about the DMZ. Internal dns is served via dnscache
that can do external lookups, and refers to a separate internal
tinydns with complete info on the inside net as well as the DMZ.
tinydns-data format is so dead simple that it's effortless to script
things so the dmz data gets included into the internal data
automatically. djb's design, the way he has decomposed the functions
into separate daemons, really makes this sort o' thing dead simple.

Plus there's always the little side-benefit that I don't anticipate
ever getting an emergency "upgrade now 'cause we just fixed a remote
root bug" call on any of djb's software. By contrast we've grown to
expect that out of bind (and of course sendmail:-).

As a frill, I've enjoyed experimenting with making the tinydns a
root nameserver, so dnscache gets to avoid the first off-site trip,
and can go straight to the appropriate TLD nameserver.

-Bennett

[1] <URL:http://cr.yp.to/dnscache.html>
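Added example, not part of Bennett's post or of djbdns: the kind of glue script the post alludes to when it says the tinydns-data format makes it "effortless to script things so the dmz data gets included into the internal data automatically". It reads the Internet-facing tinydns-data file and the internal-only one, builds the internal view (DMZ records first, then internal records, exact duplicates dropped), and adds the check a split-DNS operator wants before publishing: no record in the external file may carry an address outside the DMZ ranges, since that would leak internal addressing to the Internet, and a name defined with different addresses in the two files is reported so the DMZ file stays the single source of truth for DMZ hosts. All host names, addresses and network ranges are constructed samples; the function names are this example's own.

```python
"""Merge tinydns-data files for a split-DNS setup and check the external
view for leaked internal addresses.  Added example; the data below is
constructed, not taken from any real deployment."""
import ipaddress

# tinydns-data record types whose second field is an IPv4 address:
# '=' (A+PTR), '+' (A), '.' (NS with glue), '&' (NS), '@' (MX with glue).
# CNAME ('C'), TXT ("'"), PTR ('^'), SOA ('Z') and generic (':') carry none.
ADDRESS_TYPES = {"=", "+", ".", "&", "@"}

# Constructed DMZ range (TEST-NET-1) and sample data files.
DMZ_NETS = ["192.0.2.0/24"]

EXTERNAL_DATA = """\
# constructed sample: what the Internet-facing tinydns serves
.example.com:192.0.2.1:a:259200
=www.example.com:192.0.2.10:86400
@example.com:192.0.2.20:mail:0:86400
Cftp.example.com:www.example.com:86400
"""

INTERNAL_DATA = """\
# constructed sample: internal-only records plus one copy of a DMZ host
=www.example.com:192.0.2.10:86400
=fileserver.internal.example.com:10.1.5.5:86400
+intranet.example.com:10.1.2.3:86400
"""

# Constructed mistake: an internal host hand-added to the external file.
LEAKY_EXTERNAL_DATA = EXTERNAL_DATA + "+intranet.example.com:10.1.2.3:86400\n"


def parse_line(line):
    """Split one tinydns-data line into (type char, fields); None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return line[0], line[1:].split(":")


def addresses_in(data):
    """Yield (fqdn, ip) for every record that carries an IPv4 address."""
    for line in data.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, fields = rec
        if kind in ADDRESS_TYPES and len(fields) > 1 and fields[1]:
            yield fields[0].lower(), fields[1]


def find_leaks(external_data, dmz_nets):
    """Records in the external data whose address lies outside the DMZ ranges.
    Anything returned here would expose internal addressing to the Internet."""
    nets = [ipaddress.ip_network(n) for n in dmz_nets]
    return [(name, ip) for name, ip in addresses_in(external_data)
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def merge(external_data, internal_data):
    """Build the internal tinydns-data: DMZ records first, then internal-only ones.
    Exact duplicate lines are dropped.  Returns (merged text, divergent names),
    where a divergent name has different addresses in the two source files."""
    seen_lines = set()
    first_addr = {}          # name -> (source label, first address seen)
    divergent = []
    out = ["# generated: DMZ records followed by internal-only records"]
    for label, data in (("external", external_data), ("internal", internal_data)):
        for line in data.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            stripped = line.strip()
            if stripped in seen_lines:
                continue
            seen_lines.add(stripped)
            kind, fields = rec
            if kind in ("=", "+") and len(fields) > 1 and fields[1]:
                name = fields[0].lower()
                prev = first_addr.setdefault(name, (label, fields[1]))
                # Same source with another address is legitimate round-robin;
                # a different address from the other source is a conflict.
                if prev[0] != label and prev[1] != fields[1]:
                    divergent.append((name, prev[1], fields[1]))
            out.append(stripped)
    return "\n".join(out) + "\n", divergent


def build_internal_view(external_data, internal_data, dmz_nets):
    """Refuse to build anything while the external file leaks internal addresses."""
    leaks = find_leaks(external_data, dmz_nets)
    if leaks:
        raise ValueError("internal addresses in external data: %r" % (leaks,))
    return merge(external_data, internal_data)


if __name__ == "__main__":
    print("leaks in bad external file:", find_leaks(LEAKY_EXTERNAL_DATA, DMZ_NETS))
    merged, divergent = build_internal_view(EXTERNAL_DATA, INTERNAL_DATA, DMZ_NETS)
    print(merged)
    print("divergent names:", divergent)
```

In a real deployment the merged text would be written to the internal tinydns `data` file and `tinydns-data` run to compile it; the leak check belongs in front of that step so a bad external file stops the build rather than being published.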


