Re: Split DNS, who be recursive?

[Chris Brenton <cbrenton () sover net>]

Fancy meeting you here. ;)

Lance Spitzner wrote:
> Looking for architect opinions on Split DNS.
> How do you configure your Internal DNS server?

I usually let my internals do direct queries. With round robin and other
forms of load balancing you see TTL's set so low its not worth using a
forwarder to build up a rich cache.

> 1.  Have your internal server do the query,
> starting with the root servers?

Two nice things here:
Firewall blocks 3DNS type return queries
Makes poison attacks difficult at best

On the down side you need to do one to one NAT mapping to avoid
non-recursive problems.

> 2.  Have your internal server ask an upstream
> DNS server to do the query (such as your ISP).

You can, although I like to make my external (exposed) servers
non-recursive. You can forward through an ISP if they let you, now its a
matter of their server load and if this will offset any quick hits from
cached values. Its also another leg that can "break" if you have a
problem.

> 3. Have your internal server redirect the
> client to another DNS server?

More potential broken legs. KISS comes to mind but not the rock band. ;)

HTH,
Chris
-- 
**************************************
cbrenton () sover net

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/