Well, the cost/benefits/risks of separating authoritative and recursive on 
different *servers* (as opposed to different NICs, views, or whatever) are 
actually a hotly-debated topic among experts. I know some non-DNS-expert 
opinions, from the InfoSec side of the house, consider hardware-level 
separation "ideal", but frankly, I don't think they understand the concepts of 
NIC- or view-level separation, and need to be edumacated. Personally, I prefer 
a larger number of multi-role boxes, with view separation. The larger number of 
boxes means more availability and resilience against, say, Denial of Service 
attacks, which can target recursive service *or* authoritative service *or* 
both.

By the way, the original poster never said that he was hosting any zones 
authoritatively to the Internet on NS1, so why would you assume that he is? He 
said only that it served "external clients", but those could be *recursive* 
clients, for all we know.

That having been said, I concur with your technical recommendations.

                                                                        - Kevin



-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of S Carr
Sent: Thursday, August 18, 2016 4:31 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server

On 18 August 2016 at 01:04, anup albal <anupal...@hotmail.com> wrote:
> Does that mean I setup another forwarding zone called microsoft.com or 
> sharepoint.microsoft.com or both?

Ideally you should set up a completely separate caching/forwarding server and 
not be using the external DNS box (NS1) for this purpose.

On the box you are forwarding the queries to (NS1) you need to enable recursion 
and specify an ACL for recursion to limit it to only allowing recursion from 
the internal DNS1 box.

On the internal DNS box (DNS1) also make sure recursion is enabled and an ACL 
is in place allowing your client subnets, and configure forward zones for 
sharepoint.com and microsoft.com zones (and any other zones needed by the 
sharepoint service) to point at the NS1 box.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
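The two-box setup S Carr describes above (recursion on NS1 limited by ACL to DNS1; recursion on DNS1 limited to the client subnets, with forward zones pointing at NS1), written out as BIND 9 named.conf fragments. This is an added example, not configuration posted by anyone in the thread. All addresses are constructed from the RFC 5737 documentation ranges and stand in for the poster's real ones; the ACL names are likewise made up.

```conf
// ===== NS1 (the box DNS1 forwards to) =====
// Constructed: 192.0.2.53 stands for the internal DNS1 box. Only it may recurse here.
acl "internal-resolvers" { 192.0.2.53/32; };

options {
    directory "/var/cache/bind";
    recursion yes;
    // Recursion and cache access are restricted to DNS1 so NS1 does not become
    // an open resolver for the Internet. Authoritative answers (if NS1 serves any
    // zones) are unaffected: allow-query keeps its default and answers everyone.
    allow-recursion    { internal-resolvers; };
    allow-query-cache  { internal-resolvers; };
};

// ===== DNS1 (internal resolver) =====
// Constructed: the internal client subnets allowed to use this resolver.
acl "clients" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query        { clients; };
    allow-recursion    { clients; };
    allow-query-cache  { clients; };
    // No global "forwarders" here: only the zones below are sent to NS1;
    // everything else is resolved by DNS1 itself (or not at all on an
    // internal-only network).
};

// Forward zones: queries at or below these names go to NS1 (constructed: 192.0.2.1).
// "forward only" means DNS1 never tries to resolve them itself if NS1 fails,
// which is the behaviour wanted when NS1 is the only box with outside reach.
// A name such as sharepoint.microsoft.com is covered by the microsoft.com
// forward zone, so it needs no zone of its own.
zone "microsoft.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; };
};

zone "sharepoint.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; };
};
```

Check the syntax on each box with `named-checkconf` before reloading. After `rndc reconfig`, a query for a name under one of the forward zones from a client subnet should be answered by DNS1 via NS1, while the same query sent directly to NS1 from an address outside `internal-resolvers` should be refused (REFUSED status, no recursion), which is the observable sign that NS1 is not an open resolver.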