>> I'm thinking about redesigning an internal DNS environment. To begin
>> with, all internal DNS zones would reside on non-recursive servers
>> only.
>
> why?

My understanding has always been that the recommendation is/was to separate recursive and non-recursive servers. Now I understand I'm talking about an INTERNAL environment and the rules have over the years become somewhat lax... In this case I also believe this would provide a more granular approach to using security features such as TSIG keys to control updates.

>> That said, all clients would connect to recursive resolvers.
>
> don't they now?

They do. I'm talking about a situation where an edge layer can be eliminated. Each recursive server would have access out to the internet. No forwarding would be required.

>> The question is this; do I use an internal root with pointers to the
>> internal zones (as well as the outside DNS world) or do I include stub
>> zones to point at the non-recursive internal servers?
>
> stub zones, forward zones (forward with recursion bit set) or static-stub
> zones (send iterative queries to configured servers)

Again, my understanding is that forwarding would require recursion. Thanks for the info about stub zones etc.

>> Access to the internal DNS zones would be controlled by location.
>
> if you have recursive servers in the internal network, you don't need to control
> access on auth-only servers

If a non-secure client (read the next sentence...) accesses the same recursive server as a regular client, it will have access to the internal zones by default. Therefore we need to have some sort of access controls in place.

>> (e.g. guest WiFi devices would NOT have access to internal DNS
>> zones...)
>>
>> Recursive resolvers would allow implementation of features such as RPZ, etc.
>
> do you need RPZ for internal zones?

Since ALL recursive servers have access out to the internet, yes.

Please forgive me if my post was confusing, arrogant, or naive. I'm simply trying to seek the wisdom of those on the list that have more experience or different experience than myself. Hopefully, I can gain from that wisdom and we can provide a kind environment where those less educated feel mentored.

Bob

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
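The design Bob sketches above (auth-only servers holding the internal zones, recursive resolvers in front of them, static-stub pointers instead of forwarding, location-based access control, RPZ on the resolvers, TSIG-controlled updates) can be expressed as two named.conf fragments. The following is an added example written for this thread, not configuration from Bob or from ISC; every address, zone name, file name and key name is a placeholder, and the split into an "internal" view and a "guest" view is one way of doing the location-based control, not the only one.

```conf
// ===== File 1: recursive resolver (no authoritative data here) =====
// Constructed client classes; replace with the real site ranges.
acl corp-lan   { 10.10.0.0/16; 10.20.0.0/16; };
acl guest-wifi { 192.168.50.0/24; };

options {
    directory "/var/cache/bind";
    recursion yes;
    // Only known client classes may use this resolver at all.
    allow-query     { corp-lan; guest-wifi; };
    allow-recursion { corp-lan; guest-wifi; };
    // No "forwarders" statement: the resolver iterates from the Internet
    // root servers itself, as the post describes.
};

// Corporate clients: internal zones are reached with static-stub zones.
// static-stub sends iterative (non-recursive) queries straight to the
// listed auth-only servers, so those servers can stay recursion-free.
view "internal" {
    match-clients { corp-lan; };
    recursion yes;

    zone "corp.example" {
        type static-stub;
        server-addresses { 10.10.53.1; 10.10.53.2; };  // placeholder auth servers
    };
    zone "10.in-addr.arpa" {
        type static-stub;
        server-addresses { 10.10.53.1; 10.10.53.2; };
    };

    // Response Policy Zone applied to everything this view resolves,
    // including Internet names, which is why it lives on the resolver.
    zone "rpz.local" {
        type master;
        file "rpz.local.db";   // placeholder RPZ zone file
    };
    response-policy { zone "rpz.local"; };
};

// Guest Wi-Fi: identical Internet resolution and the same RPZ, but no
// static-stub entries, so internal names are not reachable from here.
view "guest" {
    match-clients { guest-wifi; };
    recursion yes;

    zone "rpz.local" {
        in-view "internal";    // reuse the zone loaded above (BIND 9.10+)
    };
    response-policy { zone "rpz.local"; };
};

// ===== File 2: auth-only server 10.10.53.1 (placeholder address) =====
// TSIG key shared with the update clients; secret is a placeholder.
key "corp-ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=";
};

options {
    directory "/var/cache/bind";
    recursion no;              // never recurse on the authoritative tier
    allow-query { 10.0.0.0/8; }; // only the resolvers' network, never guest Wi-Fi
};

zone "corp.example" {
    type master;
    file "corp.example.db";
    // Updates are accepted only when signed with the TSIG key above.
    allow-update { key "corp-ddns-key"; };
};
```

Two points worth checking on a real deployment: once any `view` is declared, every zone on that server must be inside a view, so the resolver fragment keeps the RPZ zone in the "internal" view and references it with `in-view` from "guest"; and because the guest view has no pointer to the internal zones, a guest lookup of `corp.example` is simply iterated out to the public DNS, which is the behaviour the post wants. Validate each fragment with `named-checkconf` before loading it.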