* That sounds like a sadly normal implementation but yes you can do better
* Views is a good place to look https://kb.isc.org/docs/aa-00851
* Make sure to investigate how the company VPN services handle DNS as it may surprise you

On Fri, Nov 3, 2023 at 9:52 AM Nick Howitt via bind-users <bind-users@lists.isc.org> wrote:

> Hi,
>
> I am fairly new to bind but I am thinking my company's use of it is
> sub-optimal. We have two bind masters (and a few slaves), one for
> internal use so all our internal servers point to it or its slaves as
> their DNS resolvers. I will call the internal one bind-internal and the
> external one bind-external.
>
> Bind-internal is set up as authoritative for the domain example.com.
> Bind-external is also set up as authoritative for example.com.
>
> Bind-internal has all sorts of entries resolving in the 10.30, 10.40 and
> other private ranges, but it also has entries resolving to our public
> IPs e.g. demo.example.com resolves to 1.2.3.4 (terminated by an F5),
> which is one of our public IPs (munged). As this site is externally
> accessible as well, we also have to put an identical entry in
> bind-external so we end up having many identical entries in
> bind-internal and bind-external. We also have some other domains covered
> by bind-internal with external IPs, but externally they are covered by
> the domain host's DNS and they have the same issue where in
> bind-internal we have some public IPs which are also in the domain
> host's DNS for external access.
>
> I have a feeling this is a sub-optimal setup, having to maintain
> external IPs in both bind-internal and bind-external. Does it make sense
> to stop bind-internal from being authoritative and make it a
> resolver/caching name server? This way, if it does not find an entry in
> bind-internal it will then go out to either bind-external or the domain
> host's DNS to get the answer from the authoritative servers and then
> there is no need to maintain external IPs in bind internal.
>
> TIA,
>
> Nick
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

--
- Andrew "lathama" Latham -
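
A split-horizon layout using the views suggested in the reply, as an added example that is not part of the thread and not taken from ISC's documentation. The ACL prefix lengths, view names and file paths are assumptions; example.com, the 10.30/10.40 ranges and demo.example.com -> 1.2.3.4 come from the original message.

```conf
// named.conf fragment (added example; prefixes, names and paths are assumed)

// Internal clients. The thread only names "10.30, 10.40 and other private
// ranges"; the /16 prefix lengths below are an assumption.
acl internal-nets {
    localhost;
    10.30.0.0/16;
    10.40.0.0/16;
};

// Views are matched in order and the first match-clients hit wins, so the
// restrictive view comes first. Once any view exists, every zone statement
// must live inside a view.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;                        // internal hosts use this as their resolver
    allow-recursion { internal-nets; };

    zone "example.com" {
        type master;
        // This zone file carries SOA/NS, the private-range records, and one
        // line pulling in the shared public records:
        //   $INCLUDE "zones/example.com.public.inc"
        file "zones/internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                         // authoritative-only towards the Internet

    zone "example.com" {
        type master;
        // This zone file carries SOA/NS and the same $INCLUDE line, so a
        // record such as demo.example.com -> 1.2.3.4 is edited in one file
        // only and no 10.x record is ever loaded into this view.
        file "zones/external/example.com.zone";
    };
};
```

Running `named-checkconf -z` after editing loads every zone in every view, which catches an include file that parses in one view but not the other.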