Subject: Re: [fw-wiz] Split DNS, who be recursive?
From: Chris Brenton (cbrenton sover.net)
Date: Sun Apr 02 2000 - 01:56:45 CST
- Next message: Matt Bruce: "[fw-wiz] Using a Watchguard Firebox SOHO for Branch Office VPNing?"
- Previous message: Pere Camps: "Re: [fw-wiz] Re: Trusted OS..."
- Next in thread: Bennett Todd: "Re: [fw-wiz] Split DNS, who be recursive?"
- Maybe reply: Chris Brenton: "Re: [fw-wiz] Split DNS, who be recursive?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Fancy meeting you here. ;)
Lance Spitzner wrote:
>
> Looking for architect opinions on Split DNS.
> How do you configure your Internal DNS server?
I usually let my internals do direct queries. With round robin and other
forms of load balancing you see TTLs set so low it's not worth using a
forwarder to build up a rich cache.
> 1. Have your internal server do the query,
> starting with the root servers?
Two nice things here:
Firewall blocks 3DNS type return queries
Makes poison attacks difficult at best
On the down side you need to do one to one NAT mapping to avoid
non-recursive problems.
> 2. Have your internal server ask an upstream
> DNS server to do the query (such as your ISP).
You can, although I like to make my external (exposed) servers
non-recursive. You can forward through an ISP if they let you; now it's a
matter of their server load and whether this will offset any quick hits from
cached values. It's also another leg that can "break" if you have a
problem.
> 3. Have your internal server redirect the
> client to another DNS server?
More potential broken legs. KISS comes to mind, but not the rock band. ;)
HTH,
Chris
--
**************************************
cbrenton sover.net
* Mastering Cisco Routers http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/
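The split that Chris describes, as an added BIND 9 configuration sketch (not from the original post or the fw-wiz list): the exposed external server is non-recursive and serves only its own zones, while the internal server recurses for internal clients and walks the tree from the root hints itself rather than forwarding to the ISP. The zone name, file names and internal address ranges are placeholders.

```conf
// ---- named.conf on the EXTERNAL (exposed) server ----
// Answers only for zones it is authoritative for; never looks anything up
// on behalf of a client, so there is no cache to poison and no open resolver.
options {
    directory "/var/named";
    recursion no;                 // refuse recursive lookups outright
    allow-recursion { none; };
    allow-query-cache { none; };  // no cache, so nothing cached can be served
    allow-transfer { none; };     // list secondaries per zone if you have them
};

zone "example.com" {              // placeholder zone
    type master;                  // spelled "primary" in newer BIND releases
    file "db.example.com.external";   // public names only
};

// ---- named.conf on the INTERNAL resolver ----
// Recursive, but only for internal clients, and with no forwarders clause
// so queries start at the root servers (option 1 in the thread).
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // placeholder ranges

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    // no "forwarders { ... };" here: the internal box resolves directly
};

zone "." {
    type hint;
    file "named.root";            // root hints file
};

zone "example.com" {              // same zone, internal view of it
    type master;
    file "db.example.com.internal";   // includes internal-only names
};
```

To confirm the external server really is non-recursive, query it from outside for a name it is not authoritative for (e.g. `dig @ns.example.com +recurse www.example.net`): it should answer REFUSED and the reply's flags must not include `ra`.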