Assuming the internal DNS server has a private IP and
isn't multi-homed, there's no need for any border hacking
OR extra BIND configuration.
While it can't be queried, it can poison other servers
if it can access them through a gateway.
How?
Can we agree that best practice for DNS resolution for a
site using NAT/PAT and private IPs is to have public IPs
resolved by an upstream ISP's DNS server and private IPs
resolved by an internal, not routed, DNS server that will
forward queries for hosts outside the private space to
external DNS?
No.
While a practice, I don't consider it optimal as it
requires multiple name servers for the same zone. Why not
simply use views on the external server, and optionally
have a caching server locally that does nothing else?
First, because if you lose your upstream connectivity,
unless you deploy the optional caching server, you have no
DNS resolution at all, which is suboptimal. Second,
because it can't securely provide dynamic DNS inside the
private network, which is also suboptimal. Third, because
it creates a procedural reliance on an outside party for
MACs of internal-only hosts. Fourth, because it creates a
security hole wherein someone spoofing an IP from the
public side of the NAT can get resolution of internal host
names and IPs.
Public should stay upstream, private should stay at home.
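The two layouts argued over above, written out as BIND `named.conf` fragments, are an added illustration and not configuration posted by anyone in this thread; the zone names, addresses, file paths and key name are assumptions.

```conf
// --- Layout 1: a single public-facing server using views (the approach questioned above) ---
acl "internal-nets" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 127.0.0.1; };

view "internal" {
    // View selection is a source-address check only; whether a packet arriving from
    // the public side can match here depends on the border's anti-spoofing filters.
    match-clients { "internal-nets"; };
    recursion yes;
    // Same zone name, but this copy carries internal host names and RFC 1918 addresses.
    zone "example.com" { type master; file "zones/example.com.internal"; };
};

view "external" {
    match-clients { any; };
    recursion no;            // the public view answers only for its own zones
    // Public copy of the zone: public names and public addresses only.
    zone "example.com" { type master; file "zones/example.com.external"; };
};
// If this server is the only resolver, the site has no resolution at all while the
// upstream link is down, unless a local caching-only server is also deployed.

// --- Layout 2: a separate internal-only server ("public upstream, private at home") ---
options {
    listen-on { 10.0.0.53; };                 // private address, unreachable from outside the NAT
    allow-query { "internal-nets"; };
    allow-recursion { "internal-nets"; };
    forwarders { 203.0.113.53; };             // upstream ISP resolver (placeholder address)
    forward only;                             // never walks the roots itself; everything non-local goes upstream
};

key "ddns-key" { algorithm hmac-sha256; secret "<base64 TSIG secret here>"; };   // placeholder secret

zone "corp.example" {
    type master;
    file "zones/corp.example";
    allow-update { key "ddns-key"; };         // dynamic DNS stays inside, authenticated by TSIG
};
// Internal zones keep resolving if the upstream link drops; only forwarded lookups fail,
// and adds/moves/changes for internal-only hosts never involve the outside party.
```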
Macos-x-server mailing list (email@hidden)