Assuming the internal DNS server has a private IP and isn't
multi-homed, there's no need for any border hacking OR extra BIND
configuration.
While it can't be queried, it can poison other servers if it can
access them through a gateway.
How?
There are plenty of whole presentations on DNS poisoning techniques
readily available online and in print.
Can we agree that best practice for DNS resolution for a site
using NAT/PAT and private IPs is to have public IPs resolved by an
upstream ISP's DNS server and private IPs resolved by an internal,
not routed, DNS server that will forward queries for hosts outside
the private space to external DNS?
No.
While a practice, I don't consider it optimal as it requires
multiple name servers for the same zone. Why not simply use views
on the external server, and optionally have a caching server
locally that does nothing else?
First, because if you lose your upstream connectivity,
unless you deploy the optional caching server, you have no
DNS resolution at all, which is suboptimal.
If you lose your connection to the Internet, why would it matter you
can't resolve FQDNs?
As for internal hosts, set your TTL match your acceptable circuit downtimes.
Second,
because it can't securely provide dynamic DNS inside the
private network, which is also suboptimal.
Dynamic DNS is generally ill advise as a security issue. Or perhaps
you haven't read Cricket's take on it.
However, nothing prevents dynamically updated DNS in this picture.
Third, because
it creates a procedural reliance on an outside party for
MACs of internal-only hosts.
How so? All you're relying on is their server. What "procedural
reliance" might you be referring to?
Fourth, because it creates a
security hole wherein someone spoofing an IP from the
public side of the NAT can get resolution of internal host
names and IPs.
Only if you do this wrong and insecurely.
Public should stay upstream, private should stay at home.
An opinion, one I don't agree with. You asked.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden
