Windows IT Pro
December 2001

Secure Your BIND DNS Service


Split DNS
For security reasons, most companies don't want to reveal their internal network infrastructure. You especially want to hide internal host names and the corresponding IP addresses that your DNS servers provide. But you still need to provide DNS service to the Internet to resolve external host names and IP addresses (e.g., the addresses of your Internet Web servers and email servers). The solution is to split your DNS service into an internal and external service, a setup known as split DNS.

When you establish a split DNS service, the internal DNS service lets internal users resolve intranet and Internet host names and addresses. The external DNS service answers external Internet queries for your company's external host names and addresses. You can implement split DNS in one of two ways, depending on the BIND version you use.

Split DNS in BIND 8. The first method, which Figure 1 shows, is to place one or more internal DNS servers behind a firewall in your intranet and one or more external DNS servers in your demilitarized zone (DMZ) or on the Internet. Only internal DNS clients can reach the internal DNS server, which holds the host and address records for your internal domain. When an external DNS client queries a host name in the company's Internet domain, the external DNS server answers; no DNS query from the Internet ever enters the intranet. When the internal DNS server receives a query for an Internet host name (e.g., www.win2000mag.com) that isn't in its cache, it forwards a recursive query to the external DNS server. Rather than disable recursion on the external DNS server entirely, you use the method that Listing 2 shows to restrict recursion so that the server recurses only for queries that come from the intranet; an external server that recurses for anyone would let arbitrary Internet hosts use it as an open resolver. The external server then locates win2000mag.com's DNS servers, starting from the Internet root servers, and resolves the name www.win2000mag.com from one of them.

To enable forwarding on the internal DNS server, apply the statement that Listing 4 shows to named.conf's options section. The code at callout A in Listing 4 makes sure that the internal DNS server always forwards queries of domains that it doesn't serve to one of the external DNS servers that callout B specifies.
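The following named.conf fragments are an added example of the BIND 8 method described above; they are not the article's Listing 2 or Listing 4. The addresses are assumptions: the intranet is 10.0.0.0/8, and the two external servers in the DMZ are 192.0.2.53 and 192.0.2.54. The internal server forwards everything it is not authoritative for to the external servers; the external servers answer anyone for the public zone but recurse only for the intranet.

```conf
// Added example, not the article's listings. Addresses are assumptions:
// intranet = 10.0.0.0/8, external DMZ servers = 192.0.2.53 and 192.0.2.54.

// ---------- internal DNS server (intranet side): named.conf ----------
acl "intranet" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Only intranet clients may query this server at all.
    allow-query { "intranet"; };
    // Send every query for a domain this server does not serve to the
    // external servers, and never contact Internet servers directly
    // ("forward only" rather than "forward first").
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};

zone "exampleco.com" {
    type master;
    file "internal.exampleco";     // internal host names and addresses only
};

// ---------- external DNS server (DMZ side): named.conf ----------
acl "intranet" { 10.0.0.0/8; };

options {
    directory "/var/named";
    // Anyone on the Internet may ask about the zones this server holds...
    allow-query { any; };
    // ...but only the intranet (which includes the internal DNS server that
    // forwards to us) may use this server recursively. This is the
    // "restrict recursion" alternative to "recursion no".
    allow-recursion { "intranet"; };
    // Do not hand a full copy of the zone to arbitrary hosts; list the
    // secondary that is allowed to transfer it (assumed to be 192.0.2.54).
    allow-transfer { 192.0.2.54; };
};

zone "exampleco.com" {
    type master;
    file "external.exampleco";     // public host names and addresses only
};
```

Because the internal server never talks to the Internet itself, the external firewall needs no rule for it; only the DMZ servers need to reach the root servers and other authoritative servers outbound.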

Consider placing your external BIND DNS server in your DMZ, behind an external firewall, as Figure 1 shows. A good firewall can detect and block flooding attacks such as Denial of Service (DoS) before they reach the server. To use this setup, you need to open UDP port 53 on the external firewall so that Internet queries can reach the external DNS server; also open TCP port 53 if the server must answer responses too large for a single UDP datagram or send zone transfers to a secondary outside the firewall.

Split DNS in BIND 9. The second method of implementing split DNS uses BIND 9's new View feature. With this feature, you can use the same DNS hardware to provide internal and external services. For example, suppose your company, Exampleco, uses the same domain name, exampleco.com, both internally and externally. The internal version has a zone file that contains internal host and address information, and the external version has a separate zone file that contains only the external host names and addresses. A traditional DNS server can load only one zone for a given name, so it can serve only one copy of exampleco.com. BIND 9, however, lets one DNS server load several zone files for the same domain name and answer each client query from the proper zone file, according to the client's address (i.e., internal or external).

To run internal and external zone files for exampleco.com on a BIND 9 server, you can apply the statements that Listing 5, page 45, shows to named.conf's view section. (A BIND 9 server matches a client against the view statements in the order they appear and uses the first view that matches. Therefore, when you add a new view statement, pay attention to its placement in relation to any existing view statements: a catch-all view placed first would capture every query, including internal ones.) The first statement is for the internal view; the second is for the external view. The internal view uses the zone file internal.exampleco; the external view uses the zone file external.exampleco. When the DNS server receives a query, it first determines whether the client address falls into the address range in the match-clients substatement that callout A in Listing 5 shows. If so, the server knows the client is internal and answers from the internal zone. If not, the server checks whether the client address falls into the range in the substatement that callout B shows. In this example, the substatement in callout B specifies any, so the server answers from the external zone for any client that doesn't match the internal client list.
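The following named.conf is an added example of the BIND 9 view method just described; it is not the article's Listing 5. It assumes the intranet is 10.0.0.0/8 and that the root hints file is named named.ca. It also shows the ordering pitfall in the text: the narrow internal view must come before the catch-all external view, because the first matching view wins.

```conf
// Added example, not the article's Listing 5. Assumptions: intranet is
// 10.0.0.0/8; root hints live in "named.ca" under the working directory.
acl "intranet" { 10.0.0.0/8; localhost; };

options {
    directory "/var/named";
    // Refuse wholesale zone copies by default; a view can override this
    // if it has a secondary that needs transfers.
    allow-transfer { none; };
};

// With views in use, every zone must live inside a view. Views are tried
// in order and the first match-clients hit wins, so this narrow view MUST
// precede the "any" view. Swapping the two would route every client,
// intranet included, to the external zone and the internal data would
// never be served.
view "internal" {
    match-clients { "intranet"; };
    recursion yes;                 // intranet clients may resolve Internet names here
    zone "." {
        type hint;
        file "named.ca";           // root hints, needed for recursion
    };
    zone "exampleco.com" {
        type master;
        file "internal.exampleco"; // internal host names and addresses
    };
};

view "external" {
    match-clients { any; };        // everyone who did not match above
    recursion no;                  // Internet clients get authoritative data only
    zone "exampleco.com" {
        type master;
        file "external.exampleco"; // public host names and addresses only
    };
};
```

Disabling recursion in the external view is what keeps the Internet-facing side from becoming an open resolver; the internal view keeps recursion because intranet clients rely on this same server for Internet name resolution.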

To use the View feature, you must run BIND 9 on a machine that both intranet and Internet clients can access. That machine can be the firewall between the Internet and intranet or a server in the DMZ. (Note that a good DMZ has an internal firewall and an external firewall. The internal firewall opens outbound UDP 53 for intranet queries to the DNS server; the external firewall opens inbound UDP 53 for Internet queries to the DNS server. Open TCP 53 on the same paths if large responses or zone transfers must cross them.)
