How can a single internal authoritative DNS resolve external names?
by That Random Guy from LinuxQuestions.org on (#5PZSN)
I've been looking at different resources/literature for bind and DNS in general and I do not understand a particular setup for DNS.
In my case, I'm trying to understand how an authoritative name server which is a primary for a zone and is internal can resolve external names.
I know there are likely tons of things that can impact how this can be answered but let's assume this entity does not have a DMZ. By extension, we can also leave out any split DNS kind of solution. Let's also assume we're using BIND for this DNS and leave out any dependencies on supporting Windows. Let's imagine only a firewall and a gateway going to the Internet. In other words, it is a screened firewall kind of setup and nothing more. The authoritative name server serves an internal local domain/zone inside for the private networks/hosts internally that are in scope. It is the master for this zone.
Based on the stuff I've read so far, the best practice seems to be that authoritative servers are not to be caching servers and are not to allow recursive queries.
From what I understand about DNS, a server needs to be recursive to allow for external names to be resolved or otherwise needs to supply a server that can resolve the query (in other words, a resolver).
Going by this logic, and trying to meet that particular best practice with this very finicky imaginary setup, would the configuration on the authoritative server require a forwarder to an ISP resolver to be specified for internal clients to be able to resolve external names, or is that not the correct solution in this case? Is this a limitation in BIND or DNS in general?
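The following is an added illustration of the two-role layout the question circles around, not configuration posted by the author or taken from BIND's documentation. It assumes a zone called `example.internal`, an authoritative primary at 10.0.0.53, a separate internal recursive resolver at 10.0.0.54, and ISP resolvers in the 203.0.113.0/24 documentation range; all of these are constructed placeholders. The point it shows is that the authoritative server itself keeps `recursion no` and needs no forwarder at all: external names are handled by the resolver, which internal clients are pointed at, and that resolver obtains the internal zone as a secondary so it never sends internal names to the ISP.

```conf
// ===== File 1: named.conf on the authoritative primary (10.0.0.53) =====
// Constructed example; addresses and zone name are placeholders.
options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    recursion no;                    // authoritative only, never recurses
    allow-query { 10.0.0.0/8; };     // only internal networks may ask
    allow-transfer { 10.0.0.54; };   // only the internal resolver may AXFR
    minimal-responses yes;           // do not pad answers with extra records
    version "none";                  // do not advertise the BIND version
};

zone "example.internal" IN {
    type master;                     // recent BIND also accepts "primary"
    file "example.internal.zone";
    notify yes;
    also-notify { 10.0.0.54; };      // push changes to the resolver copy
};

// ===== File 2: named.conf on the internal recursive resolver (10.0.0.54) =====
// This is the server clients list in /etc/resolv.conf, not the primary.
options {
    directory "/var/named";
    listen-on { 10.0.0.54; };
    recursion yes;
    allow-query { 10.0.0.0/8; };
    allow-recursion { 10.0.0.0/8; }; // restrict recursion so this is never an open resolver
    // External names: either recurse to the roots (omit forwarders) or hand
    // them to the ISP's resolvers, as the question suggests.
    forwarders { 203.0.113.10; 203.0.113.11; }; // placeholder ISP resolvers
    forward only;
    dnssec-validation auto;          // validate answers received from the forwarders
};

// Internal names are answered from a local copy of the zone, so the
// authoritative primary never has to resolve anything on clients' behalf.
zone "example.internal" IN {
    type slave;                      // recent BIND also accepts "secondary"
    masters { 10.0.0.53; };          // recent BIND also accepts "primaries"
    file "slaves/example.internal.zone";
};
```

Clients get 10.0.0.54 as their only nameserver; the firewall then only needs to allow UDP/TCP 53 outbound from 10.0.0.54 to the ISP resolvers, and the authoritative server at 10.0.0.53 is never reachable from, and never talks to, the Internet. If the ISP forwarders are dropped, the resolver recurses to the root servers instead, and the rest of the layout is unchanged.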