From owner-freebsd-hackers Mon Feb 19 23:06:28 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id XAA26085 for hackers-outgoing; Mon, 19 Feb 1996 23:06:28 -0800 (PST)
Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id XAA26074 for ; Mon, 19 Feb 1996 23:06:25 -0800 (PST)
Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id IAA12475 ; Tue, 20 Feb 1996 08:05:52 +0100
Received: from (uucp@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) with UUCP id IAA28385 ; Tue, 20 Feb 1996 08:05:45 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.7.3/keltia-uucp-2.7) id HAA01159; Tue, 20 Feb 1996 07:57:02 +0100 (MET)
From: Ollivier Robert
Message-Id: <199602200657.HAA01159@keltia.freenix.fr>
Subject: Re: An ISP's Wishlist...
To: coredump@nervosa.com (invalid opcode)
Date: Tue, 20 Feb 1996 07:57:02 +0100 (MET)
Cc: narvi@haldjas.folklore.ee, me@gw.muc.ditec.de, hackers@freebsd.org
In-Reply-To: from invalid opcode at "Feb 19, 96 06:56:33 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#1688
X-Mailer: ELM [version 2.4ME+ PL5 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
Precedence: bulk

It seems that invalid opcode said:
> Why not just run 2 named servers on 2 separate machines ( 2 total ). The
> bastion host would run named, and any name queries to the protected
> network would be forwarded to an internal host running the second named

There is an easier way. Have two hosts, one runs the public DNS server.
The second one is running the private DNS server; it has the
forwarders/slave clause in the named.boot to resolve anything it's not
primary or secondary for.

The public DNS machine is of course a _client_ of the private DNS.

Flow:

              ^ server-server flow to resolve external hosts
              |
              |
              |          server-server flow (forwarders)
           public <---------------------------------- private
                  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->   ^
                       client-server flow                I client-server flow
                                                         I
                                                  Internal hosts

That way, no risk with the public's cache leaking host names.

I hope the "drawing" is clear enough.
-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
FreeBSD keltia.freenix.fr 2.2-CURRENT #1: Tue Feb 20 01:16:51 MET 1996
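The cache-leak property the message is about can be checked with a small model of the two resolvers. The following is an added example, not code from the original post or from BIND; it models a BIND 4 `forwarders` line as "send everything I am not authoritative for to that server", and all zone data, host names and addresses in it (corp.example, 10.1.1.x, 192.0.2.x) are constructed for the illustration. It builds both topologies, the one proposed in the quoted text (the bastion named forwards queries for the protected network to the internal named) and the one in the reply (the private named forwards to the public one, and the public host is a client of the private named), runs the same queries through each, and reports what ended up in the public-facing server's cache.

```python
"""Toy split-DNS model: which names does the public-facing cache ever see?

Constructed example; the resolvers below are a few lines of Python, not named.
In named.boot terms, `forwarder=` stands for the `forwarders` line (plus
`slave`, so the server never resolves on its own) and `internet=` stands for
a server that has no forwarder and walks out to the Internet itself.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed zone data and addresses (documentation/private ranges).
INTERNAL_ZONE = {"fileserver.corp.example": "10.1.1.5", "mail.corp.example": "10.1.1.25"}
PUBLIC_ZONE = {"www.corp.example": "192.0.2.80"}          # the published, public view
INTERNET = {"www.freebsd.org": "192.0.2.200"}             # "the rest of the world"
INTERNAL_SUFFIX = ".corp.example"


class Resolver:
    """A caching name server with optional forwarders."""

    def __init__(self, name: str, zones: Dict[str, str],
                 internet: Optional[Dict[str, str]] = None,
                 forwarder: Optional["Resolver"] = None,
                 zone_forwarders: Sequence[Tuple[str, "Resolver"]] = ()):
        self.name = name
        self.zones = zones                    # data this server is primary for
        self.internet = internet              # may resolve external names itself
        self.forwarder = forwarder            # default forwarder for everything else
        self.zone_forwarders = list(zone_forwarders)  # (suffix, server): per-zone forwarding
        self.cache: Dict[str, str] = {}       # answers obtained from other servers

    def resolve(self, qname: str) -> Optional[str]:
        if qname in self.zones:               # authoritative: answered, never cached
            return self.zones[qname]
        if qname in self.cache:
            return self.cache[qname]
        answer = None
        for suffix, server in self.zone_forwarders:
            if qname.endswith(suffix):
                answer = server.resolve(qname)
                break
        else:
            if self.forwarder is not None:
                answer = self.forwarder.resolve(qname)
            elif self.internet is not None:
                answer = self.internet.get(qname)
        if answer is not None:
            self.cache[qname] = answer        # whatever passes through gets cached
        return answer


def build_quoted_design() -> Tuple[Resolver, Resolver]:
    """Bastion named forwards protected-network queries to the internal named."""
    private = Resolver("private", INTERNAL_ZONE)
    public = Resolver("public", PUBLIC_ZONE, internet=INTERNET,
                      zone_forwarders=[(INTERNAL_SUFFIX, private)])
    return public, private


def build_reply_design() -> Tuple[Resolver, Resolver]:
    """Private named forwards to the public one; clients only talk to private."""
    public = Resolver("public", PUBLIC_ZONE, internet=INTERNET)
    private = Resolver("private", INTERNAL_ZONE, forwarder=public)
    return public, private


QUERIES = ["fileserver.corp.example", "www.freebsd.org", "mail.corp.example"]


def public_cache_after_queries(public: Resolver, client_facing: Resolver) -> List[str]:
    """Send the internal hosts' (and the public host's own) queries to the
    server they are configured to use, then list what the public cache holds."""
    for qname in QUERIES:
        client_facing.resolve(qname)
    return sorted(public.cache)


def leaked_internal_names(cache_names: Sequence[str]) -> List[str]:
    return [n for n in cache_names if n.endswith(INTERNAL_SUFFIX)]


def quoted_design_public_cache() -> List[str]:
    public, _private = build_quoted_design()
    return public_cache_after_queries(public, client_facing=public)


def reply_design_public_cache() -> List[str]:
    public, private = build_reply_design()
    return public_cache_after_queries(public, client_facing=private)


if __name__ == "__main__":
    for label, cache in (("quoted design", quoted_design_public_cache()),
                         ("reply design", reply_design_public_cache())):
        print(f"{label}: public cache = {cache}; leaked = {leaked_internal_names(cache)}")
```

In the quoted design every internal answer transits the bastion's named and is cached there, so anyone who can query the public server (or read its cache dump) can enumerate the protected network's names; in the reply's design the public server only ever sees the external names the private server forwarded to it.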