Using an internal root is more flexible and more secure.
It also scales better than forwarding every internal domain explicitly.
As an example, assume that:
- The internal DNS domain is business.corp. The company's name is Business Corp.
- The following networks are used:
  - 192.168.0.0/16 (branch offices)
  - 10.0.0.0/8 (headquarters)
- The internal root servers are:
  - A.business.corp
  - B.business.corp
  - C.business.corp
  - D.business.corp
- The top-level (below root) internal servers are:
  - NS00.business.corp
  - NS01.business.corp
  - NS02.business.corp
The internal root file, conventionally called db.root, could be:
;
; Business Corp.
;
; Internal DNS root and domains.
; last update: July 31, 2014.
;
$TTL 1d
.   IN SOA A.business.corp. hostmaster.business.corp. (
        1   ; serial
        3h  ; refresh
        1h  ; retry
        1w  ; expire
        1h ) ; negative caching TTL
; The internal root servers (leading whitespace keeps the "." owner).
    IN NS A.business.corp.
    IN NS B.business.corp.
    IN NS C.business.corp.
    IN NS D.business.corp.
; The internal root servers' addresses.
A.business.corp. IN A 10.0.0.10
B.business.corp. IN A 10.0.0.20
C.business.corp. IN A 10.0.0.30
D.business.corp. IN A 10.0.0.40
; The internal domains and their authoritative servers.
business.corp.        IN NS NS00.business.corp.
                      IN NS NS01.business.corp.
                      IN NS NS02.business.corp.
; Glue: NS00-NS02 live inside the zone they serve, so the root must carry
; their addresses or nobody can follow the delegation. The addresses below
; are placeholders; substitute the real ones.
NS00.business.corp.   IN A 10.0.0.100
NS01.business.corp.   IN A 10.0.0.101
NS02.business.corp.   IN A 10.0.0.102
10.in-addr.arpa.      IN NS NS00.business.corp.
                      IN NS NS01.business.corp.
                      IN NS NS02.business.corp.
168.192.in-addr.arpa. IN NS NS00.business.corp.
                      IN NS NS01.business.corp.
                      IN NS NS02.business.corp.
; End of File.
Naturally, NS00 through NS02 further delegate as necessary.
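The two things that silently break a file like db.root are a delegated server with no glue address and a server address that is not on the internal networks. The checker below is an added example, not code from the original post: it parses the zone text above (honouring $TTL, owner inheritance for indented lines and parenthesised multi-line records) and reports both problems. The embedded copy of the zone is constructed for the demonstration; the glue address for NS00 is an assumption, and glue for NS01 and NS02 is deliberately left out so the check has something to find.

```python
#!/usr/bin/env python3
"""Parse an internal root zone like db.root and sanity-check it.

Added example, not code from the original post. It understands $TTL,
owner inheritance for lines that begin with whitespace and records that
span ( ... ), then reports in-bailiwick NS targets without glue and
server addresses outside the declared internal networks.
"""
import ipaddress
import re

# Networks the post declares for headquarters and branch offices.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed copy of the example zone. The NS00 glue address is an
# assumption; NS01/NS02 glue is omitted on purpose so the checker reports it.
DB_ROOT = """\
$TTL 1d
.   IN SOA A.business.corp. hostmaster.business.corp. (
        1   ; serial
        3h  ; refresh
        1h  ; retry
        1w  ; expire
        1h ) ; negative caching TTL
    IN NS A.business.corp.
    IN NS B.business.corp.
    IN NS C.business.corp.
    IN NS D.business.corp.
A.business.corp. IN A 10.0.0.10
B.business.corp. IN A 10.0.0.20
C.business.corp. IN A 10.0.0.30
D.business.corp. IN A 10.0.0.40
business.corp.        IN NS NS00.business.corp.
                      IN NS NS01.business.corp.
                      IN NS NS02.business.corp.
10.in-addr.arpa.      IN NS NS00.business.corp.
                      IN NS NS01.business.corp.
                      IN NS NS02.business.corp.
168.192.in-addr.arpa. IN NS NS00.business.corp.
                      IN NS NS01.business.corp.
                      IN NS NS02.business.corp.
NS00.business.corp.   IN A 10.0.0.100 ; assumed glue address
"""

TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")


def parse_zone(text):
    """Return (owner, rtype, rdata-tokens) tuples; owner names are lowercased."""
    records, owner, buf, depth = [], None, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]             # drop ';' comments
        if not line.strip():
            continue
        tokens = line.split()
        if depth == 0:
            if tokens[0].startswith("$"):       # $TTL, $ORIGIN: directives, not records
                continue
            if not line[0].isspace():           # a new owner name starts the line
                owner = tokens.pop(0).lower()
            buf = []
        buf.extend(tokens)
        depth += line.count("(") - line.count(")")
        if depth > 0:                           # record continues on the next line
            continue
        fields = [t for t in (tok.strip("()") for tok in buf) if t]
        if fields and TTL_RE.match(fields[0]):  # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def check_root_zone(records):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    addrs = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata[0])
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        target = rdata[0].lower()
        # Glue is needed when the server name sits at or below the delegation
        # point; the root delegates everything, so its own NS names need it too.
        in_bailiwick = owner == "." or target.endswith("." + owner)
        if in_bailiwick and target not in addrs:
            problems.append(f"NS {target} for {owner} has no glue address")
    for name, ips in addrs.items():
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
                problems.append(f"{name} A {ip} is outside the internal networks")
    return problems


if __name__ == "__main__":
    for problem in check_root_zone(parse_zone(DB_ROOT)):
        print(problem)
```

Run against the embedded zone it prints the two missing-glue lines for NS01 and NS02; point it at a real db.root (read the file into `parse_zone`) before loading the zone on the root servers. The bailiwick rule is the same one a resolver applies: the reverse-zone delegations name servers under business.corp., so they need no glue here, but the business.corp. delegation does.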
In this particular case, the /etc/named.conf of the root servers has:
options {
    recursion no;   // an options statement, not a zone one: BIND rejects it inside zone "."
};
zone "." in {
    type master;
    file "db.root";
};
NOTE
Not all of the root servers must be master for the "." zone. Of course, at a minimum, just one of them needs to be, as usual.
Other internal DNS servers must use these internal DNS root servers. These specifics are covered in another post: internal DNS servers.