DNS External/Internal Shadow Domains?

Steve Kelley Steve.Kelley at sdrc.com
Mon Nov 8 18:17:43 UTC 1999

Hi all,

I'm wondering if anyone can give suggestions on the best way
to set up an internal/external shadow domain configuration.

We have a firewall.  We would like to give an external view of
our domain.  Not too difficult.

We would like to have an internal view of the domain and subdomains.
The internal systems need to be able to resolve Internet domain names
so the servers they point at need to use the Internet Root name servers.

Now if we set up subdomains on the internal name servers the delegation
information has to be put on our external shadow domain also as the
Internet Root name servers delegate to the external shadow domain name
servers.  This also implies that subdomains would not be able to lookup
internal hostnames in the parent domain because they would be directed
to our external shadow domain name servers from the Internet Root name
servers.  Now I know I could make the subdomain name servers forward
queries to the parent domain name servers to resolve this, but then this
brings up some network routing issues in our environment.

I'm curious how others have solved these issues:

	1.) Split internal/external view of a domain.
	2.) Internal domain systems being able to see Internet domains.
	3.) Internal subdomains being able to see parent domain systems.
		Do you make subdomains secondaries of the parent domain?
		Do you set up subdomains to forward queries to the parent

What impact has your Internet connection being down placed on your name
resolution for internal domains in your organization?

Basically, we want to create a configuration that our internal name resolution
doesn't require access to the Internet Root name servers at all times.

Do larger sites with many subdomains normally configure internal root name
servers to get rid of the reliance on the Internet root name servers?

We are trying to come up with a configuration that will be reliable and
scalable while distributing the management as much as possible.

We are curious if others have set up a split internal/external view of a
domain, and how they handled subdomain issues.

Thanks in advance,
steve.kelley at sdrc.com

More information about the bind-users mailing list