DNS External/Internal Shadow Domains?

Steve Kelley Steve.Kelley at sdrc.com
Tue Nov 9 18:07:00 UTC 1999

Hi Joe,

Thanks for your response.  The issue is not to standard.
I assume your message below assumes that the Internal name
servers use Internal root name servers.  If so, I agree it
seems pretty standard.  The only problem we are seeing with
this configuration is that we would like to setup our Internal
name servers as both the Internal root name server and Internal
domain name server.  This causes some confusion concerning setting
the "forward" option on the Internal name server.

If you setup an Internal root name server, can it exist on a name
server that is setup as a forwarder?

How critical do you think it is to a corporation that name resolution
relies on the Internet root name server vs. Internal root name servers?

We don't have very many Internet disruptions in a given year, but we don't
want a disruption to bring down hostname resolution internally due to
Internet root name servers not being available.

Maybe this shows you more detail as to what we are trying to accomplish:

     Internet	     Internet	     Internet
	|		|		|
	|	    Ext. View		|
    jelly.com	    toast.com	    butter.com
	|	Uses Internet Roots     |
	|	Resolver points to	|
	|	Internal name server	|
	|	to handle internal name	|
	|	lookups.		|
	|		|		|
     Firewall	     Firewall	     Firewall
	|		|		|
	|	   Internal View	|
	|	    toast.com		|
	|	forwards to Ext. name	|
	|	server for un resolved	|
	|	hosts.  Delegate sub	|
	|	domains to remote sites	|
	|	connected via WAN.	|
	|		|		|
         \             / \             /
          \           /   \           /
           \         /     \         /
            \       /       \       / 
             \     /         \     /
              \   /           \   / 
               \ /             \ /
                |               |
	wheat.toast.com	   rye.toast.com
If your "internal" domains use Internet root name servers to allow
the "internal" domain to resolve Internet hostnames, the internal
domains can't resolve other internal subdomains as the Internet root
name servers delegate to your external domain name servers who don't
have a view of the internal domain structure.

So if you want a true split DNS solution with both an internal/external
view of your domain it would appear you would have to make use of a
combination of internal root name servers, and the use of forwarders to
resolve Internet domain names.


Joseph S D Yao wrote:
> This is pretty standard.  Internal name servers resolve all internal
> domains.  They forward to the firewall for all unresolved queries.  No
> domains are split in half between internal and external [or if they are,
> you resign yourself to losing the other part of the domain].
> --
> Joe Yao                         jsdy at cospo.osis.gov - Joseph S. D. Yao
> COSPO/OSIS Computer Support                                     EMT-B
> -----------------------------------------------------------------------
> This message is not an official statement of COSPO policies.

More information about the bind-users mailing list