DNS External/Internal Shadow Domains?

Kevin Darcy kcd at daimlerchrysler.com
Thu Nov 11 22:08:42 UTC 1999

Cricket Liu wrote:

> > However if you separate your internal root servers away from the internal
> > name servers that are actually queried by clients, you can define forwarders
> > on the non-root servers which work ok.
> I'm not sure how this is supposed to help.  If your internal name servers aren't
> using your internal roots, why set up internal roots in the first place?

Thanks to the new "de-forwarding" feature of BIND, the internal nameservers
could selectively use the internal roots for internal domains and forward for
everything else, thus reaping the rewards of both architectures, i.e. the
ability to resolve Internet names via forwarding, while at the same time
exploiting the robustness, adaptability and scalability of an internal-root
architecture for everything internal.

For an organization like ours, with many internal zones and much geographical
diversity, only an internal-root architecture really makes sense for our
internal DNS, so we are planning on implementing a "hybrid" approach as
described above, for the parts of the enterprise which require the ability to
resolve Internet names. Initial testing yields promising results.

- Kevin
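
The hybrid layout described in the message above, sketched as an added named.conf example that is not part of the original post or of any configuration the poster published. It assumes BIND 9 syntax; the zone names, the hints file name and the forwarder address are hypothetical placeholders.

```conf
// Added example: internal (non-root) caching server in a hybrid
// internal-root / forwarding design. All names and addresses below
// are placeholders, not values from the post.

options {
    directory "/var/named";

    // Default path for everything that is NOT de-forwarded below:
    // hand the query to the forwarder that can resolve Internet names.
    forwarders { 192.0.2.1; };      // placeholder forwarder address
    forward only;                   // never iterate for Internet names

    // Answer recursive queries for internal clients only.
    allow-recursion { 10.0.0.0/8; };
};

// Hints point at the INTERNAL root servers, not the Internet roots.
// Iterative resolution for de-forwarded domains starts here.
zone "." {
    type hint;
    file "db.internal-root";        // hypothetical hints file
};

// "De-forwarding": an empty forwarders list cancels the global
// forwarders for this domain and everything beneath it, so these
// names are resolved by following delegations from the internal
// roots and are never sent to the forwarder.
zone "corp.example" {
    type forward;
    forwarders { };
};

// Internal reverse space gets the same treatment, otherwise PTR
// lookups for private addresses would go to the forwarder.
zone "10.in-addr.arpa" {
    type forward;
    forwarders { };
};
```

Every internal domain, forward and reverse, needs its own de-forwarded entry; a domain left out falls through to the global forwarders, which sends internal names outside the internal-root hierarchy. `named-checkconf` validates the syntax before a reload.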
