how can intranet and Internet DNS coexist

Kevin kevin at netrox.net
Sat Sep 25 04:34:49 UTC 1999


Thank You very much for the reply. Unfortunately, I think you have
just confirmed what I was afraid of...

I have actually tried configuring my server as a slave for the other
organization's entire private domain and it did not work reliably.
While I was able to do a zone transfer, I suspect that access lists
on the router (which I have no control over) are preventing my server
from talking to some DNS servers (for subdomains) on the remote
intranet. As a result, if I do an NS lookup to my DNS for a host on
the remote intranet, it may or may not work, depending on the
subdomain the host is in. However, if I do the same NS lookup query
directly to the main DNS server on the remote network, it always
works. I guess what I need is selective forwarding, huh? (which NT 4.0
doesn't have) Is there anything I could do to simulate this? Perhaps
a static cache entry or something?

thanks,

-kevin


On 24 Sep 1999 17:32:50 -0700, Kevin Darcy <kcd at daimlerchrysler.com>
wrote:

>Kevin wrote:
>
>> We have a simple corporate network with a T1 connection to the
>> Internet and a local DNS (Win NT4.0 SP5) server. All LAN PCs are
>> configured to point to that local DNS server for Internet name
>> resolution. Recently we connected our network to another large
>> corporate network which has its own intranet and consequently DNS
>> servers. However, these DNS servers are private and only have
>> information about the private domain and subdomains.
>>
>> Here is my question: How can I configure my local PCs to go to my
>> local DNS server for Internet name resolution and to the private DNS
>> server for name resolution on the remote intranet? I have tried
>> configuring the PCs with both DNS entries but it doesn't seem to
>> work. The network whose DNS server is listed first works, the other
>> doesn't.
>
>Correct. The nameserver list in a resolver is only for availability of
>SERVERS not of NAMES. As soon as you get a reasonable answer from one of
>the nameservers in the list, none of the others are tried.
>
>(Curiosity question: does the resolver still keep going if it gets a
>SERVFAIL response?)
>
>> Is there a way that I could instruct my local DNS server to talk to
>> the remote private DNS server when a query comes in for that private
>> domain?
>
>Yes, in theory there are at least two ways that your servers can have
>knowledge of the other organization's DNS data. The "old-fashioned" way
>is to make your DNS server a slave for all of the other organization's
>internal zones. A "new-fashioned" option would be to use selective
>forwarding, but I doubt that's available on your NT 4.0 platform. Even
>if selective forwarding is available, sometimes for performance reasons
>it's better to be a slave (depending on how large the zones are, how
>frequently they change, what TTL/refresh settings are in effect, etc.).
>
>There's one possible gotcha you need to keep in mind, though: if the
>other organization has a "shadow" DNS domain on the Internet, when you
>become slave to the internal version, you lose visibility to that
>"shadow". This can have a big impact on mail routing and so forth. It
>gets even worse if they have some of the same names in BOTH versions of
>their DNS, but with different addresses. Before you blindly start
>feeding off of their internal DNS data, you might want to discuss the
>possible ramifications with them so you don't have any surprises.
>
>
>- Kevin
>
>
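As an added illustration (not part of the thread above), this is how the "selective forwarding" option looks in a BIND named.conf: one server handles both name spaces, and because the private zone is "forward only", the local server never has to reach the remote subdomain servers behind the router ACLs; the remote main server recurses on its behalf. The domain "corp.example" and the address 192.0.2.53 are placeholders for the partner's private domain and its main DNS server.

```conf
// Added example: BIND named.conf fragment for a resolver that serves both
// Internet names and a partner's private intranet domain.
// Placeholders: "corp.example" = partner's private domain,
//               192.0.2.53     = partner's main (recursive) DNS server.

options {
    directory "/var/named";
    recursion yes;
    // No global forwarders: anything not matched by a forward zone below
    // is resolved normally from the root hints, so Internet lookups keep
    // working for the LAN PCs that point at this server.
};

// Selective forwarding: only queries under the private domain go to the
// remote server. "forward only" means this server never tries to follow
// the private subdomain delegations itself (the servers a router ACL may
// block); the remote main server answers recursively and the replies are
// cached here according to their TTLs.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// The other option discussed in the thread: slave the private zone.
// Better for large, rarely changing zones, but requires zone transfer
// permission and leaves this server to follow subdomain delegations.
// zone "corp.example" {
//     type slave;
//     file "slave/corp.example";
//     masters { 192.0.2.53; };
// };

// Root hints for everything else.
zone "." {
    type hint;
    file "named.root";
};
```

Either approach hides any public "shadow" version of corp.example from your users, which is the mail-routing gotcha raised above; check a private host and an Internet host against the local server after reloading to confirm both paths resolve.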
