(A sequel) Split DNS, Firewall, and Forwarders

Barrett Richardson barrett at aye.net
Thu Feb 3 21:06:37 UTC 2000




I have a different issue with split DNS in a sizable network
for Ky state gov.

The entire state network is behind a firewall and many of the
ip addresses have been placed on 172.16.x.x addresses. The
nameservers on the DMZ dole out registered ip addresses for
queries that come from the internet, and the firewall builds
conduits back to the respective boxes. The internal nameservers
just dole out 172.16.x.x addresses for these same hosts.
Some of the state agencies have their own domain and their own
authoritative nameservers for their domain.

The problem is that these folks hit other servers at other
agencies within the state network. An example is www.kdla.net:
when an agency with their own authoritative nameserver tries
to resolve www.kdla.net, they get 205.204.186.250, which is
correct for folks in internetland, but since they are
within the state network, they actually want 172.16.x.x for
www.kdla.net.

I can have the agencies use a forwarder inside the state
network, but I am a bit reluctant to make them dependent
on my box. Another solution I am considering is to
place the ip addresses of the nameservers on the DMZ on
a couple of internal boxes also, and route traffic (that originates
internally) to those addresses to the internal boxes (which
will have different DNS tables).


-

Barrett
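The two configurations the post is weighing, written out as BIND named.conf fragments. This is an added example, not configuration from the original post or from the Kentucky state network: the zone names other than kdla.net, the file names, the 172.16.1.53 internal-forwarder address and the 172.16.0.0/16 internal range are assumptions made for illustration. The first fragment shows the per-zone forwarding the poster can hand to an agency's authoritative server (only the state zones go to the internal box; everything else is resolved directly, so the dependency is limited to those zones). The second shows the BIND 9 `view` mechanism, which lets one server return 172.16.x.x answers to internal clients and the registered addresses to the Internet, instead of duplicating the DMZ nameservers' IP addresses on internal boxes.

```conf
//
// Fragment 1: an agency's own authoritative nameserver.
// It stays authoritative for its own zone and resolves the Internet
// itself; only the other state zones are sent to the internal
// state nameserver, which answers with 172.16.x.x addresses.
//
options {
    directory "/var/named";
    recursion yes;
    // Assumed internal range taken from the post's "172.16.x.x".
    allow-recursion { 172.16.0.0/16; 127.0.0.1; };
};

// The agency's own zone (name assumed).
zone "agency.example" {
    type master;
    file "master/agency.example.db";
};

// Conditional forwarding for kdla.net only. "forward only" means
// that if the internal forwarder (address assumed) is unreachable the
// lookup fails rather than falling through to the DMZ/Internet
// answer of 205.204.186.250, which would be wrong inside the network.
zone "kdla.net" {
    type forward;
    forward only;
    forwarders { 172.16.1.53; };
};

//
// Fragment 2: one kdla.net nameserver serving both audiences with
// BIND 9 views. The view is selected by the source address of the
// query, so internal clients never see the registered addresses.
//
acl internal { 172.16.0.0/16; 127.0.0.1; };

view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "kdla.net" {
        type master;
        // Zone file holds: www IN A 172.16.x.x  (internal address)
        file "internal/kdla.net.db";
    };
};

view "external" {
    match-clients { any; };
    recursion no;          // answer only for our own zones from outside
    zone "kdla.net" {
        type master;
        // Zone file holds: www IN A 205.204.186.250  (registered address)
        file "external/kdla.net.db";
    };
};
```

Two points a practitioner would check before deploying either fragment. First, `forward first` is not a safe substitute for `forward only` here: on forwarder failure it falls back to normal recursion and silently returns the public 205.204.186.250, which the firewall may not route from inside. Second, with views the order matters: `match-clients` is evaluated top to bottom, so the internal view must come before the catch-all `any` view, and the two zone files for kdla.net must be kept in step (same names, different A records) or internal and external clients will diverge in more than just addresses.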




More information about the bind-users mailing list