multiple domains behind firewall

Kevin Darcy kcd at daimlerchrysler.com
Thu Nov 9 04:13:52 UTC 2000


I'm not exactly clear why your reverse lookups are taking so long. Either
your server thinks it's authoritative for the reverse domain in question,
in which case it should answer immediately, or it should be asking some
other server which is authoritative for the reverse domain, which should
also answer immediately. Just because you have lots of groups maintaining
different pieces of your DNS doesn't mean lookups should slow to a crawl.
Think about how many different organizations maintain pieces of the
Internet DNS, and those answers usually come back much faster than 10
seconds!

I suspect your real problem is that these "experts" (I assume those were
scare quotes you were using) are in many instances incompetently
misconfiguring their DNS, and this is what is screwing up the lookups. The
best solution to that is political, of course, but, failing that,
judicious use of the "blackhole" or "bogus" options, or in some cases
duplicating the contents of other organizations' zones -- or whole
hierarchies! -- on your servers, may be effective forms of self-defense
against the bogosities of others.

Also, as much as I hate to admit it, in certain cases of
"balkanized" DNS-admin contexts, especially where some of the "admins"'
skillsets are below par, maybe the best solution would be to shoehorn
everyone into using some commercial "enterprise DNS" solution (e.g. NetID,
QIP). You'd probably lose some functionality and flexibility there, as
well as potentially performance, but at least your DNS would *work*. Of
course, given the cost and the "culture shock" of this "final solution",
I'm sure it would also require a lot of political wrangling to pull off.

I could offer up some additional thoughts and opinions on political
solutions, if you'd like, but I think that's probably a little off-topic
for this forum...


- Kevin

unixMAPS-ONguy at arizonaed.com wrote:

>   Like most companies our dns is a political hot potato.  We have
> several domains all coexisting behind "the firewall".  But each domain
> is handled by its own team of dns "experts".
>
>   For simplicity's sake, let's say I'm part of the server group.
> Companywide policy states every employee must have a PC.  But the PCs'
> DNS is registered under a different domain than the servers.  And each
> DNS won't talk to each other for political reasons.
>
>   Thus, it can take from 10 seconds to two minutes to never(!) to
> connect from our PCs to our servers because the reverse lookup of a PC
> won't resolve on our servers.
>
>   Any suggestions as to a solution would be greatly welcomed.
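The three self-defense measures Kevin mentions (blackhole, bogus, and carrying a local copy of another group's reverse zone) look like this in a BIND named.conf. This is an added illustration, not configuration from the original thread; the addresses and the 192.168.1.0/24 reverse zone are constructed placeholders, and it assumes the PC group's server permits zone transfers to you.

```conf
options {
    directory "/var/named";

    // Hosts in this list are never queried and never answered.
    // Use it for a misconfigured server that keeps your resolver
    // waiting on timeouts instead of replying.
    blackhole { 192.0.2.66; };
};

// "bogus yes" tells named never to send queries to this server,
// even when a referral names it as authoritative. Other servers
// for the same zone are still tried, so the lookup completes.
server 192.0.2.53 {
    bogus yes;
};

// Instead of depending on the other group's server being reachable
// for every PTR lookup, hold a secondary copy of their reverse zone
// on your own server so reverse lookups of PCs answer locally.
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "slave/1.168.192.in-addr.arpa";
    masters { 10.0.0.53; };
};
```

After reloading, a reverse lookup of a PC address should be answered from the local copy, and `named` will refuse the transfer (and log it) if the other group has not granted `allow-transfer` to your address.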