Domain Dependent DNS

Kevin Darcy kcd at
Wed Jan 28 19:04:31 UTC 2004

Michael B Allen wrote:

>I have a small LAN at home with a few machines and a Linksys router hooked
>up to a cable modem. One machine is running bind 8 with a standard set
>of zone files and two forwarders to my ISP's DNS. Works great.
>Now all of a sudden I'm using VPN to get onto the company Intranet but
>I don't work too much when I'm home so I'd like to access all networks
>at the same time so I can do a little work (very little) and then jump
>over to the raw internet. Routing isn't too much of a problem. I have
>a suitable set of masks to route traffic to the company WAN.
>But I'm having trouble contriving a reasonable setup to handle
>DNS. Currently I just copy in a different resolv.conf depending on what
>I'm doing but that's pretty ugly.
>So the question is: can I configure the name server on my LAN to use
>different forwarders depending on the domain of the name being queried? Or
>is there something I can do local to the machine doing the VPN?
>In truth it would be ideal if the local machine's name service client
>apparatus could be configured to use different DNS servers based on which
>domain was being accessed but also try alternate servers if the primaries
>do not immediately respond and then remember a cache of 1000 names or
>so. But I realize that's probably wishing for too much. I would settle
>for domain dependent DNS.
You could set up a BIND nameserver on your LAN that forwards by default 
to your Internet ISP and then uses "per-domain" forwarding or stub zones 
for all of the domains associated with your workplace (don't forget the 
reverse zones too!). E.g.

zone "" {                          /* company domain name goes here */
    type stub;
    file "";                       /* file where the stub's NS records are kept */
    masters { x.x.x.x; y.y.y.y; }; /* the zone's authoritative nameservers */
    forwarders { };                /* empty: exempt this zone from global forwarding */
};

zone "" {                          /* company domain name goes here */
    type forward;
    forwarders { x.x.x.x; y.y.y.y; }; /* company nameservers that honor recursion */
    forward only;                  /* never fall back to iterative resolution */
};
Where to use "type stub" and where to use "type forward"? Depends on 
your company's DNS infrastructure. "Type forward" requires the forwarder 
to honor recursion; "type stub" does not rely on recursion. "Type stub", 
however, requires direct connectivity to the nameservers for a 
particular zone (possibly a distant descendant of your company's main 
domain(s)), whereas "type forward" allows you to "tunnel" around that 
lack of connectivity via a compliant forwarder. "Type stub" is usually 
more efficient for deep namespace hierarchies because it caches all of 
the intermediate NS records. "Type forward" can be more efficient if the 
forwarders maintain a well-populated cache of commonly-looked-up names. 
If your company's DNS infrastructure is inconsistent about reachability 
and/or honoring recursion, you may find it optimal to configure a mix of 
stub and forwarding zones and/or subzones. Or, just go with the simple 
and possibly less efficient method of forwarding to your company's 
nameservers, which -- other than the fact that you probably benefit more 
from your own centralized caching -- is functionally the same as what 
occurs when you point your clients' resolvers to those same servers.

                                                   - Kevin
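As an added example (not from Kevin's message and not part of BIND), a small Python helper that renders the named.conf fragment this reply describes: global forwarding to the ISP, plus per-domain stub or forward-only zones for the workplace domains, with the in-addr.arpa reverse zones derived from the company prefixes so they are not forgotten. All addresses, domain names and the "stub/<name>.db" file naming are constructed placeholders.

```python
import ipaddress

# Constructed sample values for this example (not real addresses or domains).
ISP_FORWARDERS = ["203.0.113.53", "203.0.113.54"]
COMPANY_SERVERS = ["10.1.0.10", "10.1.0.11"]
COMPANY_DOMAINS = ["corp.example", "lab.corp.example"]
COMPANY_PREFIXES = ["10.0.0.0/8", "192.168.4.0/22", "172.16.5.128/25"]


def reverse_zone_names(cidr):
    """in-addr.arpa zone name(s) covering an IPv4 prefix.

    Octet-aligned prefixes (/8, /16, /24) give exactly one zone; a shorter
    unaligned prefix expands to one zone per /24 it contains; a prefix longer
    than /24 maps to its enclosing /24 (classless delegation not handled).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    if net.prefixlen % 8:
        return [z for s in net.subnets(new_prefix=24) for z in reverse_zone_names(str(s))]
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return [".".join(reversed(octets)) + ".in-addr.arpa"]


def render_zone(name, kind, servers):
    """One zone clause in the shape shown in the reply: stub or forward-only."""
    addrs = " ".join(f"{s};" for s in servers)
    if kind == "stub":
        body = ["    type stub;", f'    file "stub/{name}.db";',  # assumed file layout
                f"    masters {{ {addrs} }};",
                "    forwarders { };"]  # empty list exempts the zone from global forwarding
    else:
        body = ["    type forward;", f"    forwarders {{ {addrs} }};", "    forward only;"]
    return f'zone "{name}" {{\n' + "\n".join(body) + "\n};\n"


def render_named_conf(kind="forward"):
    """Global forwarding to the ISP plus company forward and reverse zones."""
    names = list(COMPANY_DOMAINS)
    for cidr in COMPANY_PREFIXES:
        for z in reverse_zone_names(cidr):
            if z not in names:  # two prefixes may share a reverse zone
                names.append(z)
    isp = " ".join(f"{s};" for s in ISP_FORWARDERS)
    out = [f"options {{\n    forwarders {{ {isp} }};\n    forward first;\n}};\n"]
    out += [render_zone(n, kind, COMPANY_SERVERS) for n in names]
    return "\n".join(out)
```

Pass "stub" to render_named_conf() to emit stub zones instead of forward-only ones; mixing the two per zone, as the reply suggests for inconsistent infrastructures, is a matter of calling render_zone() with a different kind for each name.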
