Split DNS Forward problem

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 23 00:08:21 UTC 2004


David Botham wrote:

>bind-users-bounce at isc.org wrote on 11/22/2004 02:03:57 PM:
>
>>Our company have been taken over by a larger company. Now I've to configure
>>our DNS that it resolves the domain names from the company that has taken us
>>over. Problem is that they are using a split DNS system.
>>So I can make for example a forward zone in my DNS and point that to the
>>internal nameserver. But then the external hostnames aren't resolvable.
>
>The premise behind a split DNS is that the internal clients do not need 
>the "external" information.  In other words, you are treated as either 
>"inside" the network or "outside" the network, not both.  You can be sure 
>that internal clients at the larger company do not resolve names from the 
>external zones.  If you are now "part of their network" you should be able 
>to survive with the same view of the name space as they do.
>
That may not be a feasible short- to medium-term solution. The larger 
corp may have a particular web-proxy architecture configured at each 
local site and/or into all of their clients' configs, which removes the 
need to be able to resolve Internet names from the inside, and it may 
not be reasonable to assume that the smaller corp can simply jump on 
that bandwagon on short notice. Believe me, I speak *directly* from 
experience here.

As an interim measure, it might be possible for the smaller corp to 
configure per-domain forwarding, slave zones or (in most cases 
preferably) stub zones for the apex of each internal namespace of the 
larger corp they want to see (hopefully there aren't too many distinct 
namespaces used internally). Both corps should, in the longer term, 
however, work together on a common web-proxy and DNS architecture. 
Different business units doing such things following different paradigms 
tends to lead to a lot of chaos and frustration for everyone concerned, 
including the end users.

                                                                         
                                    - Kevin
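
The three interim options named in the reply above (stub zone, per-domain forwarding, slave zone), sketched as a BIND 9 `named.conf` for the smaller corp's internal resolver. This is an added example, not part of the original post; the zone name `corp.bigco.example`, the file paths and all addresses are constructed placeholders.

```conf
// named.conf on the smaller corp's internal resolver (constructed example).
// Assumption: this server already forwards Internet lookups to an upstream
// resolver, and 192.0.2.10 / 192.0.2.11 are the larger corp's internal
// name servers for the internal namespace "corp.bigco.example".

options {
    directory "/var/named";
    forwarders { 198.51.100.53; };   // existing path for Internet names
};

// Option 1: stub zone. Only the NS records (and glue) of the apex are
// fetched from the listed servers; queries under the zone then go to those
// name servers, and delegations to child zones are followed normally.
zone "corp.bigco.example" {
    type stub;
    masters { 192.0.2.10; 192.0.2.11; };
    file "stub/corp.bigco.example";
    forwarders { };   // empty list: never send this namespace to the global forwarders
};

// Option 2: per-domain forwarding. Use instead of option 1, not alongside it.
// Every query under the apex is handed to the internal servers, which must
// be willing to recurse (or be authoritative) for everything below it.
// zone "corp.bigco.example" {
//     type forward;
//     forward only;                 // do not fall back to iterative resolution
//     forwarders { 192.0.2.10; 192.0.2.11; };
// };

// Option 3: slave zone. Use instead of option 1. Holds a full local copy,
// so the internal servers must permit zone transfers to this host.
// zone "corp.bigco.example" {
//     type slave;
//     masters { 192.0.2.10; 192.0.2.11; };
//     file "slave/corp.bigco.example";
//     forwarders { };               // follow delegations below the apex directly
// };
```

One zone statement is needed per internal namespace apex; `named-checkconf` will catch syntax errors and duplicate zone definitions before the server is reloaded.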




