DNS passthrough on no explicit result?

Sten Carlsen stenc at s-carlsen.dk
Fri Jan 31 17:10:04 UTC 2014 

I can add that this is what I do to solve the same problem.

I have one difference that you may consider:
I am a stealth master for my external zone, so all changes to IPs will
be controlled from my side and slaved on the public facing servers.

On 31/01/14 17:44, Rich Goodson wrote:
> Steve,
> 
> If you must use the same domain for internal names as external, here is
> one way to do that.
> 
> On the recursive resolving name server that you use inside your network,
> also make that server authoritative for the domain name in question.
>  You’ll need to do double-entry for every externally accessible resource
> record that you also want to access from inside the network.
> 
> So, for example:
> 
> External:
> SOA record
> example.com <http://example.com>. IN NS  ns1.example.com
> <http://ns1.example.com>.
> example.com <http://example.com>. IN  NS  ns2.example.com
> <http://ns2.example.com>.
> ns1   IN  A   external.ip.address
> ns2   IN   A  external.ip.address
> www   IN  A   external.ip.address
> mail    IN   A  external.ip.address
> example.com <http://example.com>.  10 IN MX mail.example.com
> <http://mail.example.com>.
> 
> Internal:
> SOA record
> example.com <http://example.com>.  IN  NS  ns3.example.com
> <http://ns3.example.com>.
> example.com <http://example.com>.  IN  NS  ns4.example.com
> <http://ns4.example.com>.
> ns3  IN  A  internal.ip.address
> ns4  IN  A  internal.ip.address
> www  IN   A  external.ip.address
> mail  IN  A  external.ip.address
> server1  IN  A  internal.ip.address
> example.com <http://example.com>.  10 IN MX mail.example.com
> <http://mail.example.com>.
> 
> Obviously, if you move your web site to a different server, you’ll need
> to change the IP on both the external and internal name servers.  
> 
> This configuration can cause confusion (you can’t resolve
> name.example.com <http://name.example.com>?  what resolver are you
> using?), but it does have some advantages, like you can specify
> jabber.example.com <http://jabber.example.com> in the external version
> of the zone to resolve to 12.34.56.78, and have jabber.example.com
> <http://jabber.example.com> in the internal version of the zone resolve
> to 10.11.12.13, but it depends on everyone inside the company using your
> supplied recursive resolvers.  
> 
> You can also keep recursive and authoritative separate by doing
> approximately this same thing but dedicating a server to your internal
> zone(s), then on your recursive resolvers using a forward statement or
> stub zones to short circuit recursion for that/those particular domain
> name(s).
> 
> Is this the right way to manage your name space?  I don’t know, but
> that’s a whole other argument.  Some people will tell you that you
> should absolutely use a different name internally than you do out on the
> Internet.  Some companies use example.com <http://example.com> outside
> and example.corp inside (this is what my current company does), but when
> the .corp TLD gets approved sometime in the indefinite and unknowable
> future, all of a sudden there are big problems (or a big migration).  
> 
> Good luck,
> 
> -Rich
> 
> On Jan 31, 2014, at 10:10 AM, Steve Presser <steve at pressers.name
> <mailto:steve at pressers.name>> wrote:
> 
>> Hey all,
>> Please forgive me if any of my terminology is off - I have not spent
>> as much time in the  documentation as I'd like.
>> I have an odd situation that I would like to know if it is possible
>> and would much appreciate a pointer to any relevant  documentation or
>> write-ups.
>> I manage a domain name which, for reasons of reliability, uses an
>> externally managed DNS server (zoneedit). We're looking to add private
>> network DNS for internal machines. I've got BIND up and running on an
>> internal machine. However, we have public records that need to be
>> accessible internally (SPF, DKMS, jabber servers, MXs, etc).
>> Additionally, using an internal-only namespace is not an option, due
>> to laptops which go in and out of the network and need to be able to
>> connect without settings modification.
>> I'm trying to figure out how to do some sort of pass through 
>> arrangement, where the internal BIND server will first attempt to do
>> the lookup with local records. If it has no local record, it will then
>> fall back to the answer returned by the external (zoneedit) server.
>> I know that if there was only one server, this would simply be split
>> horizon. However, I don't know what to call this setup, and am having
>> a hard time searching for it because of that. (So I apologize if this
>> is then a dumb question).
>>
>> Any help you can offer is much appreciated. Thanks!
>> Steve
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!"

More information about the bind-users mailing list