host your subdomain on your own ?
Grant Taylor
gtaylor at tnetconsulting.net
Sat Nov 13 16:20:20 UTC 2021
On 11/13/21 9:07 AM, Reindl Harald wrote:
> but you have to deal with it
And? So?
We have to deal with all sorts of things. The need to do our job is not
a reason in and of itself a reason to not do it.
> you missed my second post!
No, order of reply vs reading.
> * he needs the delegation because lack of control
Maybe I've lost context, but I thought the overall theme of the thread
was delegating to a private IP address.
> * when the clients network is using a public
> forwarder the delegation simply can't work
My thought was around three DNS servers.
1) Company A's local DNS server.
2) Company B's local DNS server.
3) Public DNS hierarchy which delegates A's domain to a private IP in
A's LAN.
If there is a VPN between company A and company B, then client's on
company B's LAN will use company B's local recursive DNS server. B's
recursive DNS server will receive the delegation from 3 to 1, traverse
the VPN to talk to A. Thus 2 will be able to resolve something
delegated to A's DNS server with private IP.
> * so the problem is lack of control and can't be solved
>
> personally i would simply add additional names point to the LAN
> addresses in my normal public zone, you don't even need a full subdomain
> zone for add "something.priv.example.com" poining to 192.168.196.10
>
> ------------
>
> and not to forget: most networks are forwarding to some public
> nameserver which can't reach your private named at all
I don't view -- what I consider to be -- questionable practice to be a
valid reason to not do something. A *LOT* of people smoked in the mid
19th century, and that's turned out to be not as good as once thought.
I would advocate for businesses to have their own LAN based DNS servers
that are authoritative for their own zone(s) and recursive for other
zones. If people want, they can have their local DNS server forward the
recursive responsibility elsewhere.
In some ways this thread is a re-hash of the venerable "Why can't Google
DNS figure out my private Active Directory? ... But WHY?!?!?!".
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20211113/8eb7986f/attachment.bin>
More information about the bind-users
mailing list