<div dir="ltr">Please don't encourage using "search" in resolv.conf or the Windows equivalent. Search domains make queries take longer, impose unnecessary load on resolvers and make diagnosis of issues harder because, when users say "it doesn't work", you have no idea what it was that didn't work.<div><br></div><div>I tried using separate subdomains for different interfaces on devices once and ran into exactly that problem. There's also the overhead of maintaining more zones than you really need.</div><div><br></div><div>My suggestion would be to replace the dot with a hyphen. That is, instead of:</div><div><a href="http://firewall1.example.com">firewall1.example.com</a> = Internet IP address<br><a href="http://firewall1.dmz.example.com">firewall1.dmz.example.com</a> = IP address on DMZ network<br><a href="http://firewall1.management.example.com">firewall1.management.example.com</a> = IP address on out-of-band management network<br></div><div><br></div><div>do:</div><div><br></div><div><a href="http://firewall1-internet.example.com">firewall1-internet.example.com</a> = Internet IP address<br><a href="http://firewall1-dmz.example.com">firewall1-dmz.example.com</a> = IP address on DMZ network<br><a href="http://firewall1-management.example.com">firewall1-management.example.com</a> = IP address on out-of-band management network<br></div><div><br></div><div>You could even CNAME firewall1 to firewall1-management as this is (presumably) the interface that users and monitoring/management tools will want to reach by default.</div><div><br></div><div>The hostname of the box is "firewall1" but each interface on it has a unique name, derived from the hostname plus a "-&lt;something&gt;" suffix. 
Select a set of well known and used suffixes for your environment.</div><div>If someone really wants to try and SSH to the Internet interface (though I don't understand why you would), they know the hostname and they know the suffix, so it's a simple matter of combining them.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 1 Mar 2024 at 21:11, Nick Tait via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<div>On 02/03/2024 03:42, Mike Mitchell via
bind-users wrote:<br>
</div>
<blockquote type="cite">
<pre>Our networking team is in the habit of entering the IP address of every
network interface on a router under one name. The very first address
entry is their out-of-band management interface. "rrset-order fixed" is
used on their domain for address records, so they can ssh to the router
by name reliably and not have to worry about interfaces that are down
or that filter SSH.
</pre>
</blockquote>
I wonder if an alternative (cleaner?) solution to your use case
could be to use different sub-domains for the different networks
(network interfaces)? For example:<br>
<blockquote><a href="http://firewall1.example.com" target="_blank">firewall1.example.com</a> = Internet IP address<br>
firewall1.<i>dmz</i>.<a href="http://example.com" target="_blank">example.com</a> = IP address on DMZ network<br>
firewall1.<i>management</i>.<a href="http://example.com" target="_blank">example.com</a> = IP address on
out-of-band management network<br>
</blockquote>
<p>If you did this you could make use of DNS search domains to allow
different parts of the network to resolve the unqualified name
"firewall1" differently. E.g. If you "ssh firewall1" from a
management host it could expand that to firewall1.<i>management</i>.<a href="http://example.com" target="_blank">example.com</a>?<br>
</p>
<p>Nick.<br>
</p>
</div>
</blockquote></div>
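A small zone lint for the hyphen-suffix convention discussed in the thread, added here as an example; it is not code from the post or from BIND. It assumes a fixed suffix set (internet, dmz, management), that the bare hostname is a CNAME to the management interface, and a constructed zone fragment in which firewall2 and firewall3 deliberately break the scheme.

```python
import re
from collections import defaultdict

# Assumed convention for this example: a fixed set of interface suffixes,
# and the bare hostname must be a CNAME to the management interface.
SUFFIXES = {"internet", "dmz", "management"}
DEFAULT_SUFFIX = "management"

# Constructed zone fragment (BIND zone-file syntax), not a real zone.
# firewall2 uses an ad-hoc suffix and a bare-name A record; firewall3 lacks a CNAME.
ZONE = """\
$ORIGIN example.com.
firewall1-internet    IN A     203.0.113.1
firewall1-dmz         IN A     192.0.2.1
firewall1-management  IN A     198.51.100.1
firewall1             IN CNAME firewall1-management
firewall2-mgmt        IN A     198.51.100.2
firewall2             IN A     198.51.100.2
firewall3-dmz         IN A     192.0.2.3
"""
RECORD = re.compile(r"^\s*(\S+)\s+IN\s+(A|CNAME)\s+(\S+)\s*$")

def parse_zone(text):
    """Collect A records as {name: [addr, ...]} and CNAMEs as {alias: target}."""
    a_records, cnames = defaultdict(list), {}
    for m in filter(None, map(RECORD.match, text.splitlines())):
        name, rtype, rdata = m.groups()
        if rtype == "A":
            a_records[name].append(rdata)
        else:
            cnames[name] = rdata
    return a_records, cnames

def check_convention(text):
    """Return human-readable violations of the hostname-suffix naming scheme."""
    a_records, cnames = parse_zone(text)
    problems, hosts = [], set()
    for name in a_records:
        host, sep, suffix = name.rpartition("-")
        if not sep:  # bare hostname carrying its own address instead of a CNAME
            problems.append(f"{name}: bare hostname has an A record, expected CNAME to {name}-{DEFAULT_SUFFIX}")
        elif suffix not in SUFFIXES:
            problems.append(f"{name}: unknown interface suffix '{suffix}'")
        else:
            hosts.add(host)
    for host in sorted(hosts - set(a_records)):  # bare-A hosts were already reported
        want = f"{host}-{DEFAULT_SUFFIX}"
        if cnames.get(host) != want:
            problems.append(f"{host}: expected CNAME to {want}, found {cnames.get(host)}")
    return problems
```

Running `check_convention(ZONE)` reports the two firewall2 records and the missing firewall3 CNAME while firewall1 passes.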