Solved

split dns setup

Posted on 2001-06-13
Last Modified: 2013-12-23
Hi,
   I would like to set up split DNS servers for
mydomain.com; which method works best?
Should I use a subdomain for the internal network?
I currently do not use a subdomain. What is the
easiest way to do this? Does anybody have a working
sample setup?

thanks in advance:
Question by:siunix
5 Comments
 
LVL 1

Expert Comment

by:mshivdas
ID: 6186429
You don't need to use a subdomain for the internal network.

What you do is populate the external DNS server with any entries that you want to have publicly visible.  The external server should be registered as the SOA for your domain and will handle all external queries.

Then, on the internal DNS server, you put in your internal addresses and your external addresses.  Internal clients are configured to resolve to the internal server.

How you handle resolution of addresses not in your domain for your internal clients will depend on your actual setup -- one option would be to configure things so that the internal server resolves to the external server, but the actual details of that setup are predicated on whether you have a firewall between the two machines, whether that firewall is running BIND, whether you would prefer to have the internal DNS server talk directly to the root servers, and a multitude of other variables.
 

Author Comment

by:siunix
ID: 6187386
Thanks for the input; I like your idea of not
creating a subdomain, because it would cause lots of
problems since lots of servers are already in the
domain.  We have a DMZ (PIX firewall) which has
the external DNS.  I thought you cannot have
the internal DNS as mydomain.com and the external
DNS as mydomain.com.  This is why I suggested using a
subdomain, like eng.mydomain.com, as the internal
DNS domain and forwarding all of mydomain.com to the
external DNS.  How do you forward the internal DNS to
the external DNS when using one domain.com?
Do you have a sample /etc/named.conf and /etc/resolv.conf
for the internal and external DNS?

thanks for your help :-)
 
LVL 1

Accepted Solution

by: mshivdas (earned 200 total points)
ID: 6189147
Assuming that the internal DNS server can talk to the external DNS server through the firewall, point the resolv.conf file on the internal DNS server to the external DNS server -- for example:

domain mydomain.com
nameserver x.x.x.x

where x.x.x.x is the IP address of the external DNS.

In named.conf, you would have entries like this:

zone "mydomain.com" in {
        type master;
        file "mydomain.com.hosts";
};

zone "77.0.10.IN-ADDR.ARPA" in {
        type master;
        file "77.0.10.rev";
};

The first entry indicates that the forward lookup entries for mydomain.com are in the file mydomain.com.hosts in whatever directory you've specified in the options section of the named.conf file -- for example:

options {
        directory "/var/namedb";
};

The second entry uses the example of the internal addresses being in the 10.0.77 network and indicates that the reverse lookup entries for that network are in the file 77.0.10.rev in the directory specified in the named.conf file.

Now, assuming that the external DNS server is capable of looking up any addresses that are not part of mydomain.com, any address that the internal server cannot resolve, which is not part of mydomain.com, will be referred to that server which will then query the root servers.  Note that the internal DNS server will NOT query the external DNS server for hosts in mydomain.com that it does not have entries for.  It will simply return a host not found -- that's why the internal DNS server should have all of the pertinent entries, whereas the external server just has the entries that you want to be publicly available.
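A small consistency check to go with the answer above (added here, not code from the thread). It assumes two constructed zone files for mydomain.com, one per view, and flags the two mistakes the answer warns about: a public name the internal server does not carry (internal clients get "host not found" for it, since the internal server never asks the external one about mydomain.com), and an internal address that slipped into the public zone.

```python
import ipaddress
# Constructed sample zone files for one domain in two views (not from the thread).
# The external file deliberately carries two defects the checks should catch:
# "mail" is absent from the internal view, and "intranet" leaks a 10/8 address.
EXTERNAL_ZONE = """\
$TTL 86400
@        IN SOA ns1.mydomain.com. hostmaster.mydomain.com. (2001061301 3600 900 604800 86400)
@        IN NS  ns1.mydomain.com.
ns1      IN A   192.0.2.10
www      IN A   192.0.2.20
mail     IN A   192.0.2.25
intranet IN A   10.0.77.40   ; mistake: internal-only host exposed to the Internet
"""
INTERNAL_ZONE = """\
$TTL 3600
@        IN SOA ns-int.mydomain.com. hostmaster.mydomain.com. (2001061301 3600 900 604800 3600)
@        IN NS  ns-int.mydomain.com.
ns-int   IN A   10.0.77.5
ns1      IN A   192.0.2.10   ; DMZ host we own: same address inside and out
www      IN A   192.0.2.20
intranet IN A   10.0.77.40
"""
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """{owner: {(rtype, rdata)}} for one-line RRs; ';' comments, $-directives, optional TTL/class."""
    records = {}
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if not tokens or tokens[0].startswith("$"):
            continue
        owner = tokens.pop(0)
        if tokens[0].isdigit():                      # optional TTL
            tokens.pop(0)
        if tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        records.setdefault(owner, set()).add((tokens.pop(0).upper(), " ".join(tokens)))
    return records

def names_missing_internally(internal, external):
    """Public names the internal view lacks: inside clients would get NXDOMAIN for them."""
    return sorted(name for name in external if name not in internal)

def private_addresses_in_external(external):
    """A/AAAA records in the public view that point into RFC 1918 space."""
    return sorted((owner, rdata) for owner, rrs in external.items() for rtype, rdata in rrs
                  if rtype in ("A", "AAAA") and any(ipaddress.ip_address(rdata) in n for n in PRIVATE_NETS))

def check_split(internal_text, external_text):
    internal, external = parse_zone(internal_text), parse_zone(external_text)
    return {"missing_internally": names_missing_internally(internal, external),
            "leaked_private": private_addresses_in_external(external)}
```

The parser handles only one-line records, so keep the SOA on a single line as in the samples.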
 
LVL 40

Expert Comment

by:jlevie
ID: 6189550
Yes, you can have an internal and external DNS for the same domain. As long as you define records on each DNS for nodes in the "other network" that need to be visible in that namespace, everything will work properly. Technically that is a split DNS, as there are two disjoint namespaces. And from a security standpoint, having a DNS running inside of the firewall is a good idea. For moderate sized private networks you can enhance security by having your inside DNS servers only forward non-local requests (requests for Internet names) to your DNS servers in the DMZ.

In practice a split DNS, whether by running two instances of named (prior to BIND 9 that's the only way) or by using views in BIND 9, is two disjoint namespaces. There is no overlap of zone file data, and each "view" of your domain must be complete for that namespace. In other words, the outside nameserver instance or view must contain all records that any Internet or DMZ server will need. In a like manner, the inside instance or view must contain data for all interior nodes as well as those nodes that you "own" in your DMZ. The two instances or views of the DNS will never consult each other for records associated with your domain, as each thinks that "it is the domain".
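For the BIND 9 views variant mentioned above, here is an added named.conf sketch (not from the thread) that serves both namespaces from one instance. It reuses the 10.0.77.0/24 internal network and the file names from the accepted answer; 192.0.2.10 is a placeholder for the DMZ resolver that inside queries are forwarded to.

```conf
options {
        directory "/var/namedb";
        recursion no;                  // default for any view that does not say otherwise
};

acl internal { 10.0.77.0/24; 127.0.0.1; };

view "internal" {
        match-clients { internal; };
        recursion yes;                 // inside clients may recurse through this server
        forwarders { 192.0.2.10; };    // placeholder: DMZ nameserver answers Internet names
        forward only;
        zone "mydomain.com" in {
                type master;
                file "internal/mydomain.com.hosts";   // complete inside view, DMZ hosts included
        };
        zone "77.0.10.in-addr.arpa" in {
                type master;
                file "internal/77.0.10.rev";
        };
};

view "external" {
        match-clients { any; };        // everyone not matched above
        recursion no;                  // authoritative only: no lookups on behalf of outsiders
        zone "mydomain.com" in {
                type master;
                file "external/mydomain.com.hosts";   // public entries only
        };
};
```

Views are matched in order, so the internal view must come first; a client outside the acl never sees the internal zone file.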
 

Author Comment

by:siunix
ID: 6191886
thanks for the help :-)
