split dns setup

Posted on 2001-06-13
Last Modified: 2013-12-23
Hi,
   I'd like to set up split DNS servers for mydomain.com; which method works best? Should I use a subdomain for the internal network? I currently do not use a subdomain. What is the easiest way to do this? Does anybody have a working sample setup?

Thanks in advance.
Question by: siunix
Expert Comment by: mshivdas
You don't need to use a subdomain for the internal network.

What you do is populate the external DNS server with any entries that you want to have publicly visible.  The external server should be registered as the SOA for your domain and will handle all external queries.

Then, on the internal DNS server, you put in your internal addresses and your external addresses.  Internal clients are configured to resolve to the internal server.

How you handle resolution of addresses not in your domain for your internal clients will depend on your actual setup -- one option would be to configure things so that the internal server resolves to the external server, but the actual details of that setup are predicated on whether you have a firewall between the two machines, whether that firewall is running BIND, whether you would prefer to have the internal DNS server talk directly to the root servers, and a multitude of other variables.
Author Comment by: siunix
Thanks for the input; I like your idea of not creating a subdomain, because it would cause lots of problems since lots of servers are already in the domain. We have a DMZ (PIX firewall) which has the external DNS. I thought you could not have the internal DNS as mydomain.com and the external DNS as mydomain.com. This is why I suggested using a subdomain, like eng.mydomain.com, as the internal DNS domain and forwarding all mydomain.com to the external DNS. How do you forward the internal DNS to the external DNS when using one domain.com?
Do you have a sample /etc/named.conf and /etc/resolv.conf for the internal and external DNS?

Thanks for your help :-)
Accepted Solution by: mshivdas (earned 200 total points)
Assuming that the internal DNS server can talk to the external DNS server through the firewall, point the resolv.conf file on the internal DNS server to the external DNS server -- for example:

domain mydomain.com
nameserver x.x.x.x

where x.x.x.x is the IP address of the external DNS.

In named.conf, you would have entries like this:

zone "mydomain.com" in {
        type master;
        file "mydomain.com.hosts";
};

zone "77.0.10.IN-ADDR.ARPA" in {
        type master;
        file "77.0.10.rev";
};

The first entry indicates that the forward lookup entries for mydomain.com are in the file mydomain.com.hosts in whatever directory you've specified in the options section of the named.conf file -- for example:

options {
        directory "/var/namedb";
};

The second entry uses the example of the internal addresses being in the 10.0.77 network and indicates that the reverse lookup entries for that network are in the file 77.0.10.rev in the directory specified in the named.conf file.

Now, assuming that the external DNS server is capable of looking up any addresses that are not part of mydomain.com, any address that the internal server cannot resolve, which is not part of mydomain.com, will be referred to that server which will then query the root servers.  Note that the internal DNS server will NOT query the external DNS server for hosts in mydomain.com that it does not have entries for.  It will simply return a host not found -- that's why the internal DNS server should have all of the pertinent entries, whereas the external server just has the entries that you want to be publicly available.
Expert Comment by: jlevie
Yes, you can have an internal and external DNS for the same domain. As long as you define records on each DNS for nodes in the "other network" that need to be visible in that namespace, everything will work properly. Technically that is a split DNS, as there are two disjoint namespaces. And from a security standpoint, having a DNS running inside of the firewall is a good idea. For moderate sized private networks you can enhance security by having your inside DNS servers only forward non-local requests (requests for Internet names) to your DNS servers in the DMZ.

In practice a split DNS, whether by running two instances of named (prior to BIND 9 that's the only way) or by using views in BIND 9, is two disjoint namespaces. There is no overlap of zone file data and each "view" of your domain must be complete for that namespace. In other words, the outside nameserver instance or view must contain all records that any Internet or DMZ server will need. In a like manner the inside instance or view must contain data for all interior nodes as well as those nodes that you "own" in your DMZ. The two instances or views of the DNS will never consult each other for records associated with your domain, as each thinks that "it is the domain".
Author Comment by: siunix
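Putting the accepted answer's zone declarations and jlevie's BIND 9 views together, here is an added example of a single named.conf that serves both namespaces from one server. It is not from any of the posters; it assumes inside clients are in 10.0.77.0/24 (the network from the accepted answer), that the DMZ/external resolver is at the placeholder address 192.0.2.53, and the zone file paths shown.

```conf
// Added example, not from the thread: one BIND 9 named.conf with two views.
// Assumptions: inside network 10.0.77.0/24, DMZ resolver 192.0.2.53
// (placeholder), zone files under /var/namedb/inside and /var/namedb/outside.
options {
        directory "/var/namedb";
};

acl "inside" { 10.0.77.0/24; 127.0.0.1; };

// Queries from the private network see the complete internal records,
// plus the reverse zone for 10.0.77.0/24. Names the server is not
// authoritative for are forwarded to the DMZ resolver; zones declared
// here are answered locally and never forwarded, so this view must
// contain every internal name you expect clients to resolve.
view "inside" {
        match-clients { "inside"; };
        recursion yes;
        forward only;
        forwarders { 192.0.2.53; };

        zone "mydomain.com" in {
                type master;
                file "inside/mydomain.com.hosts";
        };
        zone "77.0.10.in-addr.arpa" in {
                type master;
                file "inside/77.0.10.rev";
        };
};

// Everyone else gets only the publicly visible records and no recursion,
// so the server cannot be used as an open resolver from the Internet.
view "outside" {
        match-clients { any; };
        recursion no;

        zone "mydomain.com" in {
                type master;
                file "outside/mydomain.com.hosts";
        };
};
```

Once views are used, every zone statement must live inside a view; validate with named-checkconf (and named-checkzone for each zone file) before reloading named.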
thanks for the help :-)