Torus
asked on
internal and external DNS
i am using red hat ipchains to set up a firewall. Since the internal machines need to use internal internet service, i have set up a internal DNS
for local network and a external DNS for outside network. Both are using linux red hat. It works
fine. Both outside and inside machines can access my internal internet service using domain name.
But if a new internet service machine is added outside the firewall, i need to configure both external and internal DNS since if I don't add
it to the internal DNS, the machines inside the firewall can't query the IP of the new machine.
I feel very troublesome every time the IP is changed or a new machine is added outside firewall. I need to change both DNS.
Is there anyway that if a domain name can't be queried by the internal DNS, the request can be forwarded to external DNS automatically? If so, i can just change the external DNS. Also, internal machines can access the both internet service inside and outside the firewall without changing the config of internal DNS
or any other suggestions?
for local network and a external DNS for outside network. Both are using linux red hat. It works
fine. Both outside and inside machines can access my internal internet service using domain name.
But if a new internet service machine is added outside the firewall, i need to configure both external and internal DNS since if I don't add
it to the internal DNS, the machines inside the firewall can't query the IP of the new machine.
I feel very troublesome every time the IP is changed or a new machine is added outside firewall. I need to change both DNS.
Is there anyway that if a domain name can't be queried by the internal DNS, the request can be forwarded to external DNS automatically? If so, i can just change the external DNS. Also, internal machines can access the both internet service inside and outside the firewall without changing the config of internal DNS
or any other suggestions?
Not if you use the same domain name inside and outside of the firewall. Each of the DNS servers believe that they are authoritative for the domain and thus won't forward a request for that domain elsewhere. In a like manner there isn't a client side solution either. A client could have both DNS servers configured, but the first server that it uses has to have data for the inside and outside hosts. If there's no A, CNAME, or PTR record the DNS server will return a 'no data error' and the client won't ask the other server. The only time a second DNS server would be used would be when the first server can't be contacted.
When you create a split horizon (same names, different IPs)for internal and external DNS, you will have to manage the entirety of those domains on both DNS servers. The best way to manage a split horizon to create a subdomain for the machines that will have different ip's (like mycity.mydomain.com). That way you only have to manage a smaller piece of the domain (just the machines with different ip's) on both DNS servers. Then let your external DNS servers resolve for the rest.
ASKER
Sorry, I don't quite understand how will work.
Can you give me an example or more in detail.
Thanks
Can you give me an example or more in detail.
Thanks
That way that works is that you have your outside DNS servers configured to be your domain (mydomain.tld) and all outside servers are configured to be in that domain. The outside servers are configured to delegate authority for a sub-domain (inside.mydom.tld) to your inside DNS servers and of course all machines on the inside of the firewall are configured to be in the sub domain. So when an inside host needs to access an outside server it'll ask the inside DNS server, but since those know that they are only authoritative for a sub-domain they'll pass the request up to the outside servers.
Now this works if your Internet accessible servers are all located outside of the firewall. It becomes problematical if your servers are actually inside the firewall with Internet requests being port forwarded or passed through the firewall via static NAT translations. In particular web servers are a problem, especially when using name based virtual hosts. URL's are, of course, hostname sensitive. So if you have aweb server inside of the firewall it effectively has to properly respond to two names, e.g., web.mydomain.tld and web.inside.mydom.tld. SSH servers are also a problem for a similar reason.
Now this works if your Internet accessible servers are all located outside of the firewall. It becomes problematical if your servers are actually inside the firewall with Internet requests being port forwarded or passed through the firewall via static NAT translations. In particular web servers are a problem, especially when using name based virtual hosts. URL's are, of course, hostname sensitive. So if you have aweb server inside of the firewall it effectively has to properly respond to two names, e.g., web.mydomain.tld and web.inside.mydom.tld. SSH servers are also a problem for a similar reason.
ASKER
Well, i think it is not applicable in my situation to set a subdomain internally and domain outside. I think I need
to set to access the services in the same name no matter inside or outside firewall.
to set to access the services in the same name no matter inside or outside firewall.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok,anyway.
Thanks
Thanks
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY. Moderators Computer101, Netminder or Mindphaser will return to finalize these if they are still open in 7 days. Experts, please post closing recommendations before that time.
Below are your open questions as of today. Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response. This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database. If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
--> Post comments for expert of your intention to delete and why
--> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.
For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
https://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process. https://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp
Click you Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.
Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added. When you grade the question less than an A, please comment as to why. This helps all involved, as well as others who may access this item in the future. PLEASE DO NOT AWARD POINTS TO ME.
To view your open questions, please click the following link(s) and keep them all current with updates.
https://www.experts-exchange.com/questions/Q.20113737.html
https://www.experts-exchange.com/questions/Q.20193168.html
https://www.experts-exchange.com/questions/Q.20005308.html
https://www.experts-exchange.com/questions/Q.20296201.html
https://www.experts-exchange.com/questions/Q.20298574.html
https://www.experts-exchange.com/questions/Q.20300775.html
***** E X P E R T S P L E A S E ****** Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
https://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
POINTS FOR EXPERTS awaiting comments are listed in the link below
https://www.experts-exchange.com/commspt/Q.20277028.html
Moderators will finalize this question if in @7 days Asker has not responded. This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
Below are your open questions as of today. Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response. This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database. If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
--> Post comments for expert of your intention to delete and why
--> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.
For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
https://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process. https://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp
Click you Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.
Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added. When you grade the question less than an A, please comment as to why. This helps all involved, as well as others who may access this item in the future. PLEASE DO NOT AWARD POINTS TO ME.
To view your open questions, please click the following link(s) and keep them all current with updates.
https://www.experts-exchange.com/questions/Q.20113737.html
https://www.experts-exchange.com/questions/Q.20193168.html
https://www.experts-exchange.com/questions/Q.20005308.html
https://www.experts-exchange.com/questions/Q.20296201.html
https://www.experts-exchange.com/questions/Q.20298574.html
https://www.experts-exchange.com/questions/Q.20300775.html
***** E X P E R T S P L E A S E ****** Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
https://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
POINTS FOR EXPERTS awaiting comments are listed in the link below
https://www.experts-exchange.com/commspt/Q.20277028.html
Moderators will finalize this question if in @7 days Asker has not responded. This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
Torus:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
refund..
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: jlevie {http:#7005163}
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
paullamhkg
EE Cleanup Volunteer
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: jlevie {http:#7005163}
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
paullamhkg
EE Cleanup Volunteer