DNS Question
Bill Gradwohl
bill at ycc.com
Fri Dec 17 22:29:00 UTC 2004
Nathaniel Hall wrote:
> Our DNS resolves domain.com. I have system1.domain.com correctly
> resolving using the DMZ DNS.
> The ISP DNS also resolves system1.domain.com for users outside the
> firewalls. In addition to system1, system2.domain.com resolves on the
> ISP DNS from the outside.
>
> If I am on the inside and try to resolve system2.domain.com, it
> doesn't get resolved because it is not setup in the DMZ DNS. I want
> to be able to resolve system2.domain.com by passing the query from the
> DMZ DNS to the ISP DNS.
>
When you set up DNS, you declare that it is authoritative for the
domain. That's the basic premise. Then when you ask it to resolve
something associated with the domain, it knows it's authoritative for the
domain and therefore doesn't have to ask anyone else for anything. It is
THE authoritative reference. That's the problem you face. You have
declared on the one hand that your DNS server is authoritative, and then
on the other hand you say it isn't authoritative. You can't have it both
ways to the best of my knowledge.
Maybe what you should do is what we do. Internally, we run a bogus
domain to resolve internal boxes - private.ycc. Then when we ask for
www.ycc.com (our public real domain is ycc.com) our internal DNS knows
it's not authoritative for that domain and asks the DNS servers we have
at our ISP that are authoritative for the ycc.com domain to resolve the
addresses. All our internal boxes are told they are part of the
"private.ycc" domain and therefore there are no conflicts.
You may also want to look into split horizon DNS where, depending on who
is asking for name resolution, the DNS server gives out different
answers, usually either a private or public IP address. BIND 9 has it,
but it's messy to set up. DJBDNS is easier to set up but doesn't have
very many followers. The different "zone" files don't have to have
identical named elements, so maybe that can solve your problem as well.
--
Bill Gradwohl
bill at ycc.com
http://www.ycc.com
spamSTOMPER Protected email
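Added example, not from Bill's message or from the fedora-list: a minimal BIND 9 split horizon setup using views, the approach mentioned at the end of the reply. One named.conf serves domain.com twice, with an internal zone file that lists both system1 and system2 (private addresses) for clients inside the firewall, and an external zone file with public addresses for everyone else. The address ranges, ACL name and file paths are assumed placeholders.

```conf
// named.conf fragment (assumed paths and address ranges)

// Clients that count as "inside": RFC 1918 ranges plus the server itself.
acl "internal" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    127.0.0.1;
};

options {
    directory "/var/named";
};

// Inside view: answers with private addresses and recurses for
// everything else, so system2.domain.com resolves from the inside
// as long as it is present in internal/domain.com.zone.
view "internal" {
    match-clients { "internal"; };
    recursion yes;

    // Root hints must be declared inside every view once views are used.
    zone "." {
        type hint;
        file "named.ca";
    };

    zone "domain.com" {
        type master;
        // lists system1 and system2 with their private addresses
        file "internal/domain.com.zone";
    };
};

// Outside view: authoritative answers only, public addresses only.
// Recursion is off so the DMZ server is not an open resolver.
view "external" {
    match-clients { any; };
    recursion no;

    zone "domain.com" {
        type master;
        // lists system1 and system2 with their public addresses
        file "external/domain.com.zone";
    };
};
```

The ordering matters: BIND picks the first view whose match-clients matches, so the internal view must come before the catch-all external view. Once any view exists, every zone, including the root hints, has to live inside a view or named refuses to load. Keep the two zone files in sync by hand (or from a template), since a host added to only one of them is exactly the symptom described in the original question.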