Internal/External DNS issues

Kevin Darcy kcd at daimlerchrysler.com
Wed Feb 9 22:27:35 UTC 2000


jimserio at my-deja.com wrote:

> My company uses an external DNS server to provide our nameservice. But
> for various reasons it's been decided that we set up an internal DNS
> server. At first it was just a caching NS for our workstations, but we
> have added a few internal machines that only our internal users need
> access to. So I figured it would be pretty easy to set up a zone file for
> our domain with just these internal hosts and then change the
> workstations' DNS server to our internal one. Well, the internal hosts
> (i.e. dev1, dev2, etc.) resolve just fine, but it cannot resolve any of
> the external hostnames (www, ftp, etc.).
>
> The DNS HowTo seems pretty vague on what a forwarder does, but it was
> my understanding that when a DNS server could not resolve a hostname
> it passed the request to one of the DNS servers in the forwarder list.
>
> In either case, it appears that my only option is to duplicate all the
> hostnames from our external (read: REAL) DNS servers to our internal
> DNS server, which seems to be too much work. So, my question is, can
> you operate an internal DNS server that, if it cannot resolve a host
> for its domain, passes that request to one of the "authoritative" DNS
> servers?

A BIND 4 or BIND 8 nameserver will not forward a query if it is
authoritative for the zone which contains the name being queried. If your
internal names are in *different* zones than your external names, then
there are some configuration tricks you can play to prevent the nameservers
from forwarding queries in those particular zones to your external server,
but if you want internal and external names in the *same* (logical) zone,
I'm afraid you're stuck maintaining separate internal-versus-external
versions for now.

The "views" mechanism specified in the _DNS_and_BIND_ book would allow
conditional forwarding of a query if the name isn't found otherwise. It has
been said that BIND 9, currently in Beta, may implement this functionality.
(Or maybe it already _has_, and I'm just too dense to recognize it). There
are some mailing lists for BIND 9 discussion; you might try asking about
this feature there. But bear in mind that the "production" release of
BIND 9 is still months away...


- Kevin
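The "different zones" workaround Kevin describes, as an added configuration example (not from his post or from the BIND project): a BIND 8 named.conf in which the internal server is master only for a separate internal zone and forwards every other query to the external server. The zone names example.com and corp.example.com, the forwarder address 192.0.2.53, and the 10.0.0.0/8 internal network are all assumed placeholder values.

```conf
// Added example, not from the original post. All names and addresses
// below are constructed placeholders.
options {
    directory "/var/named";

    // Queries for names this server is NOT authoritative for are sent
    // to the external (real) nameserver. "forward only" never falls
    // back to iterative resolution, so if the forwarder is unreachable
    // the lookup fails rather than going out to the roots.
    forwarders { 192.0.2.53; };
    forward only;

    // Defensive: the internal server should answer only internal
    // clients, so internal hostnames are not exposed to the outside.
    allow-query { 10.0.0.0/8; 127.0.0.1; };
};

// Internal hosts live in a *different* zone (corp.example.com), so
// dev1.corp.example.com is answered locally, while www.example.com is
// covered by no zone this server is master for and is forwarded.
// Had this zone been "example.com" instead, the server would answer
// NXDOMAIN for www and ftp itself and never consult the forwarder.
zone "corp.example.com" {
    type master;
    file "db.corp.example.com";
};
```

The trade-off is that internal users must address the internal machines under the internal zone name (dev1.corp.example.com rather than dev1.example.com), which is exactly the split Kevin says you cannot avoid with BIND 4 or BIND 8 when both sets of names share one zone.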