Domain Dependent DNS
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jan 28 19:04:31 UTC 2004
Michael B Allen wrote:
>I have a small LAN at home with a few machines and a Linksys router hooked
>up to a cable modem. One machine is running bind 8 with a standard set
>of zone files and two forwarders to my ISP's DNS. Works great.
>
>Now all of a sudden I'm using VPN to get onto the company Intranet but
>I don't work too much when I'm home so I'd like to access all networks
>at the same time so I can do a little work (very little) and then jump
>over to the raw internet. Routing isn't too much of a problem. I have
>a suitable set of masks to route traffic to the company WAN.
>
>But I'm having trouble contriving a reasonable setup to handle
>DNS. Currently I just copy in a different resolv.conf depending on what
>I'm doing but that's pretty ugly.
>
>So the question is: can I configure the name server on my LAN to use
>different forwarders depending on the domain of the name being queried? Or
>is there something I can do local to the machine doing the VPN?
>
>In truth it would be ideal if the local machine's name service client
>apparatus could be configured to use different DNS servers based on which
>domain was being accessed but also try alternate servers if the primaries
>do not immediately respond and then remember a cache of 1000 names or
>so. But I realize that's probably wishing for too much. I would settle
>for domain dependent DNS.
>
You could set up a BIND nameserver on your LAN that forwards by default
to your Internet ISP and then uses "per-domain" forwarding or stub zones
for all of the domains associated with your workplace (don't forget the
reverse zones too!). E.g.
    zone "example.com" {
        type stub;
        file "example.com";
        masters { x.x.x.x; y.y.y.y; };
        forwarders { };
    };

or

    zone "example.com" {
        type forward;
        forwarders { x.x.x.x; y.y.y.y; };
        forward only;
    };
Where to use "type stub" and where to use "type forward"? Depends on
your company's DNS infrastructure. "Type forward" requires the forwarder
to honor recursion; "type stub" does not rely on recursion. "Type stub",
however, requires direct connectivity to the nameservers for a
particular zone (possibly a distant descendant of your company's main
domain(s)), whereas "type forward" allows you to "tunnel" around that
lack of connectivity via a compliant forwarder. "Type stub" is usually
more efficient for deep namespace hierarchies because it caches all of
the intermediate NS records. "Type forward" can be more efficient if the
forwarders maintain a well-populated cache of commonly-looked-up names.
If your company's DNS infrastructure is inconsistent about reachability
and/or honoring recursion, you may find it optimal to configure a mix of
stub and forwarding zones and/or subzones. Or, just go with the simple
and possibly less efficient method of forwarding to your company's
nameservers, which -- other than the fact that you probably benefit more
from your own centralized caching -- is functionally the same as what
occurs when you point your clients' resolvers to those same servers.
- Kevin
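A fuller named.conf sketch of the split layout Kevin describes, added here as an illustration; it is not part of the original thread. Every address and name in it is a placeholder: 192.0.2.0/24 stands in for the ISP's resolvers, 198.51.100.0/24 for the company nameservers reached over the VPN, 10.0.0.0/8 for the company's internal address space, 192.168.1.0/24 for the home LAN, and example.com for the company domain.

```conf
options {
    directory "/var/named";

    // Default path: anything not matched by a more specific zone below
    // goes to the ISP's resolvers (placeholder addresses).
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward first;    // fall back to iterative resolution if the ISP's servers do not answer

    // Only the home LAN may use this server as a recursive resolver.
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};

// Company forward zone: queries under example.com go to the internal
// nameservers through the VPN. "forward only" matters here: if the
// forwarders are unreachable the answer is SERVFAIL, instead of named
// walking the public tree from the root and sending internal hostnames
// to the Internet, which "forward first" would do.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 198.51.100.10; 198.51.100.11; };
};

// Reverse zone for the company's RFC 1918 space, so PTR lookups for
// VPN-side addresses take the same path (the "don't forget the reverse
// zones" point above).
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 198.51.100.10; 198.51.100.11; };
};

// A subdomain whose authoritative servers are reachable directly over
// the VPN: a stub zone. The empty forwarders list overrides the global
// forwarders for this zone only, so named follows the delegation itself
// and caches the intermediate NS records.
zone "lab.example.com" {
    type stub;
    file "stub.lab.example.com";
    masters { 198.51.100.20; };
    forwarders { };
};
```

Two practical checks: the forwarder and masters addresses must be covered by the routes pushed over the VPN, otherwise those queries leave in the clear toward the Internet and simply time out; and on BIND 9 the syntax can be validated with `named-checkconf` before reloading (BIND 8, which the question refers to, has no equivalent tool, so a reload with a syntax error is the only feedback).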