Public and Private A Records in a Forward Zone

Kevin Darcy kcd at daimlerchrysler.com
Tue Jan 18 21:35:45 UTC 2005


Martin McCormick wrote:

>	We delegated a zone for an Active Directory operation on our
>campus about a year ago and I was looking at their zone recently.  It
>has normal public IP-space A records in it but also hundreds of A
>records that have private IP-space addresses.
>
>	I asked the DNS administrator for that zone what these were
>for and he explained that they were mostly for one of our remote
>campuses.
>
>	I have been telling anybody who will listen that this is a
>very bad thing because the private addresses end in our domain name
>and can be looked up from anywhere in the universe with Internet
>Access.  Queries might be made to the DNS that result in address
>replies containing unreachable addresses.
>
>	The real solution might be a split DNS at every campus but
>then we would have to maintain a copy of our public address space in
>addition to the private space for use by our internal customers.
>
>	Is there any other solution I am not thinking about?
>
>	Maintaining a parallel version of a dynamic zone and keeping
>it synchronized with the outside view doesn't sound like much fun.
>
>	As it stands now, our master zone has NS records in it for the
>Active Directory controllers so we pretty much have to take whatever
>is there.
>
>	Is this a common problem?  I am surprised things work as well
>as they do.  It simply looks so _WRONG_!
>Ah for the good old days when our zone was orthogonal, both forward
>and reverse and there were no junk private records in it.  We've got
>over 500 right now.
>
>	Thanks for any thoughts on this matter.
>
Our local security policy forbids advertising internal addresses in the 
external DNS (just in case anyone looks, yes, there are some violations 
of that policy that we need to track down and fix). We've just bitten 
the bullet, and do parallel updates to the internal and external DNS, 
via our homegrown DNS-maintenance software. But then, DNS maintenance is 
highly centralized here. The parallel-update solution might not scale 
very well if your DNS maintenance is very distributed...

                                                                         
                                                   -Kevin
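The "track down and fix" step Kevin mentions, and the 500-odd private records Martin is looking at, both start with the same audit: list every A record in the externally visible zone whose address is not public. The script below is an added example, not code from either poster; it walks a zone in master-file format with a small regex (a real zone parser such as dnspython copes with more syntax), checks each A record against the RFC 1918 blocks and a few other non-routable ranges, and summarizes the hits per block. The zone data is constructed for the example and the list of blocked networks is an assumption to adjust to local policy.

```python
import ipaddress
import re

# Address blocks that should never appear in an externally visible zone.
# RFC 1918 private space plus a few other non-routable ranges; this list
# is an assumption of the example, extend it to match local policy.
NON_PUBLIC_NETS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8",                                     # loopback
        "169.254.0.0/16",                                  # link-local
        "0.0.0.0/8",                                       # "this" network
    )
]

# Constructed sample zone in master-file format, standing in for a zone
# transferred out of an Active Directory controller.  Not a real zone.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
$TTL 3600
@               IN  SOA  ns1.example.edu. hostmaster.example.edu. (
                         2005011801 3600 900 604800 3600 )
@               IN  NS   ns1.example.edu.
www             IN  A    198.51.100.10
ns1             IN  A    198.51.100.53
dc01            IN  A    10.1.2.3
fileserver      IN  A    192.168.40.7
printer-remote  IN  A    172.20.5.9   ; remote campus, only reachable over the WAN
mail            IN  A    198.51.100.25
"""

# Matches "<owner> [ttl] [class] A <address>" on a single line, which is the
# flat shape dynamic-update zones normally have.
A_RECORD = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s*$",
    re.IGNORECASE,
)


def find_non_public_a_records(zone_text):
    """Return (owner, address, matching_network) for every A record whose
    address falls inside one of NON_PUBLIC_NETS, in zone order."""
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()   # drop trailing comments
        m = A_RECORD.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue   # malformed address; a separate lint should catch it
        for net in NON_PUBLIC_NETS:
            if addr in net:
                findings.append((m.group("owner"), str(addr), str(net)))
                break
    return findings


def summarize(findings):
    """Count offending records per network block, e.g. for a recurring report."""
    counts = {}
    for _owner, _addr, net in findings:
        counts[net] = counts.get(net, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_non_public_a_records(SAMPLE_ZONE)
    for owner, addr, net in hits:
        print(f"{owner:20s} {addr:16s} in {net}")
    print("totals:", summarize(hits))
```

Run it against the output of a zone transfer (or the zone file itself) from the public-facing server; anything it lists is either a record to move into an internal-only view or a record to delete. Scheduling it is a cheap way to notice when new private records creep back into a dynamically updated zone.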




More information about the bind-users mailing list