how can intranet and Internet DNS coexist

Kevin Darcy kcd at daimlerchrysler.com
Sat Sep 25 00:28:29 UTC 1999


Kevin wrote:

> We have a simple corporate network with a T1 connection to the
> Internet and a local DNS (Win NT4.0 SP5) server. All LAN PCs are
> configured to point to that local DNS server for Internet name
> resolution. Recently we connected our network to another large
> corporate network which has its own intranet and consequently DNS
> servers. However, these DNS servers are private and only have
> information about the private domain and subdomains.
>
> Here is my question: How can I configure my local PCs to go to my
> local DNS server for Internet name resolution and to the private DNS
> server for name resolution on the remote intranet? I have tried
> configuring the PCs with both DNS entries but it doesn't seem to
> work. The network whose DNS server is listed first works, the other
> doesn't.

Correct. The nameserver list in a resolver is only for availability of
SERVERS not of NAMES. As soon as you get a reasonable answer from one of
the nameservers in the list, none of the others are tried.

(Curiosity question: does the resolver still keep going if it gets a
SERVFAIL response?)

> Is there a way that I could instruct my local DNS server to talk to
> the remote private DNS server when a query comes in for that private
> domain?

Yes, in theory there are at least two ways that your servers can have
knowledge of the other organization's DNS data. The "old-fashioned" way
is to make your DNS server a slave for all of the other organization's
internal zones. A "new-fashioned" option would be to use selective
forwarding, but I doubt that's available on your NT 4.0 platform. Even
if selective forwarding is available, sometimes for performance reasons
it's better to be a slave (depending on how large the zones are, how
frequently they change, what TTL/refresh settings are in effect, etc.).

There's one possible gotcha you need to keep in mind, though: if the
other organization has a "shadow" DNS domain on the Internet, when you
become slave to the internal version, you lose visibility to that
"shadow". This can have a big impact on mail routing and so forth. It
gets even worse if they have some of the same names in BOTH versions of
their DNS, but with different addresses. Before you blindly start
feeding off of their internal DNS data, you might want to discuss the
possible ramifications with them so you don't have any surprises.


- Kevin
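For readers wanting to see what the two options above look like on a BIND server, here is an added example (not part of Kevin's reply, and not NT 4.0 configuration) of named.conf fragments for a slave zone and for a selective-forwarding zone. `partner.example`, the addresses `10.1.2.53` and `10.1.2.54`, and the file path are placeholders standing in for the other organization's private domain and its internal nameservers.

```conf
// Added example, not from the original post. Placeholders:
//   partner.example        - the other organization's private DNS domain
//   10.1.2.53, 10.1.2.54   - that organization's internal nameservers
// Only ONE of the two "partner.example" zone stanzas below may be active;
// named refuses to load two definitions of the same zone name.

options {
    directory "/var/named";
    // Ordinary Internet name resolution for every other name is unchanged:
    // the server still recurses from the root servers.
    recursion yes;
};

// Option 1 - the "old-fashioned" way: be a slave (secondary) for the
// partner's internal zone. The partner must permit zone transfers (AXFR)
// to this server's address, and the full zone contents land on disk here.
zone "partner.example" {
    type slave;
    file "slave/partner.example.db";
    masters { 10.1.2.53; 10.1.2.54; };
};

// Option 2 - selective forwarding: only queries for names under
// partner.example are sent to the partner's servers; nothing is copied.
// "forward only" means that if those servers fail, the answer is SERVFAIL
// rather than a fallback to normal recursion ("forward first" would fall
// back, which would silently reach any public "shadow" version of the
// domain instead of the private one).
// zone "partner.example" {
//     type forward;
//     forward only;
//     forwarders { 10.1.2.53; 10.1.2.54; };
// };

// Reverse lookups for the partner's private address space need the same
// treatment, whichever option is chosen (placeholder reverse zone):
zone "2.1.10.in-addr.arpa" {
    type slave;
    file "slave/2.1.10.in-addr.arpa.db";
    masters { 10.1.2.53; 10.1.2.54; };
};
```

After reloading, a check from a LAN host is `dig @<local-server> host.partner.example` (should be answered from the slave copy or from the forwarders) alongside `dig @<local-server> www.isc.org` (should still be resolved via the Internet as before). Both options make the partner's internal data the only data your server will ever return for that domain, which is exactly the "shadow domain" caveat above: any public version of `partner.example` becomes invisible to your clients, so the set of names and MX records in the internal copy should be agreed on with the partner before either stanza goes live.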



More information about the bind-users mailing list