Forwarding from Internal DNS server.

union union at icon.co.za
Fri Feb 4 15:18:21 UTC 2000


Hi Kevin, Jim

Thanks for the responses!

I will try to better explain what I am trying to achieve.

The setup I am trying to put into effect is a split namespace to do the
following:

Let all internal hosts resolve all internal names from the internal DNS
system, and all external Internet names be resolved by the local ISP's DNS.
(I was hoping that the internal DNS would be able to forward these queries
on to the ISP's DNS.) i.e. internally we want to see the internal namespace +
the external Internet namespace.
All external Internet hosts can only see a subset of our internal namespace
(shadow namespace hosted on the ISP's DNS). Address translation takes place
through the firewall.
Internal default routes on local LANs point to the local firewall.
The objective:
If an address request for an external Internet host, made from an internal
host, "COULD?" be obtained by the internal DNS system forwarding all
unresolved external queries to the ISP's DNS, then internal users should be
able to browse/send mail/FTP both internally and externally.

If I change the DNS setup so that internal hosts can only see the internal
namespace on internal DNS servers, then I have to set up a local mail relay
host (that uses the ISP's DNS, and my internal DNS wildcard MXs will point
to this relay) to forward all Internet mail. I would also then have to set
up a proxy server (which also uses the local ISP's DNS) to allow
browsing/FTPing on the Internet. This model now means that I have to
maintain a mail relay, proxy server, and internal DNS system. I guess on the
different internal root servers I could try and set up the wildcard MXs to
point to their local mail relay. While the approach that I was trying to get
working above means that I need to only maintain an internal DNS system, and
an externally resolvable name would allow the default routes to use the
local ISP connection.

Is it not possible to get the first method working?? And if so, what are my
missing components?

Thanks

union at icon.co.za


----- Original Message -----
From: Kevin Darcy <kcd at daimlerchrysler.com>
To: <comp-protocols-dns-bind at moderators.isc.org>
Sent: Friday, February 04, 2000 2:27 AM
Subject: Re: Forwarding from Internal DNS server.


> >>>>> ">" == union  <union at icon.co.za> writes:
>
>     >> With my original forwarding question, Would it help if I
>     >> upgrade my version of bind to 8.x.x and create a "view" to
>     >> forward on NXDOMAIN to my ISP's DNS, from my internal root
>     >> server???
>
> I guess I still don't quite understand what you're trying to accomplish.
> I *thought* you wanted to "customize" your wildcard MX responses so that
> clients would always send mail out the "closest" outbound mail gateway.
> But I don't see how resolving the queries externally is going to achieve
> that. If one of your clients MX queries, say, daimlerchrysler.com, and
> the query is resolved externally by *any* normally-configured Internet
> DNS server, the client will get a set of Internet addresses as a
> response. But that isn't going to tell the client what its
> "closest" outbound gateway is, so how does it help you achieve your goal?
>
> Are you perhaps expecting that each ISP will provide their own internal
> roots with their own MX wildcards pointing to their servers, for the
> consumption of your clients, and then you'd just use "views" to present
> these different MX-wildcards to different sets of clients? Before you
> build an architecture on that assumption, I'd ask the ISPs whether they
> are willing to do that and/or how much they would charge for the service.
> I'm not in the ISP business, but I think that this is *not* the way their
> mail routing is usually architected; it'd be a "special" that they'd have
> to set up just for you.
>
> So, to (finally) answer your question, as best I can: if "views" are
> implemented similarly to what is in the _DNS_and_BIND_ book, then I think
> you could probably make a "different wildcards from each ISP" scheme
> work, *if* you can somehow get all of the ISPs to co-operate, and *if*
> you're willing to maintain all of those "views" and *when* BIND 9 comes
> out.
>
> Of course, if you have enough nameservers on your intranet, you could
> accomplish basically the same thing, without requiring any special
> configuration by your ISPs, by just dividing your intranet into
> different DNS "universes" each with their own internal root server with a
> different set of MX wildcards. But I think both Jim and I agree that
> multiple internal roots in the same enterprise is a Bad Idea.
>
> Have you given the "sortlist" idea any more thought? I think it would
> entail less maintenance than the "views" approach and is something you
> could implement today without proliferating internal roots.
>
>
> - Kevin
>
>
>

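The first model the poster asks about (internal servers authoritative for the internal namespace, everything else forwarded to the ISP's resolvers) is the standard way to build an internal resolver, with one condition the thread touches on but does not spell out: the internal server must NOT be an internal root. BIND only consults forwarders for names that fall outside every zone the server holds; a server that is authoritative for "." holds every name and simply answers NXDOMAIN for anything it does not have, so "forward on NXDOMAIN" is not something BIND does. The following named.conf is an added example written for this editorial pass, not a configuration from anyone in the thread. It uses BIND 9 syntax (ACLs and per-zone options; Kevin notes BIND 9 was not yet released when the thread was written). The zone name corp.example, the internal network 10.0.0.0/8, the server addresses 10.0.0.53/10.0.0.54 and the ISP resolver addresses 192.0.2.53/192.0.2.54 are all assumed placeholders.

```conf
// Added example, not from the thread. Assumed names and addresses:
// internal zone corp.example, internal network 10.0.0.0/8, this server at
// 10.0.0.53, an internal secondary at 10.0.0.54, ISP resolvers at
// 192.0.2.53 and 192.0.2.54 (RFC 5737 documentation addresses).

acl internal-nets { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; 127.0.0.1; };

    // Only internal hosts may query this server or use it recursively.
    // An internal resolver reachable from the Internet is an open resolver
    // and an amplification source, so restrict both.
    allow-query     { internal-nets; };
    allow-recursion { internal-nets; };

    // Every name this server is not authoritative for goes to the ISP.
    // "forward only" means: never fall back to iterating from the public
    // roots ourselves. If both ISP resolvers are down, external resolution
    // fails instead of silently bypassing the ISP path.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;

    // Do not hand the version string to anyone who can reach the port.
    version "not disclosed";
};

// Deliberately NO zone "." here. With an internal root zone loaded, every
// name is inside a zone this server holds, the forwarders are never used,
// and external names get NXDOMAIN from the local root.

// Internal namespace, authoritative. The full internal zone data lives only
// here and on the internal secondary; the ISP hosts a separate, public
// subset ("shadow") zone whose data this server never sees or transfers.
zone "corp.example" {
    type master;
    file "master/corp.example.db";
    allow-transfer { 10.0.0.54; };   // internal secondary only
};

zone "10.in-addr.arpa" {
    type master;
    file "master/10.in-addr.arpa.db";
    allow-transfer { 10.0.0.54; };
};
```

With this in place an internal client asks 10.0.0.53 for both www.corp.example and any public name; the first is answered from the local master file, the second is forwarded to 192.0.2.53/54 and the public answer is handed back, so browsing, mail and FTP work without a separate mail relay or proxy just to do name resolution. If the public "shadow" zone must be served from the same box rather than from the ISP, that is the case for BIND 9 `view` statements keyed on `match-clients { internal-nets; }` versus everyone else; the single-server configuration above avoids that by leaving the public zone with the ISP, which is what the poster already has.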


