Intranet naming scheme?

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 6 01:05:50 UTC 2000


Phil Olson wrote:

> Hello,
>
> I am in the planning phases of putting together our company's Intranet and
> have several questions.  If our registered domain name is abc.com, should I
> use a abc.com on the Intranet dns servers and hosts, and not provide the
> Intranet host names to the Internet?  Or would it be best to use a made up
> name, i.e. abcompany.int for the Intranet DNS servers and hosts?  How are
> you people with established Intranets doing this?

You could set up totally separate domains on the inside and outside, I suppose,
and this would avoid many of the pitfalls of a firewalled DNS. The problems
with this idea, though, are: 1) it can be confusing to users, especially with
protocols which have a "global" perspective consisting of both internal and
external entities, e.g. email, web, 2) it limits you, if in the future you
might want to selectively open up part of your networks securely via VPNs or
whatever, because now people connecting to you have to deal with 2 different
namespaces instead of just one.

Generally, it seems better to use the same domains on the inside and outside,
but for security purposes to just have a subset of your names available on the
outside -- these would be the "shadow" domains -- or, if you have the luxury,
putting all of your external names into separate subdomains and hiding
everything else from external view. Unfortunately, with the current state of
BIND (until "views" are implemented), shadow domains require the maintenance
of at least some names in 2 different places.

> Also, our ISP manages the two DNS servers authoritative for our domain.  I
> am wanting to set up two more DNS servers on our Internal network and have them
> be a Primary/Slave pair for the Intranet zone and also have them act as
> forwarders, and forward queries they don't know about (i.e. Internet
> queries) to the ISP DNS servers.  Then I would set all the client machines
> to point their resolvers to the Intranet DNS pair, NOT the ISP DNS pair.
> This way the ISP DNS servers wouldn't have any records of our Internal
> hosts.  Does this sound like I'm on the right track?  I believe the O'Reilly
> book on DNS and BIND refers to this as a split or shadow name space.

Yes, this forwarding-hierarchy type of architecture, with or without a shadow
namespace, is very common, although personally I prefer (and am more accustomed
to) an internal-root architecture which is sealed off from the Internet except
for firewalls and external boxes; if you're running only proxy/bastion-host
firewalls, why do your clients need to resolve Internet names at all? Of
course, there are different firewall configurations, and these have different
DNS requirements. Forwarding hierarchies tend to be more suited to
stateful-inspection (or, as I like to think of them, glorified filtering-router
:-) firewall architectures.


- Kevin
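The two architectures discussed in this thread (the internal primary/slave pair that forwards unknown queries to the ISP, and the "shadow" subset of abc.com exposed externally) can be expressed in one BIND configuration once "views" are available, which the reply above notes they were not at the time. The following named.conf is an added example written for this page, not configuration from the original post or from BIND's documentation; the address ranges, forwarder addresses, file names and transfer peers are placeholders. It assumes BIND 9 syntax.

```conf
// Added example (not from the original post): BIND 9 split-horizon setup
// for abc.com using views. Every address, file name and peer below is a
// placeholder; substitute your own.

// Which source addresses count as "inside". Everything else is "outside".
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";
    recursion no;               // nobody recurses unless a view says so
    allow-transfer { none; };   // zone transfers only where a zone allows them
};

// Internal view: internal clients get the full abc.com zone, and every
// other name is forwarded to the ISP's resolvers. The ISP servers therefore
// only ever see outbound lookups, never our internal zone data.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    forward only;                          // never iterate ourselves
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder ISP resolvers

    zone "abc.com" {
        type master;                       // complete zone: all internal hosts
        file "internal/abc.com.zone";
        allow-transfer { 10.0.0.2; };      // placeholder internal slave only
    };
};

// External view: the "shadow" copy of abc.com containing only the names
// that are meant to be reachable from the Internet (e.g. www, mail).
// No recursion is offered here, so the box is not an open resolver.
view "external" {
    match-clients { any; };
    recursion no;

    zone "abc.com" {
        type master;                       // shadow subset: public names only
        file "external/abc.com.zone";
        allow-transfer { 198.51.100.1; };  // placeholder ISP secondary
    };
};
```

Two points worth checking once this is in place. First, because the internal view is authoritative for abc.com, any abc.com name that is missing from the internal zone file is answered with NXDOMAIN rather than forwarded, so the public names (www, mail) must also appear in the internal copy; that is the "names in 2 different places" the reply mentions, and views only remove the need for two separate servers, not the duplicated records. Second, if the ISP continues to host the authoritative external servers as in the original plan, the "external" view can be dropped entirely and the internal pair simply never answers outside clients; verify that from outside with a query for an internal-only host and confirm it is refused or absent.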