Advice on Internal Domain Names

Adam Augustine adam_augustine at morinda.com
Wed Jan 26 16:31:39 UTC 2000


As far as having to register the external hosts on two nameservers, this can
be scripted fairly easily. When a change is made to the internal zone file
(which has the external hosts as well) it is parsed to check for external
hosts (which are kept in a section bordered by *External Hosts Start* and
*External Hosts End* type comments). This is then FTP'ed to the external
nameserver, which reloads the external zone when it detects a new zone file
has been transferred. All it takes is a trigger watching the appropriate log
files (syslog and possibly the xferlog or ftplog) which most people have
anyway to let them know when things need attention.

Also, it is actually very simple to make a general distinction between
external and internal hosts for a web browser without going through all the
exception list stuff even though they may be in the same DNS subdomain.

The requirements are that the hosts are on different IP subnets (as they
typically are in this situation) and the other gotcha is that it uses a DNS
check to distinguish external and internal, so it creates an extra lookup
for every host resolved (once for the check the client makes to see which
subnet the target host is on, and once for the firewall to actually resolve
the address).

Here is a copy of an automatic proxy configuration file that will do just
that:

function FindProxyForURL(url, host)
{
    // isInNet() resolves the host name itself, which is the extra DNS
    // lookup mentioned above: once here, once again at the proxy.
    if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
        return "DIRECT";                          // internal subnet: go direct
    }
    else {
        return "PROXY firewall.example.com:80";   // everything else: via the firewall proxy
    }
}

Just some thoughts,
	Adam Augustine

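As an added illustration of the zone-splitting step described in the message above (this is not Adam's script, which the post does not include): the function below pulls the records between the two marker comments out of an internal zone file and assembles the file that would be pushed to the external name server. The exact marker spelling (`; *External Hosts Start*` / `; *External Hosts End*`), the sample zone, and the external SOA/NS header are all constructed here, and the refusal to publish any A record with an RFC 1918 address is an extra guard added for this example, not something the post describes.

```python
"""Split the marked 'external hosts' section out of an internal zone file.

Added example, not from the original post. Marker text, sample zone and the
external header are assumptions; the RFC 1918 leak check is an added guard.
"""
import ipaddress
import re

START_MARKER = "*External Hosts Start*"   # assumed marker spelling
END_MARKER = "*External Hosts End*"

# Constructed sample internal zone: the external hosts live between the markers.
SAMPLE_ZONE = """\
$TTL 86400
@       IN SOA  ns1.foo.co.uk. hostmaster.foo.co.uk. (
                2000012601 ; serial
                3600 900 604800 86400 )
        IN NS   ns1.foo.co.uk.
ns1     IN A    10.1.1.53
; *External Hosts Start*
www     IN A    192.0.2.10
mail    IN A    192.0.2.25
@       IN MX   10 mail.foo.co.uk.
; *External Hosts End*
intranet IN A   10.1.1.80
payroll  IN A   10.1.2.5
"""

# Constructed header for the external copy of the zone (its own SOA and NS).
EXTERNAL_HEADER = """\
$TTL 86400
@       IN SOA  ns.example.com. hostmaster.foo.co.uk. (
                2000012601 ; serial
                3600 900 604800 86400 )
        IN NS   ns.example.com.
"""

# owner, optional TTL, optional class, type A, address, optional comment
A_RECORD = re.compile(r"^\S*\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*(?:;.*)?$", re.IGNORECASE)

# Explicit RFC 1918 ranges; ipaddress.is_private also flags 192.0.2.0/24 etc.,
# which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_external(zone_text):
    """Return the record lines between the two marker comments.

    Raises ValueError if a marker is missing, duplicated or out of order,
    so a mangled zone file is never half-published.
    """
    lines = zone_text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.lstrip().startswith(";") and START_MARKER in l]
    ends = [i for i, l in enumerate(lines) if l.lstrip().startswith(";") and END_MARKER in l]
    if len(starts) != 1 or len(ends) != 1:
        raise ValueError("expected exactly one start and one end marker")
    if ends[0] <= starts[0]:
        raise ValueError("end marker precedes start marker")
    body = lines[starts[0] + 1:ends[0]]
    return [l for l in body if l.strip() and not l.lstrip().startswith(";")]


def find_private_leaks(records):
    """Return the A records whose address falls in an RFC 1918 range."""
    leaks = []
    for rec in records:
        m = A_RECORD.match(rec)
        if m is None:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                      # not a literal address; leave it alone
        if any(addr in net for net in RFC1918):
            leaks.append(rec)
    return leaks


def build_external_zone(zone_text, header=EXTERNAL_HEADER):
    """Assemble the file to hand to the external name server.

    Refuses to build if the external section carries an internal address,
    since that would leak internal addressing to the outside world.
    """
    records = extract_external(zone_text)
    leaks = find_private_leaks(records)
    if leaks:
        raise ValueError("internal addresses in external section: " + "; ".join(leaks))
    return header + "\n".join(records) + "\n"


if __name__ == "__main__":
    print(build_external_zone(SAMPLE_ZONE), end="")
```

The FTP push and the log-watching trigger that reloads the external zone are as the message describes and are not shown here. One practical point when wiring this up: the external server's secondaries only pull the new data if the SOA serial in the generated file increases, so the header's serial should be bumped on every push rather than copied verbatim.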
-----Original Message-----
From: Ole Christensen [mailto:Ole.Christensen at post.uni2.dk]
Sent: Tuesday, January 25, 2000 4:52 PM
To: Jim Reid
Cc: comp-protocols-dns-bind at moderators.isc.org
Subject: Re: Advice on Internal Domain Names


If you want your "internal" users to have access to "external"/"public"
webservers in the foo.co.uk domain AND "internal" webservers, you should
definitely not use the naming scheme 'host.foo.co.uk' for internal
servers. The reason for this is you will have to register the external
servers on both the external (outside/public) DNS as well as on the
internal, and that if you plan to use a http-proxy for external
web-access you will have to administrate a (limited length)
exception-list for servers that your users' browsers should access
directly rather than through the proxy.

Whether or not you should use 'host.branch.intra.foo.co.uk' or only
'host.branch.foo.co.uk' is (I think) a matter of personal taste and how
complicated you want your (and your users') life to be.

Regards,

Ole Christensen

Jim Reid wrote:
> 
> >>>>> "Mark" == Mark Taylor <nobody at nowhere.com> writes:
> 
>     Mark> Hi I want some advice on how to name my internal domains.
>     Mark> We have a registered Domain Name (foo.co.uk for this
>     Mark> example), and I need to break it down for my internal
>     Mark> branches.
> 
>     Mark> This will put all our internet servers on "visible"
>     Mark> foo.co.uk.  Everything on our intranet will be "non-visible"
>     Mark> intranet.foo.co.uk.
> 
>     Mark> Is this the recommend approach to naming internal domains ?
> 
> I don't think there are any recommendations for this. The naming
> scheme you've suggested will work OK, but it's perhaps a bit
> clumsy. You'll end up with internal hostnames like
>         host.branch.intranet.foo.co.uk
> which is a bit of a handful. The extra typing could be a bit of a
> nuisance for the internal users.
> 
> It might be better to just use host.branch.foo.co.uk internally unless
> you *really* want to include another domain name component to
> differentiate between external and internal hosts. [And if you do
> that, there might be subtle knock-on effects on your internal mail
> configuration, resolver setups and so on.] You could just use split
> DNS and have two versions of foo.co.uk: one for the outside world and
> one for the inside. The outside world doesn't get to see your internal
> name space. The internal foo.co.uk could even be a superset of the
> external one. Running the two foo.co.uk on different name servers is a
> good idea too. That way it's easier to separate the two name spaces
> and prevent the internal names from leaking to the outside world.
