Advice on Internal Domain Names

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 26 20:10:50 UTC 2000


Adam Augustine wrote:

> [snip]
>
> Also, it is actually very simple to make a general distinction between
> external and internal hosts for a web browser without going through all the
> exception list stuff even though they may be in the same DNS subdomain.
>
> The requirements are that the hosts are on different IP subnets (as they
> typically are in this situation) and the other gotcha is that it uses a DNS
> check to distinguish external and internal, so it creates an extra lookup
> for every host resolved (once for the check the client makes to see which
> subnet the target host is on, and once for the firewall to actually resolve
> the address).

An extra lookup for every URL is a *huge* performance hit on a stupid Wintel
desktop that doesn't cache its DNS lookups. Remember that a single page can
have dozens of URLs; all those lovely images to automatically download. We
experimented with this approach and were practically lynched by the pilot user
group, because it slowed their web access to a crawl. Just a word of caution.

Ran fine on my Solaris workstation, of course...


- Kevin

> -----Original Message-----
> From: Ole Christensen [mailto:Ole.Christensen at post.uni2.dk]
> Sent: Tuesday, January 25, 2000 4:52 PM
> To: Jim Reid
> Cc: comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: Advice on Internal Domain Names
>
> If you want your "internal" users to have access to "external"/"public"
> webservers in the foo.co.uk domain AND "internal" webservers, you should
> definitely not use the naming scheme 'host.foo.co.uk' for internal
> servers. The reason for this is you will have to register the external
> servers on both the external (outside/public) DNS as well as on the
> internal, and that if you plan to use a http-proxy for external
> web-access you will have to administrate a (limited length)
> exception-list for servers that your users' browsers should access
> directly rather than through the proxy.
>
> Whether or not you should use 'host.branch.intra.foo.co.uk' or only
> 'host.branch.foo.co.uk' is (I think) a matter of personal taste and how
> complicated you want your (and your users') life to be.
>
> Regards,
>
> Ole Christensen
>
> Jim Reid wrote:
> >
> > >>>>> "Mark" == Mark Taylor <nobody at nowhere.com> writes:
> >
> >     Mark> Hi I want some advice on how to name my internal domains.
> >     Mark> We have a registered Domain Name (foo.co.uk for this
> >     Mark> example), and I need to break it down for my internal
> >     Mark> branches.
> >
> >     Mark> This will put all our internet servers on "visible"
> >     Mark> foo.co.uk.  Everything on our intranet will be "non-visible"
> >     Mark> intranet.foo.co.uk.
> >
> >     Mark> Is this the recommended approach to naming internal domains?
> >
> > I don't think there are any recommendations for this. The naming
> > scheme you've suggested will work OK, but it's perhaps a bit
> > clumsy. You'll end up with internal hostnames like
> >         host.branch.intranet.foo.co.uk
> > which is a bit of a handful. The extra typing could be a bit of a
> > nuisance for the internal users.
> >
> > It might be better to just use host.branch.foo.co.uk internally unless
> > you *really* want to include another domain name component to
> > differentiate between external and internal hosts. [And if you do
> > that, there might be subtle knock-on effects on your internal mail
> > configuration, resolver setups and so on.] You could just use split
> > DNS and have two versions of foo.co.uk: one for the outside world and
> > one for the inside. The outside world doesn't get to see your internal
> > name space. The internal foo.co.uk could even be a superset of the
> > external one. Running the two foo.co.uk on different name servers is a
> > good idea too. That way it's easier to separate the two name spaces
> > and prevent the internal names from leaking to the outside world.
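
The trade-off discussed in this thread, as an added example that is not part of any poster's message: assuming the browser-side check is a proxy auto-config (PAC) script, it counts DNS lookups for one page under the subnet check versus a name check that only works when internal hosts have their own subdomain. The resolver stub, addresses, proxy name and helper names are constructed for illustration.

```javascript
// Constructed sample data: invented names and addresses, and a toy resolver
// standing in for the browser's dnsResolve() so the lookups can be counted.
const ZONE = {
  "www.foo.co.uk": "192.0.2.10",               // external web server
  "wiki.branch.intranet.foo.co.uk": "10.1.2.3" // internal web server
};
let lookups = 0;
function dnsResolve(host) { lookups += 1; return ZONE[host] || null; }

// Dotted quad -> unsigned 32-bit integer.
function toInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// Subnet test on an already-resolved address (the real PAC helper isInNet()
// resolves the host name itself, which is where the extra lookup comes from).
function addrInNet(ip, net, mask) {
  if (ip === null) return false;
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

const PROXY = "PROXY proxy.example:8080"; // hypothetical proxy address

// Subnet approach: works even when internal and external hosts share a
// domain, but costs one DNS query per URL on a client that does not cache.
function bySubnet(url, host) {
  return addrInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ? "DIRECT" : PROXY;
}

// Name approach: only possible when internal hosts sit under their own
// subdomain (intranet.foo.co.uk here); no DNS query is needed to decide.
function bySuffix(url, host) {
  return host.endsWith(".intranet.foo.co.uk") ? "DIRECT" : PROXY;
}

// Run a decision function over every URL on a page and count the lookups.
function measure(decide, urls) {
  lookups = 0;
  const routes = urls.map((u) => decide(u, new URL(u).hostname));
  return { lookups, routes };
}

// Constructed page: 30 images from the external site plus one internal link.
const page = Array.from({ length: 30 }, (_, i) => `http://www.foo.co.uk/img/${i}.gif`);
page.push("http://wiki.branch.intranet.foo.co.uk/");
console.log(measure(bySubnet, page).lookups, measure(bySuffix, page).lookups);
```

Both functions route every URL on the sample page identically; only the number of resolver calls differs.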