NEWBIE selecting nameservers based on domain name

Kevin Darcy kcd at daimlerchrysler.com
Fri Jun 9 23:42:19 UTC 2000


rdpintexas at my-deja.com wrote:

> I just recently got a cable modem. I also have a
> couple of PPP modem dial-in connections
> to closed networks which I want to keep.
>
> I have already used the "route add -net" commands
> to tell the kernel to route certain
> telnet requests through the ethernet port and
> others through the ppp0 connection,
> depending on the subnet address, etc.
>
> I'd like to do a similar thing with nslookup.
> Specifically if the resolver tries
> to find something on
> <whatever>.<whatever>.companya.com, I'd like it to
> query a particular nameserver.  If it tries
> companyb.com, I'd like it to query another
> nameserver. Otherwise I want the nameserver
> associated with the cable modem. Since
> companya.com and companyb.com are closed networks
> their name-servers won't work on "internet"
> domains and vice-versa.
>
> My reading of the docs indicates the best way to
> do this is to establish a /etc/named.conf file
> with "zones" for company A, company B, and set up
> zone files to access each nameserver accordingly.
>
> Am I in generally the correct direction? Am I
> clueless? Is there a much easier way to handle
> something like this?

You're generally in the right direction. Run a local, up-to-date
nameserver with "per-zone forwarding" capability. Define the
"companya.com", "companyb.com" zones as "type forward" and "forward
only", and give the IP addresses of the respective nameservers for those
zones in the "forwarders" list. I'm not exactly sure what you mean by
"the nameserver associated with the cable modem"; do you have full
Internet DNS connectivity or not? If you do, then these per-zone
forwards would be in addition to a standard Internet-hints-configured
nameserver. If you don't, then your default or "global" forwarder -- not
to be confused with the per-zone forwarders -- would presumably be
whatever nameserver your cable modem provider has designated for the
purpose.

The only other thing you might want to do, if you're making a lot of
queries to these "special" zones, or if you desire the ability to
resolve names in them even if your connection to the relevant servers is
temporarily down, is set yourself up as a "slave" for the zones in
question, so that you always have replica copies and never need to talk
to their servers except for maintenance. This would require that they
permit your machine to do zone transfers of their zone(s), and may incur
a fair amount of overhead depending on a variety of factors (how large
the zones are, how frequently they change, what their "refresh" settings
are, etc.).

You *do* have IP forwarding turned off and your box is reasonably well
"hardened", right? I don't know that CompanyA or CompanyB would be very
pleased to discover that you've become an Internet access point into
their "closed" networks...


- Kevin
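As an added illustration of the setup described in this reply (not a file from the original post or from the BIND project), here is a named.conf sketch covering the per-zone forwards, the slave-zone alternative, and a local-only listener so the box does not become a resolver bridging the closed networks. All IP addresses and file names are placeholders.

```conf
options {
    directory "/var/named";

    // Answer only the local resolver: the host must not serve DNS to the
    // Internet or to either closed network on behalf of the other.
    listen-on { 127.0.0.1; };
    allow-query { localhost; };

    // Case "full Internet DNS connectivity": leave the global forwarders
    // out and let the "." hint zone below do normal recursion.
    //
    // Case "no direct Internet DNS": uncomment these two lines so that
    // everything NOT matched by a per-zone forward goes to the cable
    // provider's nameserver (placeholder address).
    // forwarders { 192.0.2.53; };
    // forward only;
};

// Per-zone forwarding: names under companya.com are sent only to
// Company A's nameserver; "forward only" stops named from trying the
// Internet roots when that server is unreachable.
zone "companya.com" {
    type forward;
    forward only;
    forwarders { 10.1.0.53; };        // placeholder: Company A's server
};

zone "companyb.com" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; };        // placeholder: Company B's server
};

// Alternative for a heavily used zone: hold a replica instead of
// forwarding. Only works if Company B permits zone transfers (AXFR)
// from this host; replace the forward zone above, do not keep both.
// zone "companyb.com" {
//     type slave;
//     file "slave/companyb.com";
//     masters { 10.2.0.53; };
// };

// Standard root hints for resolving ordinary Internet names.
zone "." {
    type hint;
    file "named.ca";
};
```

With the two `forward only` zones in place, a lookup of `host.companya.com` never reaches the Internet roots, and an Internet name never reaches Company A's server, which is exactly the split the question asks for.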