NAT and DNS - where to find more info

Michael Kohne mhkohne at discordia.org
Tue Jun 27 13:02:49 UTC 2000


I have NOT done this (yet), but I intend to (I have a similar situation).

My thought is the following:
Your internal DNS, if it can't answer a query on its own (for
www.discordia.org, for which you aren't authoritative) should (if properly
configured) go through all the normal motions in order to answer the query
(it will contact root servers, forwarders, etc). 

So for your case, where you want internal.xxx.net to be inside and xxx.net
to be outside, you don't have much of a problem - you set up the inside name
server so that it knows it's authoritative for internal.xxx.net, not
xxx.net, and when you ask for www.xxx.net, it will go through all the
normal DNS motions to find the answer. Since no one outside needs to get
addresses for internal.xxx.net (since they can't contact something on the
far side of a NAT directly anyway) you don't have to even give the xxx.net
name server any information about internal.xxx.net. 

If, on the other hand, you don't want to use a different network name, then
the problem becomes slightly harder, but (If I'm not completely off base)
not that much harder. 

The only problem comes in when your internal and external DNS are
both configured as being authoritative for the same domain. In this case,
the internal thinks it knows about yourdomain.com, so if it doesn't know
the answer, it believes there is no answer. The only names this might
happen for are those names that have real IPs, but which don't have local
network IPs. (i.e. machines outside your local network).

One way to fix this is to make sure that the local DNS knows about
everything in the outside dns's zone files. Either the information could be
duplicated, or the $INCLUDE directive could be used to put this information
in a separate file and drag it in to where it's needed, avoiding the risks
associated with duplicated information.

Of course, if you used a different domain name on the internal network,
then the local DNS server would simply do normal lookups and figure out
what you needed to know.

In this setup, it's also possible to have an internal address that is
different than the external address for a given name. I intend to do this
with things that have interfaces on both nets, so as to avoid going through
NAT for internal transactions. 

Good luck, and if I'm way off base on something here, PLEASE tell me. 

Thanks
At 03:55 PM 6/26/00 -0700, you wrote:
>I was wondering if anyone could give me a URL or a few kind words to help me
>out with the following problem. I'm sure other ppl have done this easily.
>I'm just a bit new at this.
>
>I have a network that has all of its internal IPs translated, 80 or so.
>Externally the DNS works great and internally I have been using host files.
>I want to start using an internal DNS Server to resolve the names.  My
>external domain is authoritative for xxx.net which is my _real_ class C
>address space. I would like an internal DNS authoritative for something like
>internal.xxx.net which would be my 10.10.x.x address.
>
>-    would I set up my internal machines to just point towards the internal
>DNS? DNS would automatically know the external DNS exists, or would I have
>to use a redirector? My gateway is in the external address space so it's a
>kind of important question.
>
>Thanks for your time.
>
>-Mike

Michael Kohne
mhkohne at discordia.org
"Evolution is God's version of Domino Rally"
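As an added illustration (not part of the thread), the following Python model shows the resolution rule the reply above relies on: a server answers names inside a zone it is authoritative for from its own data only, and recurses outward for everything else. All names and addresses (xxx.net, 10.10.x.x, 192.0.2.x) are constructed.

```python
# Added example, not from the thread: a small model of the decision a name
# server makes between "answer from my own zone" and "recurse outward".
# All names and addresses (xxx.net, 10.10.x.x, 192.0.2.x) are constructed.

# Records held by the outside (real) xxx.net server.
OUTSIDE = {"www.xxx.net": "192.0.2.10", "mail.xxx.net": "192.0.2.25"}

class NameServer:
    def __init__(self, zones, upstream=None):
        # zones: {zone apex: {fqdn: address}} this server is authoritative for.
        # upstream: stands in for the roots/forwarders used for other names.
        self.zones = zones
        self.upstream = upstream

    def authoritative_zone(self, name):
        # Longest matching suffix: "www.xxx.net" is inside "xxx.net" but
        # outside "internal.xxx.net".
        matches = [z for z in self.zones if name == z or name.endswith("." + z)]
        return max(matches, key=len) if matches else None

    def resolve(self, name):
        apex = self.authoritative_zone(name)
        if apex is not None:
            # An authoritative server never recurses for names inside its own
            # zone: a name it does not hold is NXDOMAIN, not "ask elsewhere".
            return self.zones[apex].get(name, "NXDOMAIN")
        return self.upstream.resolve(name) if self.upstream else "SERVFAIL"

outside_ns = NameServer({"xxx.net": OUTSIDE})

def subdomain_setup():
    # Inside server authoritative only for internal.xxx.net (first suggestion).
    ns = NameServer({"internal.xxx.net": {"files.internal.xxx.net": "10.10.1.5"}},
                    upstream=outside_ns)
    return ns.resolve("files.internal.xxx.net"), ns.resolve("www.xxx.net")

def same_zone_naive():
    # Both servers claim xxx.net but the inside one only knows local hosts:
    # www.xxx.net gets NXDOMAIN instead of the real address.
    ns = NameServer({"xxx.net": {"files.xxx.net": "10.10.1.5"}}, upstream=outside_ns)
    return ns.resolve("www.xxx.net")

def same_zone_merged():
    # Fix: bring the outside records in (what $INCLUDE does in a zone file),
    # then add inside-only hosts and an inside address for the dual-homed
    # mail host. In a real zone file keep that override out of the shared
    # $INCLUDE file, or the name ends up with two A records, not a replacement.
    merged = {**OUTSIDE, "files.xxx.net": "10.10.1.5", "mail.xxx.net": "10.10.1.25"}
    ns = NameServer({"xxx.net": merged}, upstream=outside_ns)
    return ns.resolve("www.xxx.net"), ns.resolve("mail.xxx.net")
```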

More information about the bind-users mailing list