Split Domain

Kevin Darcy kcd at daimlerchrysler.com
Mon Oct 23 20:04:42 UTC 2000


Peter Koenig wrote:

> Hi,
>
> we have a quite particular setup:
>
> Part of a department "adepartment" in our domain adomain.com is
> protected by a firewall. The DNS for adomain.com including
> adepartment.adomain.com is not maintained by us. The hosts behind the
> firewall are not listed in the public dns.
>
> So we would like to set up a DNS-server (internal DNS) behind our
> firewall. Our wishes for a setup are as follows:
>
> 1. Hosts protected by the firewall should be able to resolve other hosts
> behind the firewall as well as all other hosts in
> adepartment.adomain.com
> 2. This should be possible without having to include all of the data for
> adepartment.adomain.com in our internal DNS-server.
> 3. We would like to achieve this without having to give up our flat
> namespace for adepartment.adomain.com, i.e. not introducing subdomains.
>
> So the setup should be as follows:
>
> The internal DNS should:
> 1. Try to resolve queries for adepartment.adomain.com or forward them to
> the public DNS in case the name cannot be resolved. Regularly the DNS
> returns a NOERROR at this point.
> 2. Forward all other requests (i.e. not including
> adepartment.adomain.com) to the public DNS.
>
> If I understood P. Albitz' and C. Liu's "DNS and Bind" correctly this
> could be realised using "views" in the upcoming Bind 9.x release.
>
> Can anybody give me a hint to solve this problem with standard Bind 8.x?

"views" were not implemented as specified in the _DNS_and_BIND_ book. You
can have the nameserver answer from different versions of a zone based on
the IP address of the client, but you still have to maintain those separate
versions; there is no "forward to X on NXDOMAIN" capability as it appears
in the book. BIND 9's "views" help eliminate the need to run multiple
nameserver instances for split DNS, but they still leave you with the
challenge of maintaining multiple versions of a zone. Perhaps subdomains
would be a better way to go. Another outside possibility would be to
convince the maintainer of the "real" adepartment.adomain.com to update
*your* version of the same zone automatically via Dynamic Update
(preferably secured) whenever they make a change.


- Kevin
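The layout Kevin describes (a view for clients behind the firewall that serves an internal copy of the zone, plain forwarding for everything else, and the public maintainer pushing changes into that copy with signed Dynamic Update) looks like this in BIND 9 syntax. This is an added example, not configuration from the thread; the addresses, the key name, the key value and the forwarder IPs are hypothetical placeholders.

```conf
// Added example of a BIND 9 split-DNS named.conf for the setup above.
// Networks, key name, key material and forwarder addresses are placeholders.

// TSIG key shared with the maintainer of the public adepartment.adomain.com.
// Generate a real one with tsig-keygen; the value below is a dummy.
key "adepartment-update" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZS1rZXktcmVwbGFjZS1tZQ==";   // placeholder, not a real key
};

acl "behind-firewall" { 10.0.0.0/8; 127.0.0.1; };   // hypothetical inside net

options {
    directory "/var/named";
    // Anything this server is not authoritative for is handed to the
    // public DNS; the internal server never iterates on its own.
    forwarders { 192.0.2.53; 192.0.2.54; };          // hypothetical public DNS
    forward only;
    allow-recursion { "behind-firewall"; };
};

// Clients inside the firewall, plus anyone presenting the shared TSIG key
// (the public zone's maintainer sending updates), land in this view.
view "internal" {
    match-clients { key "adepartment-update"; "behind-firewall"; };
    recursion yes;

    // The internal copy of the zone. It must carry every public record as
    // well as the hidden hosts: a name missing here is answered NXDOMAIN
    // by this server, it is not forwarded to the public DNS.
    zone "adepartment.adomain.com" {
        type master;
        file "internal/adepartment.adomain.com.zone";
        // Only updates signed with the shared key are applied.
        allow-update { key "adepartment-update"; };
        allow-transfer { none; };
    };
};

// Everyone else: no internal zone is defined, recursion is off, so they
// get nothing from this server.
view "external" {
    match-clients { any; };
    recursion no;
};
```

Check the file with `named-checkconf` before loading it. Two points the snippet makes concrete: the `key` entry in `match-clients` is what lets the maintainer's signed `nsupdate -k <keyfile>` requests reach the zone in the internal view (and the firewall must allow that traffic in); and because the internal view is authoritative for the whole zone, there is no "forward to the public DNS on NXDOMAIN", which is exactly the maintenance burden Kevin points out. Secured Dynamic Update only helps if the key is kept off every host except the two name servers.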