Newbie DNS Questions

Barry Margolin barmar at genuity.net
Tue Sep 25 17:48:07 UTC 2001


In article <9oqeu2$dpj at pub3.rc.vix.com>,
John <jsf.google.com at darclight.com> wrote:
>Regarding split DNS in general I assume that all of the information in
>the external DNS servers will need to be duplicated on the internal
>servers so that the internal users need only query the internal DNS
>server to get to the external machines such as the internet web/ftp
>servers. Is this correct?

Yes.

>Because of the distant geographical locations of the two sites I would
>think that each site should have their own master and slave DNS
>servers, and these should be identical at each site. My reasoning here
>is to reduce/eliminate DNS traffic on the pipe between the two
>locations. Is this reasonable? Are there any problems with this,
>beyond keeping them in sync?

The overhead of zone transfers is pretty small, so it would be reasonable
for each site to have the master server for their own domain, and the other
site can have a slave server.

>Another issue is should all the machines be in subdomains of only one
>domain to avoid user confusion. By this I mean instead of using
>mojo.subsidiary.ca we would use mojo.canada.maincompany.com. The
>network folks in charge of the DNS setup say this can't be done using
>the .com or .ca and still allow resolution of the external names such
>as web, ftp, etc. Their solution is to use a bogus domain for all
>internal names, i.e. mojo.canada.maincompany.corp. This sounds to me
>like they just don't know how to set things up to have .com names for
>both internal and external use. Am I wrong about this?

It sounds to me like they want to do it this way to avoid having to
duplicate all the external names on the internal servers, which I think is
the same thing you're saying.

>They have also stated that using .corp is inherently more secure.
>Other than the domain not resolving for the rest of the world I don't
>see how. Any comments on this?

It's security through obscurity.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
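The split-DNS arrangement discussed above (one copy of the zone for internal clients that also carries the public names, a separate copy for the Internet, and a master at each site slaving the other site's zone) can be expressed with BIND 9 views. The configuration below is an added illustration, not part of the original thread or of any real deployment; the address ranges (RFC 5737 and RFC 1918 space), file names and the two-site layout are all constructed assumptions.

```conf
// Constructed example: split DNS with BIND 9 views for maincompany.com,
// site A (this server) and site B (peer server at 192.0.2.53, assumed).
// Internal clients, plus the peer site's server, are treated as "inside".
acl internal-nets {
    10.0.0.0/8;          // assumed site A LAN
    192.168.0.0/16;      // assumed site B LAN
    192.0.2.53;          // site B's name server: must match the internal view
                         // for zone transfers, or it would be served the
                         // external view instead
    127.0.0.1;
};

options {
    directory "/var/named";
    recursion no;        // default for views that do not override it
};

// Internal view: authoritative copy that duplicates every public record
// (www, ftp, mail) and adds the internal hosts, so inside clients never
// need to ask the external servers for anything in maincompany.com.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;

    zone "maincompany.com" {
        type master;
        file "internal/maincompany.com.db";
        allow-transfer { 192.0.2.53; };     // only the peer site's slave
        also-notify { 192.0.2.53; };        // push changes, no polling delay
    };

    // Site B is master for its own subdomain; this server keeps a slave
    // copy so canada.* names resolve locally even if the WAN link is down.
    zone "canada.maincompany.com" {
        type slave;
        masters { 192.0.2.53; };
        file "internal/canada.maincompany.com.db";
    };

    zone "." { type hint; file "named.root"; };
};

// External view: only the public hosts, no recursion, transfers limited
// to the public secondary. Internal names never appear in this file.
view "external" {
    match-clients { any; };
    recursion no;

    zone "maincompany.com" {
        type master;
        file "external/maincompany.com.db";
        allow-transfer { 198.51.100.53; };  // assumed public secondary
    };
};
```

Two points follow from this layout that the thread only touches on. First, the choice between `.com` and a private suffix like `.corp` does not change what the outside world can learn: what matters is that the external view's zone file holds only public names and that `allow-transfer` is restricted, which is the same check worth making on the `.corp` design. Second, the peer site's server must be matched into the internal view on both sides; the address-based ACL above does that, and a TSIG key on the transfer (`key` statement plus `match-clients { key ...; }`) is the stronger way to select the view, since it does not rely on a source address.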