Internal vs. external domain names

Michael E. Hanson MEHanson at GryphonsGate.com
Fri Sep 6 18:13:18 UTC 2002


Given a clean-sheet starting point, I would use two different name-spaces,
one for the private network, and one for the DMZ and Public networks.  I
would configure the private DNS servers with forwarders to the public DNS
for unknown requests.  IMHO, this makes it easier to administer and helps
maintain a security boundary between the outside world and the private
world.  I would also try to insist that customer/client/employee access to
the private network from the public be made using a good VPN.

_______________
Michael E. Hanson
President, Gryphon Consulting  Services
(http://www.GryphonsGate.com)
P.O. Box 1151
Bellevue, NE  68005-1151
(402) 871-9622

MEHanson at GryphonsGate.com (primary)
Gryphons_Master at yahoo.com
----- Original Message -----
From: "Bob Chmara" <news at chmara.com>
Newsgroups: comp.protocols.dns.bind
To: <comp-protocols-dns-bind at isc.org>
Sent: Friday, September 06, 2002 9:37 AM
Subject: Internal vs. external domain names


>
> I'm working on a project to redesign the schema for a large company.
> One of the issues I've been asked to look at is the use of different
> domain names for internal and external use, such as xyz.net for
> internal use and xyz.com for external use.  Right now, we use the same
> domain name internally and externally.
>
> The benefits I see to using different domain names are:
> - Simplify proxy administration
> - Create a clear distinction between internal and external resources
>
> The drawbacks I see are:
> - Conversion effort - a whole lot of apps will need to be updated
> and/or CNAME records maintained
> - The distinction between internal and external resources is blurring
> as more suppliers and customers are being given access to systems
>
> - Is there any general consensus about a best practice in this regard?
> - If I had the luxury of a clean sheet approach, which model would you
> recommend?
>
> I've also been asked to gather statistics, though I don't know where,
> if anywhere, those might be found.  I'm also wondering if anyone has
> been through a similar conversion, and if so would you do it again?
>
> Thanks for your help,
> Bob Chmara
>
>
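
The layout recommended in the reply above, sketched as a BIND 9 named.conf for the private-side server. This is an added example, not configuration from either poster; xyz.net is the internal name used in the question, and every address and file path is a placeholder.

```conf
// Constructed example: internal resolver for the private network.
// Placeholders: 10.0.0.0/8 = private network, 192.0.2.53 and 192.0.2.54 =
// the public/DMZ DNS servers, file paths under /var/named.

acl "internal" { 127.0.0.1; 10.0.0.0/8; };

options {
    directory "/var/named";

    // Serve the private network only; nothing outside it may query,
    // recurse through, or transfer zones from this server.
    allow-query     { "internal"; };
    allow-recursion { "internal"; };
    allow-transfer  { none; };
    recursion yes;

    // Names this server is not authoritative for ("unknown requests")
    // are handed to the public DNS servers.
    forwarders { 192.0.2.53; 192.0.2.54; };

    // Never fall back to querying the Internet directly, so the firewall
    // only has to allow DNS from this host to the two forwarders.
    forward only;
};

// Internal namespace. This server is authoritative for it, so lookups
// under xyz.net are answered from local zone data (including NXDOMAIN
// for names that do not exist) and are not sent to the forwarders.
zone "xyz.net" {
    type master;
    file "internal/db.xyz.net";
};

// Reverse zone for the private address space, kept internal as well.
zone "10.in-addr.arpa" {
    type master;
    file "internal/db.10";
};
```

The public servers carry only the external zone (xyz.com in the question) and hold no records for the internal namespace, which is what keeps the two name-spaces separate.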


