Complex DNS Resolver Question

Nathan Benson tuxtattoo at gmail.com
Mon May 16 20:34:46 UTC 2005


Barry,

You've understood exactly what I'm trying to do.  The only reason I'm
trying to use forwarders is because I've not found any other way to do
this (except maybe creating *another* "hybrid" zone, which defeats the
entire reason for this project).  If there is a different way to
accomplish the same thing, I am certainly open to suggestions.

The internal and external views are very different.  The external view
basically contains the stripped-down DMZ zones, etc.  The internal
view has the entire internal network (which is *much* larger than the
DMZ).

I've even tried combining the two zones and using sortlist to sort
based on the query source.  This works, but it needs to only send the
first result, otherwise external queries get the internal zone returned
after the sorted DMZ address.  Not even close to being OK.

Thanks again for your time,
Nathan

On 5/16/05, Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
> "www.ttdown.com" <radiusmax at hotmail.com> wrote:
>
> >>>We are currently connected to another company via a LAN-to-LAN VPN
> >>>with limited access to some of their resources.  We are trying to
> >>>set up DNS for our local clients to access these resources through our
> >>>DNS servers.  However, this company also has their domain name
> >>>available to the Internet.  For example, example.com is their domain.
> >>>We want to access test.example.com through the VPN, but we want to
> >>>access home.example.com via the Internet.
> >>>
> >>>Basically, I would like to selectively resolve some records for a
> >>>domain one way and for the other records within that domain, have
> >>>Internet DNS records resolve it.  Is it possible to do this with BIND
> >>>9 or Windows 2003 DNS?
>
> and I replied:
>
> >> There are two separate issues here.  The first concerns which DNS server
> >> to query, and the second concerns what TCP/IP routing to use to get to
> >> the server in question.  If test.example.com is on a different subnet
> >> than home.example.com, then you can configure your routers accordingly.
> >>
> >> With respect to DNS, can your DNS server(s) be slaves for the
> >>
> >>      example.com
> >>
> >> zone(s)?  I cannot give a more detailed answer without knowing more
> >> specifics about your configuration and the subnets involved.
>
> "www.ttdown.com" <radiusmax at hotmail.com> replied:
>
> >Hi Barry,
> >
> >I am actually trying to configure something very similar, I believe.
> >
> >I have remote offices that are connected to the home office via VPN
> >tunnels.  The remote offices have slave name servers on each office
> >network.  I am trying to configure the remote office name servers to
> >use the public-facing (SOA) name server as a forwarder for the zone,
> >and then fall back on its local internal slave file if the public-facing
> >server doesn't have an entry for that query.
> >
> >The flow I'm trying to accomplish is like this (and this is what I am
> >currently *trying* to get working):
> >
> >Looking up a host that has a DMZ address:
> >  1. user in a remote office looks up "mail.domain.com"
> >  2. the remote office name server forwards the request to the
> >     external name server for the zone.
> >  3. an entry is found, so the slave server sends the answer to the user.
> >
> >Looking up an internal host that has no DMZ address:
> >  1. user in a remote office looks up "private.domain.com"
> >  2. the remote office name server forwards the request to the
> >     external name server for the zone.
> >  3. no entry is found
> >  4. slave server then looks at its local slave copy of the zone "domain.com"
> >  5. an entry is found, the slave returns the local (VPN) answer to the user.
> >
> >
> >I am trying to keep from maintaining more than two zone files
> >(internal and external) for this domain.  The whole reason for this
> >mess was an effort to build a more reliable DNS setup that isn't a
> >pain to maintain (like it is now).
> >
> >I know there has got to be a way to accomplish this without resorting
> >to routing foo/other trickery, but it's really just escaping me.  Is
> >it possible to configure BIND to try multiple name servers until it
> >gets an answer?
> >
> >I appreciate your assistance and your time,
> >Nathan
>
> I am not sure that what you want to do is doable.  If I correctly
> interpret what you wrote, you want internal hosts to query an external
> nameserver.  If the hostname is not found, then you want to query
> a local nameserver to locate the information.  That is not how DNS
> operates.  If a queried nameserver is inaccessible, then DNS will query
> another nameserver, providing that there is a second nameserver
> configured.  But if the first nameserver returns NXDOMAIN (the record
> you requested is not in DNS), then the result returned to the client is
> NXDOMAIN.  The DNS protocol is not set up to look elsewhere for the
> record, especially if the first nameserver returns NXDOMAIN
> authoritatively.
>
> I have not used DNS forwarders, and from the postings I have seen on
> bind-users, I try to avoid them.
>=20
> How different are the external and internal views?
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
>
>
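As an added example (not part of the thread, and not anyone's posted configuration), here is the split-horizon layout that Barry's question "How different are the external and internal views?" points at: one BIND 9 named.conf with two views, each carrying its own copy of domain.com, so office and VPN clients are answered from the full internal zone and everyone else only ever sees the stripped-down DMZ zone. The addresses (10.0.0.0/8 for the office and VPN networks, 192.0.2.53 and 192.0.2.54 as the internal and external masters), the slave file names and the ACL name "internal-nets" are assumptions for illustration; the zone name domain.com is the one used in the thread.

```conf
// Added example, not from the thread: split-horizon BIND 9 named.conf.
// Addresses, file names and the ACL name are illustrative assumptions.

acl "internal-nets" {
    10.0.0.0/8;        // assumed: head office LAN and the VPN-connected remote offices
    127.0.0.1;
};

options {
    directory "/var/named";
    // Authoritative data for the zone lives in the views below, so there is
    // nothing to "fall back" to: whichever view matches the client answers
    // authoritatively for domain.com, including NXDOMAIN, which is the
    // behaviour Barry describes.
};

// Clients on the office and VPN networks see the full internal zone.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;

    zone "domain.com" {
        type slave;
        masters { 192.0.2.53; };         // assumed: internal master, reached over the VPN
        file "slaves/domain.com.internal";
        allow-transfer { "internal-nets"; };
    };
};

// Everyone else (including the Internet) only sees the stripped-down DMZ
// zone and gets no recursion, so internal names and addresses never leave
// the internal view, unlike the combined-zone-plus-sortlist approach.
view "external" {
    match-clients { any; };
    recursion no;

    zone "domain.com" {
        type slave;
        masters { 192.0.2.54; };         // assumed: public-facing master
        file "slaves/domain.com.external";
        allow-transfer { none; };
    };
};
```

View order matters: named uses the first view whose match-clients matches the querying address, so the restrictive "internal" view must come before the catch-all "external" one. Run named-checkconf on the file before loading it, then query a name that exists only internally (such as private.domain.com in the thread) once from an internal address and once from outside; the internal query should get the VPN address and the external one NXDOMAIN, which confirms that no view leaks the other's data.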


