bind on a LAN?

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 22 20:30:26 UTC 2005


Jim wrote:

>What's the best way to host a DNS solution on a LAN if my BIND server is not
>going to take any queries from the outside world and is hosted behind a
>firewall?
>I want to be able to control clients somehow on my LAN so I'd need to
>control at least 1 zone on my server. Do you recommend creating a fake domain
>name for my LAN (i.e. mylan.internal-domain.com)? Or is NetBIOS the
>best way to go here? What's the best way to do this?
>
From the perspective purely of a DNS administrator, your best bet is 
probably to register (or at least "park") a separate domain from the one 
you use externally, and use that exclusively for your internal DNS. This 
is a slightly better approach than just picking some bogus domain like 
.internal, since it'll result in fewer headaches if you ever want to 
selectively open up your DNS to trading partners, merge with another 
business, or something like that. (My apologies if this is just for a 
personal LAN, as opposed to a business, but then again, you didn't specify.)

For reasons *other* than DNS administration, however, using different 
domains for internal and external can complicate matters. All sorts of 
things outside of DNS have dependencies on DNS names. SSL, for one 
example; mail routing, for another. For this reason, many organizations 
choose to use the same domain name for both their external-facing and 
their internal DNS. This is a co-ordination challenge, since oftentimes 
it means that the internal DNS needs to be a superset of the external 
DNS, e.g. www.example.com might need to resolve in both the internal and 
external DNS, implying parallel maintenance.

A compromise, I suppose, would be to use the same domain for internal 
and external, but use separate subdomains, e.g. int.example.com and 
ext.example.com. This way, it would only be necessary for the internal 
resolvers to see the ext.example.com *zone*, which would be a lot easier 
to configure and maintain than entry-by-entry synchronization.

                                                         - Kevin
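The subdomain compromise Kevin describes (int.example.com served locally, the ext.example.com zone mirrored as a whole rather than synchronized entry by entry), written out as a BIND 9 named.conf for the internal server. This is an added example, not configuration from the original thread or from anyone in it. The LAN range 192.0.2.0/24, the internal server address 192.0.2.53, the external primary 203.0.113.10, the key name int-xfer and its secret are all placeholders; the zone transfer is authenticated with TSIG so the external server's allow-transfer is not open to anyone who can reach it.

```conf
// Added example (not from the original thread): BIND 9 named.conf for the
// *internal* server in the int.example.com / ext.example.com split.
// Addresses, the key name and the key secret are placeholders.

// Shared secret that authenticates the zone transfer from the external
// server. Generate a real one with:  tsig-keygen int-xfer
key "int-xfer" {
    algorithm hmac-sha256;
    secret "cmVwbGFjZS1tZQ==";   // placeholder; paste tsig-keygen output here
};

acl "lan" { 192.0.2.0/24; 127.0.0.1; };   // placeholder LAN range

options {
    directory "/var/named";
    listen-on { 192.0.2.53; 127.0.0.1; };  // placeholder address of this server
    recursion yes;
    allow-query     { lan; };   // nothing outside the LAN gets an answer
    allow-recursion { lan; };   // and only the LAN may use this as a resolver
    allow-transfer  { none; };  // nobody pulls the internal zone
};

// Authoritative only for the internal subdomain. The parent example.com
// zone is *not* served here, so www.example.com and other public names
// still resolve through normal recursion, with no parallel maintenance.
zone "int.example.com" {
    type primary;          // "master" on BIND before 9.16
    file "int.example.com.zone";
};

// The external subdomain is mirrored as a whole zone (AXFR/IXFR) from the
// external authoritative server, so internal clients see ext.example.com
// without entry-by-entry copying.
zone "ext.example.com" {
    type secondary;        // "slave" on BIND before 9.16
    primaries { 203.0.113.10 key "int-xfer"; };   // "masters" before 9.16
    file "ext.example.com.secondary";
};

// --- On the external server (203.0.113.10), not in this file: ---
// key "int-xfer" { algorithm hmac-sha256; secret "...same secret..."; };
// zone "ext.example.com" {
//     type primary;
//     file "ext.example.com.zone";
//     allow-transfer { key "int-xfer"; };   // only the TSIG-signed internal server
// };
```

Check the file with named-checkconf before reloading. Two things have to be true for the mirror to work through the firewall: the internal server needs outbound TCP/UDP 53 to 203.0.113.10 for the transfer (and outbound 53 in general for recursion), and the external zone's SOA refresh interval or a NOTIFY from the external server is what bounds how stale the internal copy can be.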




More information about the bind-users mailing list