Access external hosts with internal split DNS resolver

Heiko Richter email at heikorichter.name
Sun Aug 9 06:38:16 UTC 2015



On 09.08.2015 at 06:58, Josh Kuo wrote:
> Add www.mydomain.co.nz to your internal zone, that is one common
> way to deal with it. With BIND you can keep the common records in a
> separate file and use "include" statement to avoid double entry.
> 
> 
> 
>> On Aug 9, 2015, at 12:50 AM, Dave Koelmeyer
>> <dave.koelmeyer at davekoelmeyer.co.nz> wrote:
>> 
>>> On 09/08/15 16:44, Dave Koelmeyer wrote:
>>> 
>>> - lookups to www.mydomain.co.nz fail, where www.mydomain.com is
>>> my public webserver defined in my domain registrar's zone file
>> 
>> Correction: this should obviously read "lookups to
>> www.mydomain.co.nz fail, where www.mydomain.co.nz is my public
>> webserver defined in my domain registrar's zone file".
>> 
>> 
>> -- Dave Koelmeyer http://blog.davekoelmeyer.co.nz GPG Key ID:
>> 0x238BFF87

Using the same domain with two separate contents is just bad practice.
And when you decide to use DNSSEC sometime in the future it will leave
your home network inoperable, because the trust delegations won't work
anymore.

You should use the zone mydomain.co.nz only for public internet hosts
and create a subdomain for your home network, e.g. home.mydomain.co.nz.

If the hostnames at home don't need to be resolvable in the internet
you don't even have to delegate the subdomain. Just create that zone
on your home nameserver and make sure your entire home network uses
this server as a resolver.

That way your home clients will be able to look up hosts in both zones
while clients on the internet will only see the public zone.

And concerning your "forward first" statement, you should change that
to "forward only". If your ISP's resolvers can't find a hostname
there's no need for your home-resolver to try again. It can just
accept that the host is not resolvable and pass on the NXDOMAIN to the
client. This will speed up your name resolution considerably.
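As an added illustration (not configuration posted in this thread), here is a BIND 9 named.conf fragment plus a minimal zone file that puts Heiko's two suggestions together: an undelegated internal subdomain home.mydomain.co.nz served only by the home resolver, and "forward only" towards the ISP resolvers. The forwarder addresses (RFC 5737 documentation IPs), the LAN range, hostnames and file paths are assumptions; only the zone names come from the thread.

```conf
// Added example for the home resolver described above; not from the thread.
// Forwarder IPs, LAN range, hostnames and paths are assumed placeholders.
options {
    directory "/var/named";
    recursion yes;
    // Answer recursive queries only for the home LAN (assumed 192.168.1.0/24),
    // so the box is not usable as an open resolver from the internet.
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    // "forward only": every query not answered from a local zone goes to the
    // ISP resolvers and their answer (including NXDOMAIN) is returned as-is,
    // with no fallback to iterative resolution from the root servers.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder ISP resolver IPs
};

// Internal-only zone: a subdomain of the public domain, authoritative here
// and never delegated from mydomain.co.nz. The public zone itself is NOT
// declared on this server, so www.mydomain.co.nz is still resolved through
// the forwarders from the registrar's zone, and a future DNSSEC chain for
// mydomain.co.nz is left intact.
zone "home.mydomain.co.nz" {
    type master;
    file "home.mydomain.co.nz.zone";
    allow-transfer { none; };
};

// ---- /var/named/home.mydomain.co.nz.zone (assumed path and addresses) ----
// $TTL 3600
// @    IN SOA ns1.home.mydomain.co.nz. hostmaster.home.mydomain.co.nz. (
//             2015080901 ; serial
//             3600 1800 1209600 3600 )
//      IN NS  ns1.home.mydomain.co.nz.
// ns1  IN A   192.168.1.2    ; the home resolver itself
// nas  IN A   192.168.1.10   ; an internal host, invisible from the internet
```

From a LAN client, `dig nas.home.mydomain.co.nz` should be answered from the local zone and `dig www.mydomain.co.nz` via the forwarders; from outside the LAN the first name simply does not exist.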

