Access external hosts with internal split DNS resolver

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Sat Aug 15 05:40:23 UTC 2015



On 2015-08-09 21:41, Dave Koelmeyer wrote:
> Hi Josh, Heiko
> 
> On 09/08/15 18:38, Heiko Richter wrote:
>> Am 09.08.2015 um 06:58 schrieb Josh Kuo:
>> > Add www.mydomain.co.nz to your internal zone, that is one common
>> > way to deal with it. With BIND you can keep the common records in a
>> > separate file and use "include" statement to avoid double entry.
>> 
>> Using the same domain with two separate contents is just bad practice.
>> And when you decide to use DNSSec sometime in the future it will leave
>> your home network inoperable, because the trust delegations won't work
>> anymore.
> 
> Thanks very much for your responses, much appreciated. Sounds like
> creating a home subdomain is the way to go (I've seen this mentioned
> online), so I'll go down that path.
> 
> Cheers,
> Dave

I meant to comment earlier, but forgot....

But was this server actually doing both internal and external DNS?  Seemed to 
me you only had internal, plus wanting to do resolutions?  Which to me seems 
like it would be a common situation.

Because, I have a dyndns domain that is also what I've been using as the 
domain of my home network.

Use the outside dyndns hostname as the domain on the inside

so dynhost.dyndom.tld on the outside, and

host1.dynhost.dyndom.tld
host2.dynhost.dyndom.tld
etc.

on the inside.  Though at a later point I turned on the wildcard feature so 
that I could appear to access the same service whether I was on the inside or 
outside of my network.  I used different port numbers and the router would 
forward it to the desired host.

More recently, went to a DMZ host with proxy servers (ran out of port 
forwards).

But, could have an external hosted domain with more than just a single IP.

Had done that back with my first employer: the external hosted on the service 
provider's nameservers, and our internal servers did the internal (along with 
resolutions with root.hints...).

The only bad thing was that both internal servers were primary...the other 
administrator refused to be slave, even though he also didn't want my 
responsibilities (or to be the one crawling around the office on Friday 
afternoons when the 10Base2 network would mysteriously break....)

If DNSSEC is involved....I don't see why signing internal with the same KSK and 
ZSK as the external wouldn't be a problem.

It's how I'm doing things here at work.   The way I have it, it does signing 
of internal first...that way internal servers see the change sooner...

The only thing I haven't grasped is how to make DNSSEC work if my link goes 
down.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
                                    with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
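As an added example (not configuration from the thread or from any of the posters), here is a BIND named.conf that puts the two halves of the discussion on one server: an internal view that is authoritative only for a home subdomain, as Dave settled on, and an external view that serves the public zone. Lawrence's dyndns-hostname variant is the same layout with the dyndns name as the internal apex. The domain example.net, the 192.168.1.0/24 range and the file paths are assumptions.

```bind
// Added example, not from the original thread.
// Assumptions: public domain is example.net, the LAN is 192.168.1.0/24,
// zone files live under /etc/bind/.  Replace with your own names.

acl "lan" { 127.0.0.1; 192.168.1.0/24; };

// Internal view: recursive for the LAN, authoritative only for the home
// subdomain.  Public names under example.net are NOT copied here, so a
// query for www.example.net from inside is resolved normally via the root
// hints and the public zone's DNSSEC chain is untouched.  That avoids the
// "same domain, two contents" problem Heiko raised.
view "internal" {
    match-clients { lan; };
    recursion yes;
    allow-recursion { lan; };
    dnssec-validation auto;

    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // Internal hosts only (RFC 1918 addresses).  Lawrence's variant uses the
    // dyndns hostname itself as the apex, e.g. zone "dynhost.dyndom.tld",
    // with host1/host2 records beneath it.
    zone "home.example.net" {
        type master;
        file "/etc/bind/db.home.example.net";
    };
};

// External view: authoritative-only for the public zone.  Recursion is off
// for everyone else, so the box is not usable as an open resolver.
// Lawrence's wildcard trick lives in db.example.net as a "*" A record
// pointing at the router's public address.
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };   // list your secondaries here instead of none

    zone "example.net" {
        type master;
        file "/etc/bind/db.example.net";
    };
};
```

With this split the public zone never carries any home.example.net records, so internal addresses do not leak into the public zone, and nothing in the public DNSSEC signing has to change for the home subdomain to work on the inside. If the public zone is later signed, the external view's zone file is the one that gets the signed data; the internal zone can stay unsigned or be signed separately.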


