Carl, Sten, Thanks! That's exactly what I was looking for. Steve On Jan 31, 2014 12:10 PM, "Sten Carlsen" <st...@s-carlsen.dk> wrote:
> I can add that this is what I do to solve the same problem. > > I have one difference that you may consider: > I am a stealth master for my external zone, so all changes to IPs will > be controlled from my side and slaved on the public facing servers. > > On 31/01/14 17:44, Rich Goodson wrote: > > Steve, > > > > If you must use the same domain for internal names as external, here is > > one way to do that. > > > > On the recursive resolving name server that you use inside your network, > > also make that server authoritative for the domain name in question. > > You'll need to do double-entry for every externally accessible resource > > record that you also want to access from inside the network. > > > > So, for example: > > > > External: > > SOA record > > example.com <http://example.com>. IN NS ns1.example.com > > <http://ns1.example.com>. > > example.com <http://example.com>. IN NS ns2.example.com > > <http://ns2.example.com>. > > ns1 IN A external.ip.address > > ns2 IN A external.ip.address > > www IN A external.ip.address > > mail IN A external.ip.address > > example.com <http://example.com>. 10 IN MX mail.example.com > > <http://mail.example.com>. > > > > Internal: > > SOA record > > example.com <http://example.com>. IN NS ns3.example.com > > <http://ns3.example.com>. > > example.com <http://example.com>. IN NS ns4.example.com > > <http://ns4.example.com>. > > ns3 IN A internal.ip.address > > ns4 IN A internal.ip.address > > www IN A external.ip.address > > mail IN A external.ip.address > > server1 IN A internal.ip.address > > example.com <http://example.com>. 10 IN MX mail.example.com > > <http://mail.example.com>. > > > > Obviously, if you move your web site to a different server, you'll need > > to change the IP on both the external and internal name servers. > > > > This configuration can cause confusion (you can't resolve > > name.example.com <http://name.example.com>? what resolver are you > > using?), but it does have some advantages, like you can specify > > jabber.example.com <http://jabber.example.com> in the external version > > of the zone to resolve to 12.34.56.78, and have jabber.example.com > > <http://jabber.example.com> in the internal version of the zone resolve > > to 10.11.12.13, but it depends on everyone inside the company using your > > supplied recursive resolvers. > > > > You can also keep recursive and authoritative separate by doing > > approximately this same thing but dedicating a server to your internal > > zone(s), then on your recursive resolvers using a forward statement or > > stub zones to short circuit recursion for that/those particular domain > > name(s). > > > > Is this the right way to manage your name space? I don't know, but > > that's a whole other argument. Some people will tell you that you > > should absolutely use a different name internally than you do out on the > > Internet. Some companies use example.com <http://example.com> outside > > and example.corp inside (this is what my current company does), but when > > the .corp TLD gets approved sometime in the indefinite and unknowable > > future, all of a sudden there are big problems (or a big migration). > > > > Good luck, > > > > -Rich > > > > On Jan 31, 2014, at 10:10 AM, Steve Presser <st...@pressers.name > > <mailto:st...@pressers.name>> wrote: > > > >> Hey all, > >> Please forgive me if any of my terminology is off - I have not spent > >> as much time in the documentation as I'd like. > >> I have an odd situation that I would like to know if it is possible > >> and would much appreciate a pointer to any relevant documentation or > >> write-ups. > >> I manage a domain name which, for reasons of reliability, uses an > >> externally managed DNS server (zoneedit). We're looking to add private > >> network DNS for internal machines. I've got BIND up and running on an > >> internal machine. However, we have public records that need to be > >> accessible internally (SPF, DKMS, jabber servers, MXs, etc). > >> Additionally, using an internal-only namespace is not an option, due > >> to laptops which go in and out of the network and need to be able to > >> connect without settings modification. > >> I'm trying to figure out how to do some sort of pass through > >> arrangement, where the internal BIND server will first attempt to do > >> the lookup with local records. If it has no local record, it will then > >> fall back to the answer returned by the external (zoneedit) server. > >> I know that if there was only one server, this would simply be split > >> horizon. However, I don't know what to call this setup, and am having > >> a hard time searching for it because of that. (So I apologize if this > >> is then a dumb question). > >> > >> Any help you can offer is much appreciated. Thanks! > >> Steve > >> > >> _______________________________________________ > >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to > >> unsubscribe from this list > >> > >> bind-users mailing list > >> bind-users@lists.isc.org <mailto:bind-users@lists.isc.org> > >> https://lists.isc.org/mailman/listinfo/bind-users > > > > > > > > _______________________________________________ > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/bind-users > > > > -- > Best regards > > Sten Carlsen > > No improvements come from shouting: > > "MALE BOVINE MANURE!!!" > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
