[KLUG Members] LAN's and DNS

members@kalamazoolinux.org
Fri, 30 Aug 2002 09:30:52 -0400


>Okay, so address 192.168.1.0/24, e.g., is "invisible" to the outside
>world. Cool. But what about internal address NAMES? Since our ISP is the
>NS for caresswm.org (the www. name and the MX records) and since I DON'T
>want to serve as our own authoritative NS to the Real World(tm), what do
>I do? 

You create a "split horizon".  In effect you're already doing it on the IP level
with NAT: your inside machines have a different view of the world than those
standing outside and looking at you.

>1. If I can set bind to go out to the ISP for unknown addresses, I can
>   name all the machines thisandthat.caresswm.org and just leave
>   www.caresswm.org undefined. Do I set myself as a slave of our ISP, or
>   do I use the "hints" option?
>2. Fictional names: I can just tell the machines they are in domain
>   cares.lan, which is not unlike the 192 addresses in that they don't
>   exist on the greater internet. Assuming my MTA knows to stamp mail
>   with the proper domain (and it does), and I have no other services to
>   the outside world (aside from AUTH), is this a good plan?

The master internal bind server here is SOA for morrison-ind.com (and others). 
So internal clients get a direct answer from him (or her, depends on how the day
is going).  There is also a "real" SOA in the outside world.  In the real SOA
there are typically VERY few records: www, mail, and one or two MXs.  I simply
add the www address to the internal SOA (mail and MX are different internally).
So if the external hosting company changes the IP on their webserver(s) then my
internal people won't be able to see the extranet page until I update it.  But
in ~4 years that has never happened.

Would be pretty trivial to write a cron job to check the ISP SOA for www and
nsupdate the internal master,  but in ~4 years....
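The split horizon described above (an internal BIND master that is SOA for the zone, with only the www record copied from the ISP's external zone) and the cron job suggested at the end, as an added example that is not code from the original post or its author. The zone name, the ISP nameserver's hostname, the internal master's address, the TSIG key path and the sample addresses are all assumptions; the script only needs `dig` and `nsupdate` from the BIND tools, and the internal master must have `allow-update { key ...; }` for the zone so the TSIG-signed update is accepted.

```shell
#!/bin/sh
# sync-www.sh: keep the internal split-horizon master's "www" A record in
# step with the ISP's external authoritative copy.  Added example; zone,
# server names, key path and addresses are assumptions, not from the post.
set -u

ZONE="morrison-ind.com"           # zone served on both horizons
NAME="www"                        # the one record the ISP really owns
EXTERNAL_NS="ns1.isp.example"     # ISP's authoritative server (assumed name)
INTERNAL_NS="127.0.0.1"           # internal BIND master, queried locally
TTL=3600
KEYFILE="/etc/bind/www-sync.key"  # TSIG key the internal master trusts

# Ask one specific server for the A records of a name.  Prints the
# addresses sorted, one per line; prints nothing on NXDOMAIN / no answer.
lookup_a() {  # $1 = server, $2 = fqdn (with trailing dot)
    dig +short @"$1" "$2" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort
}

# Two newline-separated, sorted address sets are equal when the strings are.
same_set() {  # $1 = set a, $2 = set b
    [ "$1" = "$2" ]
}

# Emit an nsupdate script that replaces the whole RRset: delete the old
# "www" A records, add the current external ones, and send in one update.
build_update() {  # $1 = server, $2 = zone, $3 = name, $4 = ttl, $5 = addresses
    printf 'server %s\nzone %s\n' "$1" "$2"
    printf 'update delete %s.%s. A\n' "$3" "$2"
    for ip in $5; do
        printf 'update add %s.%s. %s A %s\n' "$3" "$2" "$4" "$ip"
    done
    printf 'send\n'
}

sync_www() {
    ext=$(lookup_a "$EXTERNAL_NS" "$NAME.$ZONE.")
    int=$(lookup_a "$INTERNAL_NS" "$NAME.$ZONE.")
    # Failure mode: if the ISP does not answer, leave the internal record
    # alone rather than deleting it because "ext" came back empty.
    if [ -z "$ext" ]; then
        echo "sync-www: no answer from $EXTERNAL_NS, leaving $NAME.$ZONE as is" >&2
        return 1
    fi
    if same_set "$ext" "$int"; then
        return 0            # nothing changed at the ISP; the common case
    fi
    echo "sync-www: $NAME.$ZONE changed at ISP, updating internal master" >&2
    build_update "$INTERNAL_NS" "$ZONE" "$NAME" "$TTL" "$ext" | nsupdate -k "$KEYFILE"
}

# Only act when explicitly asked (e.g. from cron: sync-www.sh run), so the
# functions above can also be sourced and exercised without touching DNS.
case "${1:-}" in
    run) sync_www ;;
esac
```

Run it from cron as `sync-www.sh run` a few times a day; it exits 0 and stays silent while the ISP's www address matches the internal one, logs to stderr (which cron mails) when it pushes a change, and deliberately refuses to touch the record when the external server cannot be reached. The mail and MX records are never queried or rewritten, since those are meant to differ on the two horizons.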