[KLUG Members] LAN's and DNS
Bruce Smith
members@kalamazoolinux.org
30 Aug 2002 10:57:30 -0400
> >Okay, so address 192.168.1.0/24, e.g., is "invisible" to the outside
> >world. Cool. But what about internal address NAMES? Since our ISP is the
> >NS for caresswm.org (the www. name and the MX records) and since I DON'T
> >want to serve as our own authoritative NS to the Real World(tm), what do
> >I do?
>
> You create a "split horizon". In effect you're already doing it on the IP level
> with NAT: your inside machines have a different view of the world than those
> standing outside and looking at you.
>
> >1. If I can set bind to go out to the ISP for unknown addresses, I can
> > name all the machines thisandthat.caresswm.org and just leave
> > www.caresswm.org undefined. Do I set myself as a slave of our ISP, or
> > do I use the "hints" option?
> >2. Fictional names: I can just tell the machines they are in domain
> > cares.lan, which is not unlike the 192 addresses in that they don't
> > exist on the greater internet. Assuming my MTA knows to stamp mail
> > with the proper domain (and it does), and I have no other services to
> > the outside world (aside from AUTH), is this a good plan?
>
> The master internal bind server here is SOA for morrison-ind.com (and others).
> So internal clients get a direct answer from him (or her, depends on how the day
> is going). There is also a "real" SOA in the outside world. In the real SOA
> there are typically VERY few records: www, mail, and one or two MXs. I simply
> add the www address to the internal SOA (mail and MX are different internally).
> So if the external hosting company changes the IP on their webserver(s) then my
> internal people won't be able to see the extranet page until I update it. But
> in ~4 years that has never happened.
>
> Would be pretty trivial to write a cron job to check the ISP SOA for www and
> nsupdate the internal master, but in ~4 years....
I was confused for a minute, but I see your web server is hosted by an
external company.
Here, we run our own web server in house, where it has a private IP on
the DMZ (converted to a real IP by NAT for external queries).
Your answer assumed that www.caresswm.org was hosted externally, and I was
assuming that it was internal like mine.
So Peter, use whichever solution fits your actual setup! :-)
--------------------------------------------
Bruce Smith bruce@armintl.com
System Administrator / Network Administrator
Armstrong International, Inc.
Three Rivers, Michigan 49093 USA
http://www.armstrong-intl.com/
--------------------------------------------
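The cron-job-plus-nsupdate idea from the quoted reply, written out as an added example (not code from anyone in this thread). It assumes BIND's dig and nsupdate are installed, that the ISP's server name, the internal master's address and the TTL are placeholders you replace, and that the internal master accepts dynamic updates from the host running it; the validation step is the addition a cautious admin would want, so a failed or odd-looking external answer is never written into the internal zone.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven sync of the internal
# split-horizon copy of www with the ISP's public zone.
# Assumes BIND's dig and nsupdate are installed and the internal master
# accepts dynamic updates from this host (ideally restricted with a TSIG key).
ZONE="caresswm.org"              # zone from the thread
HOST="www.$ZONE"
EXT_NS="ns1.isp.example"         # placeholder: ISP's authoritative server
INT_NS="192.168.1.2"             # placeholder: internal master
TTL=3600

# Accept only a well-formed dotted-quad IPv4 address. An empty answer, a
# CNAME target or any other garbage must never reach the internal zone.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Update only when the external answer is a valid IPv4 that differs from
# what the internal master currently serves.
needs_update() {   # $1=external_ip $2=internal_ip
    is_ipv4 "$1" || return 1
    [ "$1" != "$2" ]
}

# Build the nsupdate batch that replaces the A record. Returned as text so it
# can be reviewed (or tested) without touching a server.
build_update() {   # $1=server $2=zone $3=name $4=ttl $5=new_ip
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4" "$5"
}

sync_www() {
    ext=$(dig +short @"$EXT_NS" "$HOST" A | head -n 1)
    int=$(dig +short @"$INT_NS" "$HOST" A | head -n 1)
    if needs_update "$ext" "$int"; then
        echo "$HOST: internal '$int' -> external '$ext', updating"
        build_update "$INT_NS" "$ZONE" "$HOST" "$TTL" "$ext" | nsupdate
    fi
}

# Run the sync only when invoked as the cron job, so the functions can be
# sourced and checked without network access.
if [ "${RUN_SYNC:-0}" = "1" ]; then
    sync_www
fi
```

Install it as `RUN_SYNC=1 /path/to/script` from cron; the internal zone only changes when the external lookup returns a clean address that differs from the internal one.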