An unsolvable DNS situation?

Question

We are about to deploy a simple server in our small office to host the typical small office things (a mac server for email, calendar, contacts etc). We quickly run into this strange DNS problem:

The local clients need to resolve against the local server in order for those services to work (so mail.mydomain.com etc).

But mydomain.com actually has its dns hosted externally because we are a software company and all our products uses this domain (i.e. service.mydomain.com). And the problem is there are thousands of these!

So how do I set this up? I can't move my external queries to my local box because it's not suppose to serve those requests for the company's products. I can't move my local query to the external server because then the LAN ip would not work!

To summarize I need a setup that can:
1) Allow my local clients to resolve to LAN ip (mail.mydomain.com -> LAN IP)
2) Allow external clients to continue to use the external DNS server for the thousands of entries already on there
3) Allow my local clients to fall back to the external DNS for an entry that is not served locally (service.mydomain.com)

How many client machines are we talking about here? Maybe this is one of those rare cases where the hosts file on the clients might be the best solution. — John Gardeniers, Jul 15 '10 at 02:10
@John: I doubt it (re: using a HOSTS file). I'm sure he has more than zero clients... — Evan Anderson, Jul 15 '10 at 11:44

score 5 · Answer 1 · answered Jul 15 '10 at 02:02

5

Run a DNS server on your server on the LAN. Most typical default DNS server configurations will allow clients to resolve Internet names. Create a "mail.mydomain.com" zone with an "@" A record in it that resolves to the LAN IP address of the mail server. Do the same for any other names that need to resolve to LAN IP's for LAN clients. Because you're not creating a "mydomain.com" zone on the LAN DNS server, LAN clients will have requests for "service.mydomain.com" served by the Internet DNS server for the "mydomain.com" zone (assuming, of course, you don't create a "service.mydomain.com" zone on the LAN DNS server).

answered Jul 15 '10 at 02:02

Evan Anderson

141,881
20
196
331

3

If you're setting this up on OS X Server, the format'll be a little different: use Server Admin to create a primary zone for "mail.mydomain.com.", add an entry in the Nameserver list with the same zone name and the server's hostname, then use Add Record -> Add Machine (A) to create a record with the Machine Name set to "mail.mydomain.com.", and list the mail server's LAN IP in the IP Addresses list. Also, configure your LAN DHCP server to hand out the OS X Server's IP as the DNS server, and/or make that change in the network settings of non-DHCP computers on the LAN. – Gordon Davisson Jul 15 '10 at 06:31
Thanks Gordon, but will there be any problems for not having the zone "mydomain.com" setup in the osx server? Will the server behave properly without it? – erotsppa Jul 15 '10 at 15:34
@eropsppa: Not having "mydomain.com" configured on the OS X server insures that requests for "randomservice.mydomain.com" will be sent to the Internet DNS server for "mydomain.com". The OS X server won't be authoritative for "mydomain.com" so it'll just resolve requests for anything else in the "mydomain.com" zone via the Internet DNS. – Evan Anderson Jul 15 '10 at 15:58

score 4 · Answer 2 · answered Jul 14 '10 at 23:24

4

You want Split DNS.

http://www.shorewall.net/SplitDNS.html

http://en.wikipedia.org/wiki/Split-horizon_DNS

answered Jul 14 '10 at 23:24

Joe

214
1
4
10

I don't see how that would help. Could you explain further. – erotsppa Jul 14 '10 at 23:41
2

You configure split DNS on your DNS server. You serve up different responses based on where the request comes from. All requests come in there, different responses come back based on where you are. – Joe Jul 15 '10 at 00:10
1

Both of your links are really, really shy of useful, practical information. The poster says that the "mydomin.com" zone is hosted elsewhere already. Based on his requirement that non-LAN service names resolve properly for LAN clients to their correct Internet addresses, making zones with "@" A records in them for LAN resources would probably be easier to arrange. – Evan Anderson Jul 15 '10 at 02:07

score 1 · Answer 3 · answered Jul 15 '10 at 16:51

Not unsolveable at all.

Run unbound locally on your Mac server, and have it serve the answers for your local hosts, but forward queries for other hosts in your domain to the external authoritative server.

Use the local-zone (in "transparent" mode) and local-data configuration settings (see the manpage for details).

score 0 · Answer 4 · answered Jul 15 '10 at 00:22

0

Sounds to me like you need to define (A) Hosts in your DNS for the web stuff so your DNS server will know to go there first without resolving internally.

answered Jul 15 '10 at 00:22

score 0 · Answer 5 · answered Jul 15 '10 at 17:16

Without being a Mac person I can't answer Apple-specific solutions, however I would consider running your local services under a subdomain or separate domain from your external public-facing domain. That way you don't need to mess around with trying to sort this out, you just have the two servers doing two different jobs and it all works nicely.

An unsolvable DNS situation?

5 Answers5