
I work for a small company with a couple of public URLs. The DNS is hosted by a big ISP, and it has a couple of A & CNAME records.

Inside our private network, we have many servers & hosts that connect to each other. I'm using yp/nis to publish their names. When the Linux workstations are configured to the nis domain, and have the nsswitch.conf file set up, I can use those names.

The Windows workstations have to have their hosts file updated manually.

Naively, what I'd like to do is have a local DNS server that extends the company.com domain, but just for my in-house systems. E.g. I'd run bind on IP 10.10.10.10. My local systems would get the extra entries but 10.10.10.10 wouldn't try to pass anything about company.com upstream.

www.company.com - visible to everyone on the planet

ralph.company.com - only visible to internal systems using 10.10.10.10

Is this possible? Or does 10.10.10.10 have to define a subdomain?

www.company.com

ralph.sandbox.company.com

nortally

2 Answers


It works as you expect: you can mask your public domain if you add the zone to your internal DNS resolver. If you're using your ISP's DNS resolvers, you will have to set up your own, as mentioned in your question.

Your internal DNS resolver must be added to the resolv.conf file (or equivalent on Windows) on every machine on your network, and must allow recursive queries, or else your hosts won't be able to resolve any public names.

That way, the hosts on your internal network will see the local version of company.com, and the rest of the world will see the public ISP-hosted version.

There is a catch, however: any records not present in the local company.com zone won't be seen by any machine on the internal network, since the internal DNS won't forward any *.company.com queries to the outside world. So in order for your internal network to access www.company.com you will have to add the record to that zone in your internal DNS server.

André Fernandes
    The catch is very significant. As your company grows, it becomes more and more painful to have multiple versions of the same domain that are exposed to different networks. A separate subdomain is usually the better way to go in the long term. – Andrew B Jul 15 '16 at 17:36
  • This catch depends entirely on the software one is using to provide DNS services to the internal network. – gxx Jul 15 '16 at 17:46
  • The question mentions BIND, which behaves as described. – André Fernandes Jul 15 '16 at 21:25
  • I'm quite sure the questioner mentioned BIND because it's well known and famous, not because of technical reasons. – gxx Jul 16 '16 at 10:17

To begin with: Yes, this is possible.

One approach is to implement split-horizon DNS, which

is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, selected by, usually, the source address of the DNS request.

However, this won't work if the authoritative name server of your domain is hosted by your provider.

So, two possibilities come to my mind, but there are more (DNS is quite complex, so writing a one-size-fits-all answer isn't possible, for me at least):

  • Host the name server yourself, for example, using bind.

  • Let your provider continue to host the authoritative name server. Inside your private network set up another (this time: recursive) name server, for example unbound. Point your clients to this server for domain name resolution.

    Put the records which are needed inside your private network in the configuration, for example via:

    local-data: "ralph.company.com A 10.10.10.10"
    local-data-ptr: "10.10.10.10 ralph.company.com"
    

    Forward requests from unbound to publicly reachable DNS resolvers, for example via

    forward-zone:
      name: "."
      forward-addr: ${RESOLVER_IP_1}
      forward-addr: ${RESOLVER_IP_2}
    

    Edit: Taking this second approach would prevent you from running into the mentioned "catch" in the answer of André Fernandes.

gxx
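As an added example, not taken from either answer, a complete unbound.conf for the second approach, assuming the resolver listens on 10.10.10.10, the internal host ralph sits at the constructed address 10.10.10.20, the internal network is 10.0.0.0/8, and 192.0.2.53 stands in for the provider's public resolver:

```conf
server:
    # Listen only on the internal address; never expose this resolver to the Internet
    interface: 10.10.10.10
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Only internal clients may use the resolver; everything else is refused.
    # Without this an open recursive resolver invites abuse (e.g. amplification).
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow          # assumed internal range
    access-control: 0.0.0.0/0 refuse

    # "transparent" is the key setting for the split view: names in company.com
    # that have local-data below are answered here, and every other name in the
    # zone (e.g. www.company.com) is still forwarded upstream as usual.
    # This is also unbound's default when only local-data is given.
    local-zone: "company.com." transparent

    # Internal-only records (10.10.10.20 is a constructed example address)
    local-data: "ralph.company.com. 3600 IN A 10.10.10.20"
    local-data-ptr: "10.10.10.20 ralph.company.com"

    # Reduce what an attacker on the LAN can learn about the resolver
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes

forward-zone:
    # Send everything without a local answer to the public resolver(s).
    # 192.0.2.53 is a documentation-range placeholder; use your provider's addresses.
    name: "."
    forward-addr: 192.0.2.53
```

With this in place, from an internal client `dig @10.10.10.10 ralph.company.com` should return 10.10.10.20 while `dig @10.10.10.10 www.company.com` still returns the public record, which confirms the transparent zone avoids the catch described in the other answer; querying ralph.company.com through any public resolver should yield no answer.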