[nycbug-talk] Split Horizon DNS

Jesse Callaway bonsaime at gmail.com
Fri May 15 09:19:55 EDT 2009


On Thu, May 14, 2009 at 2:49 PM, Matt Juszczak <matt at atopia.net> wrote:
> Hi all,
>
> Right now, I've got the following setup going:
>
>        -8 FreeBSD boxes
>        -2 of them running bind, one master one slave
>        -every /etc/resolv.conf set to those two servers
>        -two servers configured to forward onto ISP nameservers
>
> The goal?  Allows me to create a "domain name".int (IE:
> server1.mydomain.int) for use internally, while still allowing everything
> external to resolve correctly.  The reason for creating the .int was to
> allow us internal access to each box without overwriting the IP addresses
> of the .com or confusing them in any way, shape or form.
>
> The setup seems to work nicely (especially since I have a timeout of 1 set
> in /etc/resolv.conf, so fail over occurs quickly if one of the DNS boxes
> is down).  The only negative seems to be that if both boxes are down, DNS
> fails entirely.  However, this is almost the same for any /etc/resolv.conf
> configuration.
>
> What are your thoughts?
>
> Thanks,
>
> Matt
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

Hi Matt,

One thing I like about the DJB working model of how to do things is
that the authoritative nameservers, listed in whois, for
YOURDOMAIN.COM are and should be totally separate entities from
anything you are doing in-house as far as name resolution is
concerned. There's no need to change software to adopt this approach.
Especially if you are tinkering, it might be a good idea to take the
NS's which talk to the Internet and put them by themselves. Then do
all of this .localdomain stuff somewhere else. The implementation
could be in jails or what have you. Personally, my brain goes fuzzy
when I look at all of the authorization clauses in the bind configs.

-jesse
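As an added illustration of the split Jesse describes (this is not configuration from either poster), here are two separate BIND named.conf files: one for the public authoritative server that whois points at, which serves only mydomain.com and does no recursion, and one for the internal resolver that /etc/resolv.conf points at, which serves mydomain.int, recurses for internal clients only, and forwards everything else to the ISP as in Matt's setup. The addresses, ACL names, zone file paths and the 10.0.0.0/8 internal range are assumptions for illustration; mydomain.com and mydomain.int are the names from Matt's post. Note that .int is a real delegated TLD, so a query for server1.mydomain.int that escapes the internal resolver will be sent to the public registry rather than failing quietly.

```conf
// Added example, not from the thread. Two separate files: the first
// block is the public server's named.conf, the second is the internal
// resolver's named.conf. All addresses and ACL names are assumptions.

// ---- File 1: public authoritative server (listed in whois) ----
// Serves mydomain.com to the whole Internet and nothing else: no
// recursion, no forwarders, and no zone for mydomain.int at all.
acl "public-secondaries" { 192.0.2.11; };        // assumed slave address

options {
    directory "/var/named";
    recursion no;                                // authoritative only
    allow-query { any; };                        // anyone may ask for our zone
    allow-transfer { public-secondaries; };      // AXFR only to the slave
    notify yes;
};

zone "mydomain.com" {
    type master;
    file "master/mydomain.com.zone";
};

// ---- File 2: internal resolver (/etc/resolv.conf points here) ----
// Answers mydomain.int, recurses for internal clients only, and
// forwards everything it does not know to the ISP resolvers.
acl "internal" { 10.0.0.0/8; 127.0.0.1; };       // assumed LAN ranges
acl "internal-secondaries" { 10.0.0.3; };        // assumed internal slave

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; };                   // never answer the Internet
    allow-recursion { internal; };               // nobody else may recurse
    allow-transfer { internal-secondaries; };
    forwarders { 198.51.100.53; 198.51.100.54; }; // assumed ISP resolvers
    forward only;                                // as in Matt's setup
    listen-on { 10.0.0.2; 127.0.0.1; };          // assumed internal address
};

zone "mydomain.int" {
    type master;
    file "master/mydomain.int.zone";
};
```

A quick check after loading each config: from an internal host, `dig @10.0.0.2 server1.mydomain.int` should return the internal record and `dig @10.0.0.2 www.mydomain.com` the public one via the forwarders; `dig @192.0.2.10 www.mydomain.com` should answer with the aa flag set, while `dig @192.0.2.10 server1.mydomain.int` should come back REFUSED, because the public server has no such zone and `recursion no` leaves no cache for it to consult. Keeping the internal zone off the public server is what prevents the .int names and internal addresses from ever being disclosed, which the single-pair setup in Matt's post relies on access clauses to achieve.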


