External v. Private DNS Resolution Puzzler


Steve Proulx

Besides our link to the Internet, we have a private link to our biggest
customer. For the purpose of this explanation, let's call their domain name
xyzcust.com.

So to access www.xyzcust.com (or a variety of their other sites), we resolve
the name and go out through our Internet link to get there.

Through our private link with them, we have access to some of their internal
systems. They NAT IP addresses for us that are different from the ones they
use. I would like to create DNS entries for these internal systems to match
what they use (e.g. app2.xyzcust.com).

But if I create an xyzcust.com zone on my DNS server, it becomes
authoritative, so the internal systems name resolutions are fine, but
www.xyzcust.com doesn't work anymore.

I was able to do this when we used a Windows NT DNS server, but with the
current Windows 2000 DNS server, I'm not having any success.

Any ideas on this one?
 
Steve Proulx said:
Besides our link to the Internet, we have a private link to our biggest
customer. For the purpose of this explanation, let's call their domain name
xyzcust.com.

So to access www.xyzcust.com (or a variety of their other sites), we resolve
the name and go out through our Internet link to get there.

Through our private link with them, we have access to some of their internal
systems. They NAT IP addresses for us that are different from the ones they
use. I would like to create DNS entries for these internal systems to match
what they use (e.g. app2.xyzcust.com).

But if I create an xyzcust.com zone on my DNS server, it becomes
authoritative, so the internal systems name resolutions are fine, but
www.xyzcust.com doesn't work anymore.

You either have to create their ENTIRE correct zone (by being a
secondary) or you have to somehow intercept just the relevant requests.

I can do the latter with BIND -- by "preloading the cache" with these
records but not with MS DNS.

(I am a big fan of MS DNS but this is one trick I can't perform with it
because it doesn't let me manipulate the DNS server cache manually
as BIND does.)
 
Steve Proulx said:
Besides our link to the Internet, we have a private link to our
biggest customer. For the purpose of this explanation, let's call
their domain name xyzcust.com.

So to access www.xyzcust.com (or a variety of their other sites), we
resolve the name and go out through our Internet link to get there.

Through our private link with them, we have access to some of their
internal systems. They NAT IP addresses for us that are different
from the ones they use. I would like to create DNS entries for these
internal systems to match what they use (e.g. app2.xyzcust.com).

But if I create an xyzcust.com zone on my DNS server, it becomes
authoritative, so the internal systems name resolutions are fine, but
www.xyzcust.com doesn't work anymore.

I was able to do this when we used a Windows NT DNS server, but with
the current Windows 2000 DNS server, I'm not having any success.

Any ideas on this one?

Create a forward lookup zone using the host names you need, such as
"app2.xyzcust.com" then create a blank host (leave the name field blank)
with the IP address you need. It will bark at you saying (same as parent
folder) is not a valid host name, click OK to create the record anyway. You
will have to do this for every host name, your only other choice is to add
the hostnames and IP to the hosts file on each client. This allows you to do
it one time in DNS and be done with it.
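The reason the per-host zone works where a whole xyzcust.com zone does not is the server's zone selection: it answers from the longest local zone that encloses the query name, and a name inside such a zone that has no record gets an authoritative NXDOMAIN rather than being forwarded. The following model is an added example, not code from this thread or from any DNS server; the zone names, the 10.x "NATed" address and the 192.0.2.x upstream answers are constructed stand-ins.

```python
"""Model of how a DNS server chooses between local zone data and forwarding.

Added illustration for the thread above; not real server code. Names and
addresses are constructed: 192.0.2.x stands in for the customer's public
addresses, 10.9.8.x for the NATed addresses reachable over the private link.
"""
from typing import Dict, Optional, Tuple

# Constructed stand-in for what ordinary Internet resolution would return.
UPSTREAM: Dict[str, str] = {
    "www.xyzcust.com.": "192.0.2.10",
    "app2.xyzcust.com.": "192.0.2.22",   # their real address, useless to us
}

Zones = Dict[str, Dict[str, str]]   # zone apex -> {owner name -> A rdata}


def closest_zone(name: str, zones: Zones) -> Optional[str]:
    """Return the longest locally held zone apex that encloses `name`, or None.

    A server checks its own zones before anything else, and the match is by
    closest enclosing apex, so a zone "app2.xyzcust.com." catches only that
    name (and anything below it), never its sibling "www.xyzcust.com.".
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def resolve(name: str, zones: Zones) -> Tuple[str, Optional[str]]:
    """Return (source, rdata) for a query.

    Local zone data wins. A name that falls under a local zone but has no
    record there is answered NXDOMAIN authoritatively and is never sent
    upstream; that is exactly why a local xyzcust.com zone holding only
    app2 breaks www.xyzcust.com.
    """
    zone = closest_zone(name, zones)
    if zone is not None:
        rdata = zones[zone].get(name)
        return ("auth", rdata) if rdata else ("nxdomain", None)
    return ("upstream", UPSTREAM.get(name))


# Approach 1: a local xyzcust.com zone that only knows about the NATed host.
FULL_ZONE: Zones = {"xyzcust.com.": {"app2.xyzcust.com.": "10.9.8.22"}}

# Approach 2 (the per-host zone suggested above): the zone is named after the
# host and the address sits at its apex (the "(same as parent folder)" record).
LEAF_ZONE: Zones = {"app2.xyzcust.com.": {"app2.xyzcust.com.": "10.9.8.22"}}


if __name__ == "__main__":
    for label, zones in (("full zone", FULL_ZONE), ("leaf zone", LEAF_ZONE)):
        for qname in ("app2.xyzcust.com.", "www.xyzcust.com."):
            print(f"{label:9s} {qname:20s} -> {resolve(qname, zones)}")
```

One caveat the model also shows: once app2.xyzcust.com is a local zone, any name below it (for instance something.app2.xyzcust.com) is now answered from that zone too, so a deeper name the customer publishes would need its own record or its own per-host zone.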
 
I know what you mean. It can be done in UNIX. I just can't believe it
won't work with MS.
 
Very creative. I'll try it. Thanks.

Kevin D. Goodknecht said:

Create a forward lookup zone using the host names you need, such as
"app2.xyzcust.com" then create a blank host (leave the name field blank)
with the IP address you need. It will bark at you saying (same as parent
folder) is not a valid host name, click OK to create the record anyway. You
will have to do this for every host name, your only other choice is to add
the hostnames and IP to the hosts file on each client. This allows you to do
it one time in DNS and be done with it.
 
What would you think about a mixed zone type like a ForwardPrimary zone? It
could have a zone file like a std primary that contains only the overridden
RRs? Forwards like a normal forward zone unless it first finds the answer
in auth zone data?
Just wondering as I have been playing with some code for things like this.
 
I have been lobbying for just having a pre-loadable cache
where no zone is required to load one or a few records
when the zone is really maintained elsewhere.

This can work for blocking, overriding, or supplementing
an existing zone without the admin overhead and confusion
of an extra "zone" for each different domain of records.
 
Yes, but does that not require a max ttl value to keep it in the cache? Not
sure that is best solution overall. Also nothing stops the dns server from
overwriting that cache entry from records in an answer section in another
query. Not sure of what situations would need to happen to do this, but
think this may not work over time in all cases and seems like a brittle
solution to the problem. For testing different things, it would seem to be
a useful feature and would also prefer to have the option.
 
William Stacey said:
Yes, but does that not require a max ttl value to keep it in the cache? Not
sure that is best solution overall.

Works just fine -- I load them with MAX INTEGER values on each
reboot which pretty much covers it.
Also nothing stops the dns server from
overwriting that cache entry from records in an answer section in another
query.

These are the equivalent of manual entries and if they are in there,
I don't want them EVER overwritten.

If the records are added this way they really never should be obtained
manually.
Not sure of what situations would need to happen to do this, but
think this may not work over time in all cases and seems like a brittle
solution to the problem. For testing different things, it would seem to be
a useful feature and would also prefer to have the option.

It's not brittle but yet, I can still agree that SOMEONE will want it to
work the other way around. That however isn't likely to be common.
 
One other thing, if I wanted to use "small TTLs" so no one
else would cache the value "infinitely" then I would just set
an appropriate TTL and do a programmatic cache refresh from
the pre-load file every so often.

This is another thing I like about the BIND solution: I can
run a text replace through the file, remove an entry using
fast text search tools, add an entry, etc and then just refresh
the cache in about 2 seconds.

I have over 75,000 entries in my preload cache file.
 
These are the equivalent of manual entries and if they are in there,
I don't want them EVER overwritten.

I understand you don't want them overwritten. The BIND server can and does
overwrite them if it gets answers back with the name in the answer section
during normal operation.
It's not brittle but yet, I can still agree that SOMEONE will want it to
work the other way around. That however isn't likely to be common.

It can be depending on what is happening. Maybe not for you. You pointed
out one issue is the max ttl, so you force everyone to cache it unless they
trim it down for anything over a week. Auth data is checked first before
cache, so in some cases this may not work as expected. Other potential
things, but would need to think about it more. Naturally, if it works for
you, more power to you.
 
It can be depending on what is happening. Maybe not for you. You pointed
out one issue is the max ttl, so you force everyone to cache it unless they
trim it down for anything over a week. Auth data is checked first before
cache, so in some cases this may not work as expected. Other potential
things, but would need to think about it more. Naturally, if it works for
you, more power to you.

The server(s) that do this are the only ones that go to the
Internet, so no one can get "authoritative" data except these
servers.
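The two positions above (a preloaded record is "a manual entry that must never be overwritten" versus "it is ordinary cache data that ages out and can be replaced by a later answer section") come down to how the cache treats operator-supplied entries. The model below is an added example, not code from the thread or from BIND; it shows both behaviours side by side so the trade-off is concrete. Names, addresses and TTLs are constructed.

```python
"""Model of a resolver cache seeded from a preload file.

Added illustration, not BIND or MS DNS code. Shows three things the
discussion above turns on: a preloaded entry expires with its TTL, a later
answer for the same name replaces an unpinned entry, and only an entry the
implementation pins survives that. All names, addresses and TTLs are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    rdata: str
    expires: float        # absolute time; float("inf") means "never"
    pinned: bool = False  # operator-supplied: never replaced by learned data


class Cache:
    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}

    def preload(self, name: str, rdata: str, ttl: float, now: float,
                pinned: bool = False) -> None:
        """Insert a record as if read from the preload file."""
        self._entries[name] = Entry(rdata, now + ttl, pinned)

    def learn(self, name: str, rdata: str, ttl: float, now: float) -> bool:
        """Cache data seen in an answer section during normal recursion.

        Returns False when a pinned entry was kept instead of being replaced.
        """
        current = self._entries.get(name)
        if current is not None and current.pinned:
            return False
        self._entries[name] = Entry(rdata, now + ttl)
        return True

    def lookup(self, name: str, now: float) -> Optional[str]:
        """Return cached rdata, dropping the entry if its TTL has run out."""
        current = self._entries.get(name)
        if current is None or current.expires <= now:
            self._entries.pop(name, None)
            return None
        return current.rdata

    def refresh(self, preload_file: Dict[str, str], ttl: float, now: float,
                pinned: bool = False) -> None:
        """Re-apply the preload file (the periodic refresh mentioned above)."""
        for name, rdata in preload_file.items():
            self.preload(name, rdata, ttl, now, pinned)


# Constructed preload file: one NATed host reachable over the private link.
PRELOAD_FILE = {"app2.xyzcust.com.": "10.9.8.22"}
NAME = "app2.xyzcust.com."


def scenario_unpinned_overwrite() -> Tuple[Optional[str], Optional[str]]:
    """An answer section carrying the same name replaces the preloaded entry."""
    c = Cache()
    c.refresh(PRELOAD_FILE, ttl=3600, now=0)
    before = c.lookup(NAME, 10)
    c.learn(NAME, "192.0.2.22", ttl=60, now=10)   # constructed public address
    after = c.lookup(NAME, 20)
    return before, after


def scenario_pinned() -> Tuple[bool, Optional[str]]:
    """A pinned preload entry ignores later answers for the same name."""
    c = Cache()
    c.refresh(PRELOAD_FILE, ttl=float("inf"), now=0, pinned=True)
    replaced = c.learn(NAME, "192.0.2.22", ttl=60, now=10)
    return replaced, c.lookup(NAME, 20)


def scenario_ttl_and_refresh() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """A short TTL ages the entry out; a scheduled refresh puts it back."""
    c = Cache()
    c.refresh(PRELOAD_FILE, ttl=60, now=0)
    alive = c.lookup(NAME, 59)
    expired = c.lookup(NAME, 60)
    c.refresh(PRELOAD_FILE, ttl=60, now=60)
    restored = c.lookup(NAME, 100)
    return alive, expired, restored


if __name__ == "__main__":
    print("unpinned, then learned:", scenario_unpinned_overwrite())
    print("pinned (replaced?, rdata):", scenario_pinned())
    print("ttl / expired / refreshed:", scenario_ttl_and_refresh())
```

The unpinned case is the brittleness objection; the pinned case is the behaviour asked for, with the flip side that a pinned entry with an effectively infinite TTL never reflects a change on the customer's side until someone edits the preload file and refreshes.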
 
Mike said:
But I thought you could have MS DNS preload dns entries, that's how it gets
its servers from the 'Root Hints' tab in the config, at least I think.
Check this:

Unfortunately it is not a true "cache load" but a (brain dead)
ROOT HINTS only.

Trying to put anything but literally root servers in there is
ineffective.
 
IIRC, named in bind 9.x allows a cache file import, but only recommends
using for testing and development and will probably remove this in future
version. Not sure the hints file can be used with other records either in
Bind 9.x other than root NS records. Have you tried loading other records
into cache from hints? Is that how you are loading your cache? TIA
 
William Stacey said:
IIRC, named in bind 9.x allows a cache file import, but only recommends
using for testing and development and will probably remove this in future
version. Not sure the hints file can be used with other records either in
Bind 9.x other than root NS records. Have you tried loading other records
into cache from hints? Is that how you are loading your cache? TIA

I use the "saved" cache feature -- saved it once, edited it,
made it read-only so it can never be over-written, unless I
specifically edit it.

So far, every record (tons of A records) that I have tried to
add works.
 
I use the "saved" cache feature -- saved it once, edited it,
made it read-only so it can never be over-written, unless I
specifically edit it.

What version? Is this the hints file?
 