"www.ttdown.com" wrote:

>>>We are currently connected to another company via a LAN-to-LAN vpn
>>>with limited access to some of their resources. We are trying to
>>>setup DNS for our local clients to access these resources through our
>>>DNS servers. However, this company also has their domain name
>>>available to the internet. For example, example.com is their domain.
>>>We want to access test.example.com through the VPN, but we want to
>>>access home.example.com via the internet.
>>>Basically, I would like to selectively resolve some records for a
>>>domain one way and for the other records within that domain, have
>>>internet DNS records resolve it. Is it possible to do this with Bind
>>>9 or Windows 2003 DNS?

and I replied:

>> There are two separate issues here. The first concerns which DNS server
>> to query, and the second concerns what TCP/IP routing to use to get to
>> the server in question. If test.example.com is on a different subnet
>> than home.example.com, then you can configure your routers accordingly.
>> With respect to DNS, can your DNS server(s) be slaves for the
>> example.com zone(s)? I can not give a more detailed answer without
>> knowing more specifics about your configuration and the subnets involved.

"www.ttdown.com" replied:

>hi Barry,
>i am actually trying to configure something very similar, i believe.
>i have remote offices that are connected to the home office via VPN
>tunnels. the remote offices have slave name servers on each office
>network. i am trying to configure the remote office name servers to
>use the public facing (SOA) name server as a forwarder for the zone,
>and then fall back on its local internal slave file if the public
>facing server doesn't have an entry for that query.
>the flow i'm trying to accomplish is like this (and this is what i am
>currently *trying* to get working):
>looking up a host that has a DMZ address:
> 1. user in a remote office looks up "mail.domain.com"
> 2. the remote office name server forwards the request to the
>    external name server for the zone.
> 3. an entry is found, so the slave server sends the answer to the user.
>looking up an internal host that has no DMZ address:
> 1. user in a remote office looks up "private.domain.com"
> 2. the remote office name server forwards the request to the
>    external name server for the zone.
> 3. no entry is found
> 4. slave server then looks at its local slave copy of the zone "domain.com"
> 5. an entry is found, the slave returns the local (VPN) answer to the user.
>i am trying to keep from maintaining more than two zones files
>(internal and external) for this domain. the whole reason for this
>mess was an effort to build a more reliable DNS setup that isn't a
>pain to maintain (like it is now).
>i know there has got to be a way to accomplish this without resorting
>to routing foo/other trickery, but it's really just escaping me. is
>it possible to configure bind to try multiple name servers until it
>gets an answer?
>i appreciate your assistance and your time,

I am not sure that what you want to do is doable. If I correctly
interpret what you wrote, you want internal hosts to query an external
nameserver. If the hostname is not found, then you want to query
a local nameserver to locate the information. That is not how DNS
operates. If a queried nameserver is inaccessible, then DNS will query
another nameserver, providing that there is a second nameserver
configured. But if the first nameserver returns NXDOMAIN (the record
you requested is not in DNS), then the result returned to the client is
NXDOMAIN. The DNS protocol is not set up to look elsewhere for the
record, especially if the first nameserver returns NXDOMAIN.

I have not used DNS forwarders, and from the postings I have seen on
bind-users, I try to avoid them.

How different are the external and internal views?
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel@anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
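
The lookup behaviour described in the reply above, as an added example that is not part of the original message: a small Python model of a resolver working through an ordered server list. The server names, addresses and zone contents are constructed sample data, and retrying on SERVFAIL is an assumption about common resolver behaviour.

```python
# Added illustration: toy model of a resolver walking an ordered server list.
# Server names, addresses and zone contents are constructed sample data.
from dataclasses import dataclass, field

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


@dataclass
class Server:
    name: str
    records: dict = field(default_factory=dict)
    reachable: bool = True   # False models a timeout (server or tunnel down)
    broken: bool = False     # True models a SERVFAIL response

    def query(self, qname):
        if not self.reachable:
            raise TimeoutError(self.name)
        if self.broken:
            return SERVFAIL, None
        if qname in self.records:
            return NOERROR, self.records[qname]
        return NXDOMAIN, None   # a valid answer: "this name does not exist"


def resolve(qname, servers):
    """Return (rcode, address, trail); trail lists the servers that were asked."""
    trail = []
    for server in servers:
        trail.append(server.name)
        try:
            rcode, addr = server.query(qname)
        except TimeoutError:
            continue            # no response at all: try the next server
        if rcode == SERVFAIL:
            continue            # assumption: SERVFAIL is also retried
        return rcode, addr, trail   # NOERROR and NXDOMAIN are both final
    return SERVFAIL, None, trail


def demo():
    external = Server("external", {"mail.domain.com": "203.0.113.25"})
    internal = Server("internal", {"mail.domain.com": "10.0.0.25",
                                   "private.domain.com": "10.0.0.40"})
    down = Server("external", reachable=False)
    return {"dmz": resolve("mail.domain.com", [external, internal]),
            "private": resolve("private.domain.com", [external, internal]),
            "outage": resolve("private.domain.com", [down, internal])}
```

In the `private` case the external server's NXDOMAIN ends the lookup even though the internal server holds the record; the internal answer appears only in the `outage` case, when the external server cannot be reached at all.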