On Mon, Apr 10, 2006 at 11:18:00AM -0400, Lee Sweet wrote:
> Situation: Branch office of ours needs to connect to home office for
> email and other resources. They use Cisco VPN client version
> connecting to Cisco 3000 concentrators. They also need
> to have simultaneous access to local resources.
> Problem: The DNS issue is that their primary DNS (when not using
> VPN) is usually the local internal (inside the firewall) one. It has
> a number of entries that are not in the one the VPN client points
> to, the home office internal nameserver.
> So, when they are connected to the home office, name resolution
> requests for local resources fail. (Host name or FQDN, doesn't
> matter, of course, since it's using the home DNS.)
> Cisco seems to think the sort of split DNS resolution we want is
> doable, so "it's a problem with the DNS config at that site".
This is a common DNS problem. The answer is that if you have the same
DNS domain inside and outside the split, you have to copy IN, all
external DNS entries that you want resolvable internally. It's
generally held that the best solution, if politically acceptable, is to
have a subdomain INSIDE the firewall or other split. (Having the main
domain copied inside means that you also have to copy all subdomain
delegations inside, which is a pain.)

This is probably answered several times a year on the bind-users mailing

Joe Yao
This message is not an official statement of OSIS Center policies.
VPN mailing list
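As an added example (not code from this thread), a small Python audit of the "copy the entries in" work Joe describes: it parses a minimal zone-file view of the same domain from each side of the split, lists the records that would have to be copied into the other side, and flags any name that resolves differently on the two sides. The zone contents, host names and addresses are constructed sample data.

```python
# Constructed sample data (not from the thread): the branch office's internal
# view of example.com versus the home-office view the VPN client is pushed.
BRANCH_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN SOA   ns1 hostmaster 2006041001 7200 900 1209600 3600
@           IN NS    ns1
ns1         IN A     192.0.2.10
printer     IN A     10.20.0.5      ; branch-only host, unknown to home office
fileserver  IN A     10.20.0.6      ; branch-only host
www         IN A     203.0.113.8
"""
HOME_ZONE = """\
$ORIGIN example.com.
@           IN SOA   ns1 hostmaster 2006041001 7200 900 1209600 3600
@           IN NS    ns1
ns1         IN A     192.0.2.10
www         IN A     203.0.113.8
intranet    IN A     10.1.0.20      ; home-office-only host
"""

def parse_zone(text):
    """Map (fqdn, type) -> rdata for a minimal zone file ($ORIGIN, @, relative names)."""
    origin, records = ".", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                   # $TTL etc. do not matter here
            continue
        owner, rest = line.split()[0], line.split()[1:]
        if rest and rest[0].isdigit():             # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":       # optional class
            rest = rest[1:]
        fqdn = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        records[(fqdn, rest[0].upper())] = " ".join(rest[1:])
    return records

def missing_records(source, target):
    """Records in `source` absent from `target`: what must be copied into `target`."""
    return {k: v for k, v in source.items() if k not in target}

def conflicting_records(source, target):
    """Same name and type in both views but different data: cannot be copied blindly."""
    return {k: (source[k], target[k]) for k in source if k in target and source[k] != target[k]}
```

Run `missing_records(parse_zone(BRANCH_ZONE), parse_zone(HOME_ZONE))` to see the branch-only names that fail once the VPN points resolution at the home-office server; a non-empty result from `conflicting_records` is the case where a plain copy would silently change what a name resolves to.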