Everyone, I have a customer that is multihomed, to a public ISP and to another large network that uses 10.0.0.0 address space. The private address space also has services available via public address space and consequently is running a split DNS service, public and private. Because of firewalls and the placement of DNS servers this customer has a nasty routing situation and in order to make DNS work for the private numbers, has spoofed the domain of the private network. My question is this: are there any documents or RFCs that outline what is an acceptable practice for running DNS and what is not? Their kluge of a network causes continuous problems for both the upstream ISP and the private network to which they are connecting and we may find ourselves in a situation where we have to say that 'xyz' is an acceptable way of operating and 'abc' is not. Any advice is appreciated. Thanks!
Dan Lockwood
Dan Lockwood wrote:
> Everyone,
> I have a customer that is multihomed, to a public ISP and to another large network that uses 10.0.0.0 address space. The private address space also has services available via public address space and consequently is running a split DNS service, public and private. Because of firewalls and the placement of DNS servers this customer has a nasty routing situation and in order to make DNS work for the private numbers, has spoofed the domain of the private network. My question is this: are there any documents or RFCs that outline what is an acceptable practice for running DNS and what is not? Their kluge of a network causes continuous problems for both the upstream ISP and the private network to which they are connecting and we may find ourselves in a situation where we have to say that 'xyz' is an acceptable way of operating and 'abc' is not. Any advice is appreciated. Thanks!
As you have probably realized, shooting yourself in the foot does hurt. Unfortunately not all textbooks warn about it; some instead recommend doing large implementations of 1918 space. I would change the services to be dual-addressed, with both public and private addresses; that should fix most issues that bother users with real addresses. The ones on 10/8 addresses are supposed to experience degraded accessibility, so it's a feature there. In any case, the policy is that you're not supposed to leak anything in the headers or the payload that contains 1918 addresses. In practice, unfortunately, it does not work that way.
Pete
Hello...
Dan Lockwood wrote:
> Everyone,
> I have a customer that is multihomed, to a public ISP and to another large network that uses 10.0.0.0 address space. The private address
The other large network is, IMHO, broken for doing this. The address space is no longer 'private'.
> space also has services available via public address space and consequently is running a split DNS service, public and private. Because of firewalls and the placement of DNS servers this customer has a nasty routing situation and in order to make DNS work for the private numbers, has spoofed the domain of the private network. My question is
Have you thought about DNS 'forwarding'? Something like this in your DNS server:

    zone "broken.company" {
        type forward;
        forwarders {
            10.0.0.1;
            10.0.0.2;
            // first using private address space publicly
            // then not even putting DNS on separate networks
            // lamers
        };
    };

instead of running their zone locally?
> this: are there any documents or RFCs that outline what is an acceptable practice for running DNS and what is not? Their kluge of a network
IMHO, this is a broken network issue not really a DNS issue.
> causes continuous problems for both the upstream ISP and the private network to which they are connecting and we may find ourselves in a situation where we have to say that 'xyz' is an acceptable way of operating and 'abc' is not. Any advice is appreciated. Thanks!
> Dan Lockwood
And please don't post in HTML.
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com
Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.
On Wed, 11 Sep 2002, Dan Lockwood wrote:
> Everyone,
> I have a customer that is multihomed, to a public ISP and to another large network that uses 10.0.0.0 address space. The private address space also has services available via public address space and consequently is running a split DNS service, public and private. Because of firewalls and the placement of DNS servers this customer has a nasty routing situation and in order to make DNS work for the private
I assume the "public ISP" provides another route to the "large network" where the services are hosted in case the direct link fails? Is it possible to tunnel from your net over the "public ISP" to the "large network", thereby keeping your private nets off the public ones? You wouldn't need the DNS fix then either?
Steve
> numbers, has spoofed the domain of the private network. My question is this: are there any documents or RFCs that outline what is an acceptable practice for running DNS and what is not? Their kluge of a network causes continuous problems for both the upstream ISP and the private network to which they are connecting and we may find ourselves in a situation where we have to say that 'xyz' is an acceptable way of operating and 'abc' is not. Any advice is appreciated. Thanks!
> Dan Lockwood
Hi Dan,
I would recommend using views in BIND. With this feature BIND can answer according to the origin of the query. With a good DNS configuration you could resolve a big part of your problems.
Regards,
Daniel
On Wednesday 11 September 2002 17:34, Dan Lockwood wrote:
> Everyone,
> I have a customer that is multihomed, to a public ISP and to another large network that uses 10.0.0.0 address space. The private address space also has services available via public address space and consequently is running a split DNS service, public and private. Because of firewalls and the placement of DNS servers this customer has a nasty routing situation and in order to make DNS work for the private numbers, has spoofed the domain of the private network. My question is this: are there any documents or RFCs that outline what is an acceptable practice for running DNS and what is not? Their kluge of a network causes continuous problems for both the upstream ISP and the private network to which they are connecting and we may find ourselves in a situation where we have to say that 'xyz' is an acceptable way of operating and 'abc' is not. Any advice is appreciated. Thanks!
> Dan Lockwood
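The two suggestions in this thread, forwarding the partner's zone (Christopher's message) and serving different answers by source address with BIND views (Daniel's message), fit together in one named.conf. The configuration below is an added example for this thread, not anything posted by the participants or taken from the customer's setup; the domain names (customer.example, partner.example), the partner resolver addresses 10.0.0.1 and 10.0.0.2, the customer's internal prefix 192.168.100.0/24, the public prefix 192.0.2.0/24 and the zone file paths are all assumed placeholders. Its point is that the customer never has to host a spoofed copy of the partner's domain: internal clients have their partner queries forwarded to the partner's own servers over the private link, while everybody else sees only public data and only the customer's own zone.

```conf
// named.conf fragment (added example; names and addresses are placeholders)

// Clients that may receive 10/8 answers: the partner's space and the
// customer's own internal prefix. Everything else is "outside".
acl "internal" { 10.0.0.0/8; 192.168.100.0/24; localhost; };

// Views are matched in order, so the internal view must come first.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                      // internal hosts may use us as a resolver

    // Internal version of the customer's own zone: private addresses.
    zone "customer.example" {
        type master;
        file "internal/customer.example.zone";
    };

    // The partner's domain is NOT hosted here. Queries are forwarded to the
    // partner's resolvers across the private link, so their answers stay
    // authoritative and the customer has nothing to keep in sync.
    zone "partner.example" {
        type forward;
        forward only;                   // never fall back to the public tree for this name
        forwarders { 10.0.0.1; 10.0.0.2; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                       // never recurse for the outside world

    // Public version of the same zone: public addresses only, no 10/8 records.
    zone "customer.example" {
        type master;
        file "external/customer.example.zone";
    };
    // No partner.example zone here: outside clients resolve the partner's
    // public names through normal delegation, never through this server.
};

// internal/customer.example.zone (private addresses, served to "internal" only)
;$TTL 3600
;@      IN SOA ns1.customer.example. hostmaster.customer.example. ( 2002091101 3600 900 604800 300 )
;@      IN NS  ns1.customer.example.
;ns1    IN A   192.168.100.2
;www    IN A   192.168.100.10

// external/customer.example.zone (public addresses only; 192.0.2.0/24 is
// the documentation prefix, standing in for the customer's real allocation)
;$TTL 3600
;@      IN SOA ns1.customer.example. hostmaster.customer.example. ( 2002091101 3600 900 604800 300 )
;@      IN NS  ns1.customer.example.
;ns1    IN A   192.0.2.2
;www    IN A   192.0.2.10
```

The two zone files are shown inline (prefixed with `;`) only to make the difference visible: the names are identical and only the A records change, which is what keeps 1918 addresses out of answers that leave the site, the leak Pete's reply warns about. A quick check after loading the configuration is to query `www.customer.example` once from an internal address and once from outside and confirm the first returns 192.168.100.10 and the second 192.0.2.10, and that a query for a partner.example name from outside is refused rather than forwarded.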
participants (5)
- Christopher McCrory
- Dan Lockwood
- Daniel Concepcion
- Petri Helenius
- Stephen J. Wilcox