[Soekris] [OT] DNS Non-delegated local domain behind NATed firewall
The Fungi
fungi at yuggoth.org
Fri Oct 20 16:59:24 UTC 2006
On Fri, Oct 20, 2006 at 06:34:16PM +0200, Bill Maas wrote:
[...]
> (2) the other option, assuming I don't want to contact my ISP for
> domain delegation, is to "claim" mysubdomain.isp.com, declare it
> it a non-delegated isp.com subdomain, and make my DNS server
> locally authoritative for that domain. In principle, this domain
> won't be visible from the outside world, that's as long as I would
> not make any config errors. If I do, then my ISP's DNS admin might
> get annoyed. It appears to be the more risky option.
The chance that your ISP will happily sub-delegate a portion of one
of their domains to your nameserver is, in my experience working for
service providers, well, very close to zero. However, the chance
that a misconfiguration on your internal nameserver will cause
problems for your ISP is also zero, given that you won't be able to
wrest control of their domain in the TLD and repoint it to your
nameserver anyway (not accidentally, at any rate, nor would it be a
wise move legally for you to attempt such an action).
> Is there any clear policy or guideline on this topic? I've looked
> for an RFC about this subject, but there doesn't seem to be one.
> What is the safest option for domain naming behind a NAT box?
There are somewhat complex split-horizon techniques you can employ
(BIND views, multiple daemons, et cetera) to serve different DNS
records for the same zones to different clients, but this is well
beyond the scope of what it sounds like you need. Since nobody
outside your internal network will ever be querying your nameserver
for any legitimate reason anyway, you can serve whatever you want
from it. The most common technique that should cause you the least
grief is to use a domain that you own and control yourself, or one
that does not exist and is unlikely ever to exist (by using a bogus TLD
like .local or .yourname or whatever). As for an IETF RFC, I think
you're looking for 2606:
http://ietf.org/rfc/rfc2606.txt
Though it doesn't really give you much other than a list of
top-level and second-level domains which are recommended by the IETF
never to be used on the greater Internet, and as such you should
expect that using them internally will never conflict with anything
you might try to resolve in the "real world."
--
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi at yuggoth.org); IRC(fungi at irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi at yuggoth.org);
MUD(fungi at katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }
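One way to set up the simpler option the reply recommends (an internal-only authoritative zone under a name that cannot collide with anything on the public Internet), as an added example that is not from the thread: it assumes BIND 9, a NATed LAN of 192.168.1.0/24 with the nameserver at 192.168.1.1, and the zone name home.example, since the .example TLD is one of the RFC 2606 reservations.

```conf
// named.conf fragment (constructed example, not from the original post).
// Assumes BIND 9, LAN 192.168.1.0/24, nameserver address 192.168.1.1,
// and the RFC 2606 reserved TLD ".example" for the internal zone.

acl "internal" {
    127.0.0.0/8;
    192.168.1.0/24;        // the NATed LAN; adjust to your network
};

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.1.1; };   // LAN-facing address only
    allow-query     { internal; };           // nobody outside needs to ask
    allow-recursion { internal; };           // never act as an open resolver
    recursion yes;
};

// Forward zone for the internal name; served to internal clients only.
zone "home.example" {
    type master;
    file "home.example.zone";                // standard master zone file
    allow-transfer { none; };                // no secondaries, no AXFR leakage
    notify no;
};

// Reverse zone for the RFC 1918 block, kept local for the same reason.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "1.168.192.in-addr.arpa.zone";
    allow-transfer { none; };
    notify no;
};
```

Because the zone name is reserved and queries are restricted to the internal ACL, a mistake in this configuration can only affect hosts behind the NAT box, never the ISP's zones.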