I am running split DNS and generally have access to my sites internally.
The exception comes when I am hosting a site that is not under my main domain.
I can set up external and internal DNS entries for anything I have at *.example.com and reach these sites both internally and externally.
My problem comes with sites not under *.example.com.
Say I have just set up test.com. It has an internal IP of, say, 192.168.1.55. I threw the test.com address in an external browser and I see what I want.
So if I try giving test.com an A and PTR entry pointing to the 192.168.1.55 address in my internal DNS, that does not work.
I am sure there is a fantastic reason for this as you would not want others hijacking your domain, but I would also like my internal users to see these sites.
Can anyone point me in the right direction?
You can't just add an arbitrary A record to your DNS server and have it resolve to a particular address. You could create a new zone on your DNS server, but that will break all the addresses for test.com and not just the one you are trying to spoof. If your goal is to point test.com at 192.168.1.55 while testing on a set of boxes, you can modify /etc/hosts on Linux and Mac and the hosts file on Windows (http://www.ehow.com/how_5225562_edit-windows-hosts-file.html). That will give you a good way to test.
Now if you are trying to deal with this in prod, you likely need to take another look at your architecture and find a solution that doesn't include messing with DNS.
Using something like DNSMasq to act as your internal DNS server would allow you to add the entry to one hosts file. It can be configured to point at your split DNS server or to act as a cache on its own.
cwebber is correct about setting up a zone file in BIND. He mentions this flaw:
The way to work around this is to set up zone files for each name you wish to control, e.g. create a zone file for foo.test.com, not test.com.
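The difference between the two zone layouts discussed in the answers above, as an added example that is not part of any post: a simplified Python model (not BIND itself) of a resolver that answers authoritatively for its local zones and recurses for everything else. The public addresses and the mail.test.com name are constructed sample data.

```python
# Simplified model: a resolver that is authoritative for some local zones
# and recurses upstream for every name outside them.

NO_ANSWER = "no-answer"  # stands in for NXDOMAIN / NODATA

# Constructed sample of what public DNS would return (documentation range).
PUBLIC = {
    "foo.test.com": "203.0.113.10",
    "mail.test.com": "203.0.113.25",
}

def enclosing_zone(name, zones):
    """Return the most specific local zone that contains name, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name, zones, upstream=PUBLIC):
    """Answer from the enclosing local zone if there is one, else upstream."""
    name = name.lower().rstrip(".")
    zone = enclosing_zone(name, zones)
    if zone is not None:
        # Authoritative: a name missing from the zone is never forwarded.
        return zones[zone].get(name, NO_ANSWER), "local zone " + zone
    return upstream.get(name, NO_ANSWER), "upstream"

# Layout 1: internal zone for all of test.com holding a single record.
WHOLE_DOMAIN = {"test.com": {"foo.test.com": "192.168.1.55"}}
# Layout 2: internal zone for the one name foo.test.com only.
SINGLE_NAME = {"foo.test.com": {"foo.test.com": "192.168.1.55"}}

def compare(names):
    """Resolve each name under both layouts: {name: (layout1, layout2)}."""
    return {n: (resolve(n, WHOLE_DOMAIN)[0], resolve(n, SINGLE_NAME)[0])
            for n in names}

if __name__ == "__main__":
    for name, (whole, single) in compare(["foo.test.com", "mail.test.com"]).items():
        print(f"{name:15} test.com zone: {whole:14} foo.test.com zone: {single}")
```

Under the whole-domain layout mail.test.com stops resolving internally, while the single-name layout overrides foo.test.com and leaves its siblings to the upstream resolver.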
I don't know if I'm just grossly misunderstanding the real issue here, but if they're just going to be for internal use only, why not make a new zone for internal use only? For example, you could make an "int" zone and make A and PTR records for your website in there like myinternalsite.int could point to 192.168.1.55. All of our company's internal sites are in the "cs" zone, like at sitename.cs and so only internal people can access them, or remote people need to connect to the VPN. Hope that provides some ideas for you.