DNS delegation

Chris Burdette

Here is my problem...

I have a domain example.com is authoritative for. Off of that domain are
two child domains office1.example.com and office2.example.com that I
have had our ISP, AT&T, delegate to our internal DNS servers which
are obviously using private IP addresses. During certain periods of
time hosts in the office1 domain cannot access hosts in the office2.
However, most of the time, at least 85%, there is no problem. I
talked to our ISP and they said that they should not have this set up
because they cannot route private IPs, which I know they can't do.
But doesn't the delegation just tell hosts in office1 what server to
go to for name resolution? Also, if this is the wrong configuration,
why does it work at all? One last thing... there is no need for
office2 to access office1 resources.

Thanks for help in advance,
Chris
 
Kevin D. Goodknecht Sr. [MVP]

Chris Burdette said:
Here is my problem...

I have a domain example.com is authoritative for. Off of
that domain are two child domains office1.example.com and
office2.example.com that I have had our ISP, AT&T,
delegate to our internal DNS servers which are obviously
using private IP addresses. During certain periods of
time hosts in the office1 domain cannot access hosts in
the office2. However, most of the time, at least 85%,
there is no problem. I talked to our ISP and they said
that they should not have this set up because they
cannot route private IPs, which I know they can't do. But
doesn't the delegation just tell hosts in office1 what
server to go to for name resolution? Also, if this is
the wrong configuration, why does it work at all? One
last thing... there is no need for office2 to access
office1 resources.

How is your internal DNS set up? Are the delegations set up in the internal
DNS?
 
Jeff Cochran

I have a domain example.com is authoritative for. Off of that domain are
two child domains office1.example.com and office2.example.com that I
have had our ISP, AT&T, delegate to our internal DNS servers which
are obviously using private IP addresses. During certain periods of
time hosts in the office1 domain cannot access hosts in the office2.
However, most of the time, at least 85%, there is no problem. I
talked to our ISP and they said that they should not have this set up
because they cannot route private IPs, which I know they can't do.
But doesn't the delegation just tell hosts in office1 what server to
go to for name resolution? Also, if this is the wrong configuration,
why does it work at all? One last thing... there is no need for
office2 to access office1 resources.

If you were authoritative for example.com, you're automatically
authoritative for all subdomains you don't delegate elsewhere. If
your subdomains use private IPs, they aren't accessible to your ISP
unless you NAT them to public IPs, so there shouldn't be a delegation
there either.

But your issue is one of "cannot access" not "cannot resolve" so it's
not yet a DNS issue. I'd suspect a lot of your DNS and the rest of
your networking is confusing if you're trying to route subdomains of
the same domain using private address space through the internet.

Might explain a bit more about your configuration and your exact
problem.

Jeff
 
Chris Burdette

If you were authoritative for example.com, you're automatically
authoritative for all subdomains you don't delegate elsewhere. If
your subdomains use private IPs, they aren't accessible to your ISP
unless you NAT them to public IPs, so there shouldn't be a delegation
there either.

But your issue is one of "cannot access" not "cannot resolve" so it's
not yet a DNS issue. I'd suspect a lot of your DNS and the rest of
your networking is confusing if you're trying to route subdomains of
the same domain using private address space through the internet.

Might explain a bit more about your configuration and your exact
problem.

Jeff
Jeff,

I understand your point about "cannot access" and "cannot resolve". As
far as our network goes, it is in good shape. As mentioned in the
original posting, our ISP is authoritative for example.com. I think
the question I really have is what actually happens when an internal
user wants to access a resource by name in office2.example.com.
Does office1.example.com ask the authority of example.com where
office2 is? Then does example reply with the IP address of the DNS
server for office2, or does it just pass the query to office2? If it
is passing the query, then I totally understand why it should not work
at all. But the next question becomes, why does it work at all?

Chris