DNS for just the office?
November 13, 2008 5:07 PM   Subscribe

What is the best solution to provide 'local DNS' for an office which has outgrown a hosts file solution?

We have a domain, say foo.com. We use ZoneEdit to provide DNS for the domain (including numerous sub-domains).

Within the office, to allow machines/applications to be named, we have used a hosts file, but this is no longer practicable (unless there's some means of automating hosts distribution).

All machines in the office are using 192.168.10.x IPs and, I presume, this means that we couldn't put the sub-domains on ZoneEdit even if we wanted to.

I feel like we should be able to run a DNS server which the local machines can use as a 'DNS server of first-resort' and then if the name is not resolved the DNS request can go onto our standard DNS servers which will resolve everything that isn't resolved by the 'office DNS' server. Hence onlyforuseintheoffice.foo.com would be resolved to 192.168.10.1 but thewholeworldneedsthis.com would not be known to the local DNS server and would go out to the I'net to get resolved (by virtue of the ZoneEdit servers)

Finally the question(s)!

1. Can we 'split' responsibility for the domain in this way?
2. There's 'Simple DNS Plus' and there's the stuff that's built into Windows 2003 - any experiences of doing what I describe with either?
3. Is there a simpler 'non-DNS server' way I've overlooked?
posted by southof40 to Computers & Internet (11 answers total)
 
Response by poster: Typo ...

would be resolved to 192.168.10.1 but thewholeworldneedsthis.com would not be

... should read ...

would be resolved to 192.168.10.1 but thewholeworldneedsthis.foo.com would not be

... but maybe that was obvious?
posted by southof40 at 5:11 PM on November 13, 2008


If you control the nameserver, you can create A records for all names. If you share the nameserver with other people, you can't create PTR records for those IP addresses, though. (They might get mad. No technical reason.)

I say you should grab a cheap ($200) computer, put Ubuntu (free) on it, and then install some DNS server like "dnsmasq" (free). It should take about 45 minutes, plus about 2 hours to have something working for DNS -- assuming you know enough about DNS to know what I meant about "A records" and "PTR records". Else, telephone down to the university computer lab and offer a case of beer for someone who knows DNS to come set it up. Maybe point to OpenDNS as the upstream recursive resolver -- recursing to the same server as your authority for public names you care about is a recipe for being the last people in the world to learn about problems with your domains.

Also with the Ubuntu box, you should consider using a DHCP server to dole out the stations' addresses and assign the DNS server. ("dnsmasq" does this too!) You'll marvel at how well it works in a year and sit around telling yarns about the bad old days.
posted by cmiller at 5:46 PM on November 13, 2008


I was going to suggest the same as cmiller, but using BIND instead of dnsmasq...
posted by mjg123 at 5:52 PM on November 13, 2008


Response by poster: cmiller and mjg123, thanks for the suggestions, but primarily what I'm trying to understand is: can I run a DNS server which will 'know' about some parts of a domain and not others? Hence the 'office DNS' server would know about those sub-domains of foo.com which resolve to IP addresses within the LAN, whereas the ZoneEdit DNS server would know about all other sub-domains of foo.com?
posted by southof40 at 6:03 PM on November 13, 2008


southof40, if the machines are all in their own subdomain, then yes, that's pretty easy. I think you want a "split" DNS setup, but you can probably get by with a normal one, as long as the existence of internal hostnames isn't something you need to keep secret from the outside world. Just get a cheap obsolete machine and put Linux and BIND on it.
posted by hattifattener at 6:18 PM on November 13, 2008


If you've got a router running Tomato, you can configure dnsmasq to intercept all DNS requests and return your own hosts if they exist.
posted by Jairus at 7:05 PM on November 13, 2008


If you've already got W2k3, there's no reason at all you couldn't use its inbuilt DNS server. It doesn't use anything resembling standard zone files but the GUI is fairly straightforward. Two nice things in favour of doing this: you don't have to set up very many host records, since Windows will automatically create DNS entries for all workstations in your Windows domain, using their existing Windows computer names as hostnames; and all you have to do is create the reverse DNS zone and it will get automatically populated for you.

Point W2k3's DNS Forwarding at your existing DNS server, set the DHCP server to hand out the W2k3 box's IP address for DNS, and everything should Just Work.

As for what domain you make it authoritative for, you have a couple of good choices. I like to use subdomains of ".lan" or ".local" top-level domains for this, so I end up with host names like "curricserver.curric.local"; but there's also no reason you shouldn't use some subdomain of your existing externally-visible domain, maybe "internal.ourcompany.com" or "lan.ourcompany.com" or whatever. If you've got more than one LAN, give each one its own uniquely named subdomain.
posted by flabdablet at 8:38 PM on November 13, 2008
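The setup cmiller, Jairus and flabdablet describe (a local resolver that is authoritative for a LAN-only subdomain, forwards everything else to a separate upstream recursive resolver, and doles out addresses by DHCP) written out as a dnsmasq configuration. This is an added example, not code from the thread or from any of the posters: it assumes the LAN is 192.168.10.0/24, the router is 192.168.10.1, the dnsmasq box is 192.168.10.2 on eth0, the internal subdomain is internal.foo.com and the upstream resolvers are OpenDNS; the host names, MAC address and addresses are placeholders. It also shows dnsmasq's answer to the poster's question 1: a single name such as onlyforuseintheoffice.foo.com can be overridden locally while the rest of foo.com is still resolved by ZoneEdit.

```shell
#!/bin/sh
# Added example, not from the thread: write a dnsmasq configuration that
# answers for a LAN-only subdomain of foo.com itself, forwards everything
# else upstream, and hands out addresses (and itself as DNS server) by DHCP.
# Assumptions (not given in the thread): LAN is 192.168.10.0/24, the router
# is 192.168.10.1, the dnsmasq box is 192.168.10.2 on eth0, and the
# upstream resolvers are OpenDNS. Adjust the variables to taste.
set -eu

OFFICE_DOMAIN="${OFFICE_DOMAIN:-internal.foo.com}"
LAN_IF="${LAN_IF:-eth0}"
DNS_IP="${DNS_IP:-192.168.10.2}"
ROUTER_IP="${ROUTER_IP:-192.168.10.1}"

# write_office_dnsmasq_conf PATH: write the configuration file to PATH.
write_office_dnsmasq_conf() {
    cat > "$1" <<EOF
# Only serve the LAN; never expose a recursive resolver to the Internet.
interface=$LAN_IF
bind-interfaces

# Upstream recursive resolvers, named explicitly rather than taken from
# /etc/resolv.conf. Keep these separate from the ZoneEdit servers that are
# authoritative for foo.com (cmiller's point about recursing to your own
# authority).
no-resolv
server=208.67.222.222
server=208.67.220.220

# Names that exist only on the LAN. 'local=' makes dnsmasq authoritative
# for the subdomain: a name it does not know gets NXDOMAIN here instead of
# leaking out to the Internet. Placeholder hosts and addresses.
local=/$OFFICE_DOMAIN/
domain=$OFFICE_DOMAIN
host-record=fileserver.$OFFICE_DOMAIN,192.168.10.10
host-record=buildbox.$OFFICE_DOMAIN,192.168.10.11

# dnsmasq can also override single names in a zone it is not authoritative
# for: this name is answered locally, every other *.foo.com name is still
# forwarded to the upstream resolvers.
host-record=onlyforuseintheoffice.foo.com,192.168.10.1

# Never forward unqualified names or reverse lookups for private ranges.
domain-needed
bogus-priv

# Reject upstream answers that point at private addresses (DNS rebinding
# protection). Local host-record answers are not affected.
stop-dns-rebind

# DHCP: dynamic pool, the router as gateway, this box as the DNS server,
# and the office subdomain in the clients' search list.
dhcp-range=192.168.10.100,192.168.10.200,12h
dhcp-option=option:router,$ROUTER_IP
dhcp-option=option:dns-server,$DNS_IP
dhcp-option=option:domain-search,$OFFICE_DOMAIN
# Fixed lease for one machine (placeholder MAC); dnsmasq also registers
# DHCP client names in DNS, so workstations get names without hand-written
# records.
dhcp-host=00:11:22:33:44:55,printer,192.168.10.20
EOF
}

# check_dnsmasq_conf PATH: ask dnsmasq to parse PATH without starting.
# Returns dnsmasq's exit status, or 0 with a warning if dnsmasq is absent.
check_dnsmasq_conf() {
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test -C "$1"
    else
        echo "dnsmasq not installed; skipping syntax check of $1" >&2
    fi
}

# Usage: sh office-dns.sh /etc/dnsmasq.d/office.conf   (then restart dnsmasq)
if [ "$#" -gt 0 ]; then
    write_office_dnsmasq_conf "$1"
    check_dnsmasq_conf "$1"
fi
```

Two design points: the upstream resolvers are listed explicitly (no-resolv) so that a DHCP-assigned or hand-edited /etc/resolv.conf on the server can never make dnsmasq forward to itself, and the internal names sit under a subdomain of a domain the office owns rather than under .local, which is reserved for multicast DNS and resolves differently on some clients.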


Seconding what flabdablet said. This is actually really easy, especially if you already have a Windows server.

As long as you create a separate subdomain for your internal network, you don't even have to set up forwarding on the Windows DNS server. As long as you have Internet access in the office, your DNS server will query any external DNS servers automatically, including the ones at ZoneEdit for your external domains.
posted by cnc at 11:21 PM on November 13, 2008


Find a DNS hosting website you like. Godaddy works, but there are others that maybe have faster interfaces.

Let them host your names in some whatever.com.

Add whatever.com to everyone's DNS suffix searchlist.

Go back to doing real work :)

(In all seriousness, MSDNS and even BIND are relatively easy to work with, but why hassle?)
posted by effugas at 1:24 AM on November 14, 2008


Response by poster: Thanks for all your advice. In reading it I came to understand that I had misunderstood something pretty important - for some reason I thought 'private IP' address ranges (eg 192.168.10.x) could not be resolved by DNS servers outside the local network. Now that I've got over that, effugas' suggestion looks pretty good.

Also like the idea of putting dnsmasq on Tomato as we already run routers which would run Tomato.

No favourites but thanks to all for the useful advice.
posted by southof40 at 11:50 PM on November 14, 2008


Using a non-local DNS server to return private-range IPs certainly works, but in my opinion is not a good idea.

Nobody outside your LAN can connect to the private-IP hosts inside it. If you give all those hosts DNS names that are visible to the world, then attempts to connect to them will cause a successful DNS lookup, followed by an attempt to connect to some private IP - and if that private IP happens to be one in use on whatever LAN the connecting host is also sitting on, confusion will undoubtedly happen.

And if the two LANs concerned are both within your org, this kind of gratuitous confusion is something your IT help desk really doesn't want to be dealing with.

Far, far better to avoid that confusion by giving your LAN-only-accessible hosts LAN-only-accessible DNS names as well, which is easily done by running a local DNS server on the LAN itself.
posted by flabdablet at 4:30 PM on November 15, 2008
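The check a practitioner would want before (or after) taking effugas' route of publishing private addresses in the public foo.com zone, as an added example that is not part of the thread: a small shell filter that reads `dig +noall +answer` output and flags every A record pointing into an RFC 1918 range. The sample answers are constructed for illustration, not real foo.com data. Besides the confusion flabdablet describes, such records are also exactly what resolvers with DNS-rebinding protection (dnsmasq's stop-dns-rebind, for instance) reject, so the names may not resolve at all for clients behind such a resolver.

```shell
#!/bin/sh
# Added example, not from the thread: find public DNS records that hand out
# RFC 1918 addresses. Input is the format of `dig +noall +answer`
# ("name TTL IN TYPE rdata"); the sample answers below are constructed.
set -eu

# is_private_ipv4 ADDR: succeed if ADDR falls in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        10.*)                                  return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        192.168.*)                             return 0 ;;
    esac
    return 1
}

# flag_private_records: read dig-style answer lines on stdin and print
# "name address" for every A record whose address is private.
flag_private_records() {
    while read -r name _ttl _class type rdata _rest; do
        [ "$type" = "A" ] || continue
        if is_private_ipv4 "$rdata"; then
            printf '%s %s\n' "$name" "$rdata"
        fi
    done
}

# Constructed sample: two leaked private addresses, one MX record to skip,
# and 172.32.0.1, which looks private but is outside 172.16.0.0/12.
SAMPLE_ANSWERS='www.foo.com.       3600 IN A  203.0.113.10
intranet.foo.com.  3600 IN A  192.168.10.5
build.foo.com.     3600 IN A  172.20.1.7
mail.foo.com.      3600 IN MX 10 mx.foo.com.
vpn.foo.com.       3600 IN A  172.32.0.1'

# Real use: query the names you publish against the authoritative servers, e.g.
#   for n in www intranet build; do dig +noall +answer "$n.foo.com" A; done | flag_private_records
printf '%s\n' "$SAMPLE_ANSWERS" | flag_private_records
```

Because a public zone cannot be transferred with AXFR from a well-run hosting service, the filter expects you to supply the list of names you publish; anything it prints is a name that only works from inside one particular LAN and should move to the local resolver instead.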

