1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Odd DNS setup

Discussion in 'Networks' started by zebulebu, Mar 11, 2008.

  1. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Maybe my experience has been a little bit sheltered, but something in my new role has been bothering me for a while - I just thought I'd share and see if anyone else finds it odd.

    We are a US/UK company - we manage our own local domain namespace in the forest, including some forward lookup zones for internal web services and the like. Nothing wrong with that - and certainly nothing that I haven't seen before - except that, in addition to the usual 'local' domains & subdomains we also have an internal forward lookup zone configured for what should be a fully resolvable external domain. To illustrate this better, I've set out what our Nameservers hold here:

    uk.mycompany.local
    - dev.mycompany.local
    - admin.mycompany.local
    - dev.lon.mycompany.co.uk

    Now that would normally set alarm bells ringing for me, but the domain isn't resolvable from external DNS, and is used purely for internal access to some development web servers (believe me I've tested it!). Anybody else think this is just a tad odd, or have I just come across something that is regularly implemented elsewhere for the first time myself?

    I only ask really because today I had to set up resolution of a server on the 'oddball' domain for some of our US users - which required conditional forwarding to be set up for this domain on the US nameservers pointing to the authoritative server for the forward lookup zone.
     
    Certifications: A few
    WIP: None - f*** 'em
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    The only time I have had to set up something like this when the companies web servers are sitting in their own DMZ therefore clients on the LAN need to resolve the URL to the LAN IP rather than the external IP address.

    Is this being configured just so that all the DNS requests are resolving to LAN IPs for the URLs? Seems complicated! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. Wassup

    Wassup Byte Poster

    244
    4
    10
    why is that odd?
    if the .local only points to the internal lookup zone that why would it be accessible from the external DNS?

    you did say *should be* fully resolvable? ... "should" being the operative word. :)
     
  4. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Think Zeb was referring to the .co.uk domain, could be wrong though. :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  5. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yeah - I've seen that before as well. In fact, a company I consulted at about three years ago had that exact setup - but had DNS so munged that all their internal web servers as well as their DMZ ones were accessible from the outside world... and they wondered why their bandwidth was being caned! Well, open FTP servers hosting warez for three months will do that for ya :biggrin

    Its configured because the internal admin side of the web services we run relies on a domain cookie being generated that will ONLY permit access to resources if it contains the 'dev.lon.mycompany.co.uk' string somewhere. The devs say that its impossible to re-architect the solution to use a truly internal namespace and I ain't arguing with them - after all they're devs - a gaggle of them surrounded me in the breakout area today whilst I was making coffee - it sent a shiver down my spine!

    I just thought it was odd but wondered if it was something that somebody on here might have seen pretty regularly and I just hadn't been exposed to it before. The US guys seemed puzzled by the setup too, so I guess its just one of those anomalies.
     
    Certifications: A few
    WIP: None - f*** 'em
  6. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yeps. Just that one.
     
    Certifications: A few
    WIP: None - f*** 'em
  7. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Just tell them to run a ‘Find and replace’ in their source code. Replace .co.uk with .local and that should be it. Easy!

    Always takes the network guys to get the job done! :biggrin :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  8. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yeah, tried that line with them - but apparently that's been attempted before with disastrous consequences. I think what they need is a 100% dev environment to work on that they can sod around with - but because its never been a real issue for them they've never really pushed for it. TBH I can't see any major work being done on it as we're going to be moving over to a US-developed production environment soon that won't suffer from this issue. Hey ho!
     
    Certifications: A few
    WIP: None - f*** 'em
  9. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    Well its just a fecking string isn't it ? :biggrin

    We're all just talking about a sensible naming convention, the computers don't really give a monkeys as long as they can resolve it in the DNS tree. They probably already had the company domain for general use, they can create internal sub domains of this domain if they want. I guess it is gonna make administration harder and less self evident which is a bad thing in general.

    Yes sounds like the dev team should be able to fix it, but in reality its often not worth the bother on some systems, you'd be surprised how much spagetti code gets written with domains, cookies and SSO. It really shouldn't be that way, but it often is, in fact web development seems to actively attract that kind of development...

    Once the codes in a bad state any attempt to fix it stands the risk of making things even worse, for the sake of one DNS entry its probably not worth it, especially if its not a system with a decent shelf life...

    You think developers are bad ! You should try asking for admin access to you dev box and see how friendly the IT support people are ! You'd be surprised how many companies don't set up official Dev or R&D networks and try to treat developers like users, you try writing code on a locked down system ! This invariably leads to 'unofficial' dev networks... go figure...

    So how did they set up the domain to be in the DNS tree but be non resolvable externally ? I take it the company domain is in a publically available DNS server ? What stops the resolver for the sub domain, a firewall rule ? Or do they have a public DNS server and a private DNS server and omit the NS records from the public one ?
     
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH

Share This Page

Loading...