Odd DNS setup

Discussion in 'Networks' started by zebulebu, Mar 11, 2008.

  1. zebulebu
    Maybe my experience has been a little bit sheltered, but something in my new role has been bothering me for a while - I just thought I'd share and see if anyone else finds it odd.

    We are a US/UK company - we manage our own local domain namespace in the forest, including some forward lookup zones for internal web services and the like. Nothing wrong with that - and certainly nothing that I haven't seen before - except that, in addition to the usual 'local' domains & subdomains we also have an internal forward lookup zone configured for what should be a fully resolvable external domain. To illustrate this better, I've set out what our Nameservers hold here:

    uk.mycompany.local
    - dev.mycompany.local
    - admin.mycompany.local
    - dev.lon.mycompany.co.uk

    Now that would normally set alarm bells ringing for me, but the domain isn't resolvable from external DNS, and is used purely for internal access to some development web servers (believe me I've tested it!). Anybody else think this is just a tad odd, or have I just come across something that is regularly implemented elsewhere for the first time myself?

    I only ask really because today I had to set up resolution of a server on the 'oddball' domain for some of our US users - which required conditional forwarding to be set up for this domain on the US nameservers pointing to the authoritative server for the forward lookup zone.
     
    Certifications: A few
    WIP: None - f*** 'em
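The conditional-forwarding step described in that last paragraph, as an added example rather than anything from the original post. It assumes a Windows Server DNS server with the DnsServer PowerShell module (2012 or later; a 2008-era box would do the same with `dnscmd /ZoneAdd <zone> /Forwarder <ip>`), and the UK server address 10.1.0.10 and host name admin.dev.lon.mycompany.co.uk are made up for the illustration.

```powershell
# Added example: conditional forwarder on a US DNS server for the
# internal-only zone dev.lon.mycompany.co.uk. Server address and host name
# are assumed, not taken from the original thread.
$Zone      = 'dev.lon.mycompany.co.uk'
$UkAuthDns = @('10.1.0.10')        # assumed: UK DC hosting the forward lookup zone
$TestHost  = "admin.$Zone"         # assumed: a dev web server in that zone

# Create the conditional forwarder. ReplicationScope stores it in AD so every
# US DC running DNS picks it up; drop the parameter for a single-server forwarder.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Zone `
        -MasterServers $UkAuthDns `
        -ReplicationScope 'Forest' `
        -ForwarderTimeout 5
}

# Confirm the zone is a forwarder (not an accidental primary copy) and that it
# points only at the UK server.
Get-DnsServerZone -Name $Zone | Select-Object ZoneName, ZoneType, MasterServers

# The local server should now answer with the LAN address handed back by the UK
# server. A SERVFAIL here usually means TCP/UDP 53 to the UK server is blocked.
$answer = Resolve-DnsName -Name $TestHost -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
"{0} -> {1} (via conditional forwarder)" -f $TestHost, (($answer | Where-Object Type -eq 'A').IPAddress -join ', ')
```

Scoping the forwarder to exactly `dev.lon.mycompany.co.uk` matters: forwarding the whole `mycompany.co.uk` tree to the UK internal servers would hijack the company's real public names for every US client as well.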
  2. Sparky
    The only time I have had to set up something like this is when the company's web servers are sitting in their own DMZ, therefore clients on the LAN need to resolve the URL to the LAN IP rather than the external IP address.

    Is this being configured just so that all the DNS requests are resolving to LAN IPs for the URLs? Seems complicated! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. Wassup
    Why is that odd?
    If the .local only points to the internal lookup zone, then why would it be accessible from the external DNS?

    you did say *should be* fully resolvable? ... "should" being the operative word. :)
     
  4. Sparky
    Think Zeb was referring to the .co.uk domain, could be wrong though. :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  5. zebulebu
    Yeah - I've seen that before as well. In fact, a company I consulted at about three years ago had that exact setup - but had DNS so munged that all their internal web servers as well as their DMZ ones were accessible from the outside world... and they wondered why their bandwidth was being caned! Well, open FTP servers hosting warez for three months will do that for ya :biggrin

    It's configured because the internal admin side of the web services we run relies on a domain cookie being generated that will ONLY permit access to resources if it contains the 'dev.lon.mycompany.co.uk' string somewhere. The devs say that it's impossible to re-architect the solution to use a truly internal namespace and I ain't arguing with them - after all they're devs - a gaggle of them surrounded me in the breakout area today whilst I was making coffee - it sent a shiver down my spine!

    I just thought it was odd but wondered if it was something that somebody on here might have seen pretty regularly and I just hadn't been exposed to it before. The US guys seemed puzzled by the setup too, so I guess it's just one of those anomalies.
     
    Certifications: A few
    WIP: None - f*** 'em
  6. zebulebu
    Yeps. Just that one.
     
    Certifications: A few
    WIP: None - f*** 'em
  7. Sparky
    Just tell them to run a ‘Find and replace’ in their source code. Replace .co.uk with .local and that should be it. Easy!

    Always takes the network guys to get the job done! :biggrin :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  8. zebulebu
    Yeah, tried that line with them - but apparently that's been attempted before with disastrous consequences. I think what they need is a 100% dev environment to work on that they can sod around with - but because it's never been a real issue for them they've never really pushed for it. TBH I can't see any major work being done on it as we're going to be moving over to a US-developed production environment soon that won't suffer from this issue. Hey ho!
     
    Certifications: A few
    WIP: None - f*** 'em
  9. dmarsh
    Well, it's just a fecking string, isn't it? :biggrin

    We're all just talking about a sensible naming convention, the computers don't really give a monkeys as long as they can resolve it in the DNS tree. They probably already had the company domain for general use, they can create internal sub domains of this domain if they want. I guess it is gonna make administration harder and less self evident which is a bad thing in general.

    Yes, sounds like the dev team should be able to fix it, but in reality it's often not worth the bother on some systems; you'd be surprised how much spaghetti code gets written with domains, cookies and SSO. It really shouldn't be that way, but it often is; in fact web development seems to actively attract that kind of development...

    Once the code's in a bad state, any attempt to fix it stands the risk of making things even worse; for the sake of one DNS entry it's probably not worth it, especially if it's not a system with a decent shelf life...

    You think developers are bad! You should try asking for admin access to your dev box and see how friendly the IT support people are! You'd be surprised how many companies don't set up official Dev or R&D networks and try to treat developers like users; you try writing code on a locked-down system! This invariably leads to 'unofficial' dev networks... go figure...

    So how did they set up the domain to be in the DNS tree but be non-resolvable externally? I take it the company domain is in a publicly available DNS server? What stops the resolver for the sub domain, a firewall rule? Or do they have a public DNS server and a private DNS server and omit the NS records from the public one?
     
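The pattern dmarsh is asking about (and the one Sparky describes in post 2) is split-horizon DNS: the internal zone exists only on the AD-integrated servers, and the public `mycompany.co.uk` zone, hosted on a separate Internet-facing server, simply carries no NS delegation or A records for `dev.lon`, so the public tree answers NXDOMAIN. The following is an added example of the UK (authoritative) side, not configuration from the original thread. It assumes the DnsServer PowerShell module on Windows Server 2012 or later; the LAN addresses, host names, and the public resolver used for the check are assumptions.

```powershell
# Added example: UK side of a split-horizon setup for dev.lon.mycompany.co.uk.
# The public mycompany.co.uk zone lives on a different, Internet-facing server
# (not shown) and contains nothing for dev.lon. All addresses are assumed.
$Zone  = 'dev.lon.mycompany.co.uk'
$Hosts = @{ 'admin' = '10.20.30.40'; 'www' = '10.20.30.41' }   # assumed LAN addresses

# 1. Authoritative internal zone, replicated to every DC in the forest. Secure-only
#    dynamic updates stop an unauthenticated client from registering names in it.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
}

# 2. Records point at LAN addresses, so the app's cookie check still sees the
#    dev.lon.mycompany.co.uk name while traffic never leaves the internal network.
foreach ($h in $Hosts.GetEnumerator()) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $h.Key -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $h.Key -IPv4Address $h.Value
    }
}

# 3. Zone transfers are the usual way internal names leak: an AXFR from anyone
#    who can reach TCP/53 hands over the whole host list. Refuse them outright.
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries 'NoTransfer'

# 4. Verify the split. The internal server answers with the LAN address...
Resolve-DnsName -Name "admin.$Zone" -Type A -Server 127.0.0.1 -DnsOnly |
    Where-Object Type -eq 'A' | Select-Object Name, IPAddress

# ...and a public resolver (8.8.8.8 assumed here) must fail. Any answer means
# the public zone has picked up a stray delegation or A record.
try {
    $leak = Resolve-DnsName -Name "admin.$Zone" -Type A -Server 8.8.8.8 -DnsOnly -ErrorAction Stop
    Write-Warning "admin.$Zone resolves publicly to $($leak.IPAddress): internal zone is exposed"
} catch {
    "OK: admin.$Zone is not resolvable from the public DNS tree"
}
```

The firewall is the second half of the answer: the internal servers holding this zone should not be reachable on port 53 from the Internet at all, so even a guessed name or a transfer request never reaches them. That is the configuration the consulted-at company in post 5 got wrong, with their internal servers answering to the outside world.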
