Bind configuration for multiple sub-domains on multiple sites
Hi there, let me first describe our network layout. We have our main office network of 192.21.x.x with machines configured to live on domain.com. We then have international offices running as 192.41.x.x/ch.domain.com, 192.85.x.x/hkg.domain.com and 192.97.x.x/dbx.domain.com.
Each site has its own gateway running BIND (as well as VPN links), being the master of its own subdomain.
This works great on a per-site basis. For example, the mail server in Switzerland may be called mail.ch.domain.com, and internally on the Swiss site that will resolve to 192.41.0.1. Great, and as far as internet-based requests go, anything on ch.domain.com will resolve to the router IP of the Swiss site (where the router will direct traffic depending on type, source etc.). So where is the issue? Let's say we have an internal web server on the main site, 192.21.0.100 / internal.domain.com. If a user in the Swiss office types internal.domain.com in their web browser, it tries to access that address via the internet rather than resolving it internally (therefore access is denied).
I suppose we could run all DNS from the main office, but then that takes away the resilience (e.g. if any one site falls over, the other sites continue to run). The only interim solution I have found (and tested on one site, it seems without problems) is to have the branch site running its own subdomain as the master, and then to have domain.com and the other subdomains of domain.com running as slaves. This works well on the one site where I ran a pilot, but I'm concerned that this may be seen as sloppy or have consequences of which I am not aware.
I'm hoping some DNS gurus can give their opinions. If possible I would like to avoid completely restructuring the company's DNS configuration, as overall it works (and if it's not broken, don't fix it!).
I hope that all made sense, and I look forward to some replies.
I would create forward statements in named.conf for each of those domains on each remote DNS server. Then add two views: one view for public internet use and another view to allow permission only for the static network addresses that you have.
In the named.conf of each server you can create the zone definition with a file declaring the SOA, and at the bottom of the zone definition simply add:
zone "ch.domain.com" {
    // ...
    // ...
    type forward;
    forward only;
    // "forwarders" (not "forward { addr; }") is the statement that takes the server addresses
    forwarders { 192.41.0.1; };
};
That way, if someone in dbx.domain.com tries to query mainprinter.ch.domain.com, it will forward that query to the assigned DNS server for that zone. Since the local zone file will be empty, it will always forward there. Make sure you set up the views with the correct permissions.
Thanks, I'll need to read up on views because I have never heard of them.
Is there an inherent problem with the method I described? I thought one bonus with it would be that even if the DNS service on a site went down, the other sites could still resolve machines on that site using their cached slave zones?
The 5th edition of BIND/DNS by Cricket is out. It just came out a few months ago. I would highly recommend it.
Views allow you to set different permissions according to the network addresses. This is useful when you want branch offices to be able to query intranet servers. For further security you can use DNSSEC with key encryption. You can then create a separate public view for everybody else that may need to access only your public mail and web server, for example.
Instead of using the forward {} statement as I described above, you can also create slave servers. Additionally, you can colocate two slave servers at separate colocation sites as the central servers for all your company domains and then have all your unresolved queries for your domains point to them.
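To make the two suggestions in the replies concrete (split views from the reply above, plus slave or forward zones for the other sites' subdomains), here is a named.conf for the Swiss gateway. This is an added example, not configuration posted in the thread. The addresses of the other sites' name servers (192.21.0.1, 192.85.0.1, 192.97.0.1), the /16 prefixes, the zone file paths and the server role of 192.41.0.1 are assumptions based on the addresses quoted in the question.

```conf
// named.conf for the Swiss gateway (added example; addresses and paths are assumptions).
// One ACL for every office network. Queries from these sources get the internal view,
// which carries the private addresses; everyone else gets the external view.
acl "internal" {
    127.0.0.1;
    192.21.0.0/16;   // main office (domain.com)
    192.41.0.0/16;   // Switzerland (ch.domain.com, this site)
    192.85.0.0/16;   // Hong Kong (hkg.domain.com)
    192.97.0.0/16;   // Dubai (dbx.domain.com)
};

options {
    directory "/var/named";
};

// Views are matched top to bottom; the first match-clients that fits wins,
// so the restrictive internal view must come before the catch-all external one.
view "internal" {
    match-clients { internal; };
    recursion yes;                 // office clients use this server as their resolver

    // Master for our own subdomain. Other sites' gateways pull this zone as slaves,
    // so transfers are limited to the office networks.
    zone "ch.domain.com" {
        type master;
        file "internal/ch.domain.com.zone";
        allow-transfer { internal; };
        notify yes;
    };

    // Slave copies of the parent zone and a sibling zone. This is the OP's pilot setup:
    // internal.domain.com now resolves to 192.21.0.100 from here, and if the main office
    // link drops this server keeps answering from its copy until the SOA expire time.
    zone "domain.com" {
        type slave;
        file "slaves/domain.com.zone";
        masters { 192.21.0.1; };   // assumed address of the main office name server
    };
    zone "hkg.domain.com" {
        type slave;
        file "slaves/hkg.domain.com.zone";
        masters { 192.85.0.1; };   // assumed address of the Hong Kong name server
    };

    // Forwarding, as in the first reply, for a zone you would rather not replicate.
    // Trade-off: answers depend on the VPN to Dubai being up, and nothing survives
    // once cached TTLs expire.
    zone "dbx.domain.com" {
        type forward;
        forward only;
        forwarders { 192.97.0.1; };   // assumed address of the Dubai name server
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // never recurse for the internet at large

    // Public version of ch.domain.com: only the records that should resolve to the
    // Swiss router's public address, no internal hosts, no transfers.
    zone "ch.domain.com" {
        type master;
        file "external/ch.domain.com.zone";
        allow-transfer { none; };
    };
};
```

Two checks are worth doing after putting this in place. First, once any view is defined, every zone must live inside a view; a stray top-level zone statement makes named refuse to load, so run named-checkconf before reloading. Second, zone transfers between gateways that all use views are matched by the source address of the transfer request, so the main office master's own internal view must list the Swiss gateway's VPN-side address in its allow-transfer ACL, or the slave copy of domain.com will never arrive. Verify from inside the office with dig @192.41.0.1 internal.domain.com (expect 192.21.0.100) and from an outside host (expect only the public records, and a refused recursive query).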