5

I'm working on a network restructure that has three geographical locations, but will share some services. Two of the locations have workstations, and one has only servers (in a CoLo facility). We will be running PfSense firewalls, and several hosts will provide services inside the LAN and through port-forwards to the internet.

It doesn't seem like it would be worth the hassle to run 4 different DNS views in bind, but it sounds like the load and configuration overhead in PfSense to utilize NAT Reflection would be considerable. What are the caveats to each, or is there another option?

Bryan Agee
  • 1,179
  • 2
  • 10
  • 27

2 Answers

4

After getting PfSense installed and running, it turns out that this is a non-issue; I can keep the DNS records the same everywhere, and use PfSense's DNS Forwarder and Override to filter and fix the addresses for hosts located on the same private network. Win!

Bryan Agee
  • 1,179
  • 2
  • 10
  • 27
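The approach in the accepted answer, worked through as an added example (this is not the poster's configuration): one service table is the source of truth, every site serves the same names, and each site's forwarder overrides only the services that sit behind its own firewall so local clients get the private address instead of hairpinning through NAT. The pfSense DNS Forwarder is dnsmasq, so the overrides are emitted in dnsmasq `host-record` syntax; that the file pfSense itself writes has exactly this shape is an assumption, as are all hostnames, site codes and addresses (the public ones are RFC 5737 documentation ranges).

```python
"""Split-horizon DNS from a single service table (illustrative example).

Each service is hosted at one site. If it is port-forwarded, it also has a
public address on that site's pfSense WAN. Every site serves the same zone
but overrides the records of services behind its own firewall with the
private address. All names, sites and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Service:
    name: str                  # FQDN clients use from everywhere
    site: str                  # site whose firewall the host sits behind
    private_ip: str            # RFC 1918 address inside that site
    public_ip: Optional[str]   # WAN address with a port-forward, or None


# Constructed sample table: two workstation sites (syd, lsa) and a colo.
SERVICES: List[Service] = [
    Service("mail.example.com",   "colo", "10.30.0.25", "198.51.100.25"),
    Service("www.example.com",    "colo", "10.30.0.80", "198.51.100.80"),
    Service("files.example.com",  "syd",  "10.10.0.40", "203.0.113.40"),
    # Internal-only host: no port-forward, so no public record at all.
    Service("backup.example.com", "colo", "10.30.0.90", None),
]

RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def resolve(name: str, client_site: Optional[str]) -> Optional[str]:
    """Answer a client at `client_site` should receive for `name`.

    client_site=None models a client on the internet. A client at the
    hosting site gets the private address; everyone else gets the NATed
    public address, or no answer if the service is not port-forwarded.
    """
    for svc in SERVICES:
        if svc.name != name:
            continue
        if client_site == svc.site:
            return svc.private_ip
        return svc.public_ip
    return None


def dnsmasq_overrides(site: str) -> List[str]:
    """Host-override lines for the DNS Forwarder at `site`.

    Only services behind this site's own firewall are overridden; every
    other name falls through to the public zone unchanged.
    """
    return [f"host-record={svc.name},{svc.private_ip}"
            for svc in SERVICES if svc.site == site]


def table_errors() -> List[str]:
    """Sanity checks a practitioner wants before shipping overrides.

    A private address outside RFC 1918, or a 'public' address inside it,
    means an override would leak or a port-forward would never work.
    """
    errors = []
    for svc in SERVICES:
        if not any(ip_address(svc.private_ip) in n for n in RFC1918):
            errors.append(f"{svc.name}: private_ip {svc.private_ip} not RFC 1918")
        if svc.public_ip and any(ip_address(svc.public_ip) in n for n in RFC1918):
            errors.append(f"{svc.name}: public_ip {svc.public_ip} is RFC 1918")
    return errors


if __name__ == "__main__":
    for site in ("syd", "lsa", "colo"):
        print(f"# overrides for {site}")
        print("\n".join(dnsmasq_overrides(site)) or "# (none)")
    for where in ("colo", "syd", None):
        print(where, resolve("mail.example.com", where))
    print("table errors:", table_errors())
```

The `lsa` site hosts nothing, so it gets an empty override list and resolves every name to the public address; that is exactly the case where a VPN plus the "serve everyone internal IPs" approach from the other answer would change the table rather than the resolver.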
2

How about setting up one domain per host? We use:

  • .syd.int.companyname.com
  • .lsa.int.companyname.com

Where there is a 3-letter code for each location. So when the user hits "mail", for example, it will use the domain to resolve the local mail host. Sometimes CNAMEs are used across domains when there is only one central version of a service.

Both NAT reflection and split-DNS are possible to do and will solve your problem but they are more complex to maintain and trickier to debug.

Stupid question, but why do you need to serve different DNS results anyway? Is there a star topology VPN between all the sites, or to the colo from all sites, and can't you therefore resolve the same IPs in each zone?

hellomynameisjoel
  • 2,170
  • 1
  • 18
  • 23
  • The three-letter issue doesn't really help, because what I need is private vs. public IPs, dependent on whether the service is behind the same firewall as you, and therefore NATed. Since servers reside in three locations, there is the internet view, and three others. There is not currently a VPN in place, though I'm considering that as well. – Bryan Agee Jun 01 '11 at 03:04
  • I think this is overly complicated. Serve everyone internal IPs using DNS and have the routers know how to reach those internal IPs via VPN if necessary. – hellomynameisjoel Jun 06 '11 at 07:26