
I have a domain with four name servers (two behind a firewall and two on the public network). We were required to have two of the servers behind the firewall. It's causing issues when bringing new equipment online because it sometimes needs to happen before firewall exceptions can be implemented.

If I configure devices which use LDAP authentication to point at example.com, sometimes they pick up the name servers inside the firewall and sometimes those outside. If they pick up the ones inside, authentication fails and essentially bricks the device until I can hard reset it.

Is there a way to configure what server responds to a request such as 'ping domain.com'?

I'm guessing that there is but I'm missing what to do. Thanks for any help!

EDIT: Just to clarify, I know it's not best practices but that's out of my control. My goal is to use 'domain.com' as my LDAP server so the device should be directed to one of several AD servers for authentication. I can't enter values separated by commas or the like to allow it to point to multiple servers by itself. So far it sounds like it's not possible to limit but just figured I'd explain further.

  • All your name servers should be reachable at all times, otherwise they have no business being listed as NS records in your zone. – gparent Mar 02 '15 at 16:17
  • Yes I understand your point and agree. Unfortunately it's not 'my' network. The customer insisted on the location of the primary domain controllers behind a firewall. I'm just trying to make life easier for my team. Thanks. – Brian Maxwell Mar 03 '15 at 14:47
  • Then you need to ask the system administrator to resolve the situation as you will always face such problems when having NS records for servers that cannot be reached. – gparent Mar 03 '15 at 15:10

1 Answer


You register your domain name with only external, publicly available name-servers. No discussion about it.

There might be a reason[1] to have authoritative name-servers in your internal network for the top of your domain (the whole of example.com) but they shouldn't be listed in your public DNS. That breaks stuff, as you've already experienced.

Your internal systems should be using an internal resolver (and not those of your ISP nor public services like 8.8.8.8 and 8.8.4.4). That internal resolver is (pointed at) the authoritative name-server for the internal version of the example.com zone.

The result: internal systems can see the internal IP-addresses, external systems can only see your public IP-addresses.


[1] No, there isn't. It is a kludge that will bite you in the ass. You configure a sub-domain for internal use, such as intranet.example.com, which can only be found internally, and you explicitly configure your internal systems to use internal resources.

HBruijn
  • I am referring to internal resources. No public resources are present. Your footnote does point in the right direction though. Thanks, – Brian Maxwell Mar 03 '15 at 14:46
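As an added example (not code from the original answer or from anyone in this thread), the Python script below does the check the answer implies: given a zone in which all four name servers are published as NS records, it reports which of them point at addresses the public cannot reach, and derives the external view that should actually be served, leaving the full record set for the internal resolver. The zone contents are constructed for illustration, with RFC 5737 documentation addresses standing in for the public servers and RFC 1918 addresses for the firewalled domain controllers; the names, the record layout and the list of "internal" networks are all assumptions.

```python
"""Audit a public NS delegation for name servers that are only reachable internally,
and derive the split-horizon external view.

Added example for this thread, not code from the original post or answer.
All records below are constructed; none describe a real zone.
"""
import ipaddress
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)

# Address space that is only reachable from inside the organisation. A hand-kept
# list is used instead of ipaddress.is_global because Python also classifies the
# RFC 5737 documentation ranges used for the sample's public servers as non-global.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared address space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed sample: the zone as the asker describes it, with two public name
# servers and two domain controllers behind the firewall all listed as NS.
ZONE: List[Record] = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2015030201 3600 900 1209600 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("example.com.", "NS", "dc1.example.com."),
    ("example.com.", "NS", "dc2.example.com."),
    ("ns1.example.com.", "A", "198.51.100.10"),
    ("ns2.example.com.", "A", "203.0.113.20"),
    ("dc1.example.com.", "A", "10.0.0.5"),
    ("dc2.example.com.", "A", "192.168.1.5"),
    ("ldap.example.com.", "A", "10.0.0.5"),
    ("ldap.example.com.", "A", "192.168.1.5"),
    ("www.example.com.", "A", "203.0.113.80"),
]


def is_internal_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def address_map(records: List[Record]) -> Dict[str, List[str]]:
    """Owner name -> every A/AAAA rdata the zone holds for it."""
    out: Dict[str, List[str]] = {}
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            out.setdefault(name, []).append(rdata)
    return out


def audit_delegation(records: List[Record], apex: str) -> Tuple[List[str], List[str]]:
    """Split the apex NS set into targets the public can reach and ones it cannot.

    An NS target with only internal addresses, or with no address in the zone at
    all (no glue), is counted as unreachable: a resolver that happens to pick it
    just times out, which is the intermittent failure described in the question.
    """
    addrs = address_map(records)
    reachable, unreachable = [], []
    for name, rtype, target in records:
        if name != apex or rtype != "NS":
            continue
        public = [a for a in addrs.get(target, []) if not is_internal_address(a)]
        (reachable if public else unreachable).append(target)
    return sorted(reachable), sorted(unreachable)


def external_view(records: List[Record], apex: str) -> List[Record]:
    """The zone the public should see: internal addresses are dropped, and so is
    any NS record whose target would be left without a public address."""
    addrs = address_map(records)
    kept: List[Record] = []
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA") and is_internal_address(rdata):
            continue                      # internal-view only
        if rtype == "NS":
            public = [a for a in addrs.get(rdata, []) if not is_internal_address(a)]
            if not public:
                continue                  # unreachable from outside, do not delegate to it
        kept.append((name, rtype, rdata))
    return kept


def render_zone(records: List[Record]) -> str:
    """Zone-file style text, one record per line."""
    return "\n".join(f"{name}\tIN\t{rtype}\t{rdata}" for name, rtype, rdata in records)


if __name__ == "__main__":
    ok, bad = audit_delegation(ZONE, "example.com.")
    print("publicly reachable NS:", ok)
    print("NS that must not be in the public delegation:", bad)
    print("\n; external view\n" + render_zone(external_view(ZONE, "example.com.")))
```

Run against the sample, the audit flags dc1 and dc2, and the external view keeps only ns1, ns2 and www: the internal resolver keeps serving the full record set, including ldap.example.com, so the split-horizon arrangement the answer describes is what the two outputs amount to.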