Namespace Planning Example
The following sections explain some of the issues you must consider when planning your namespace by describing the configuration of two fictitious organizations. The first organization, which has reserved the DNS domain names reskit.com and reskit01-ext.com, has only proxy clients that support either exclusion lists or PACs. In contrast, the second organization, which has reserved the DNS domain names acquired01 - int.com and acquired01-ext.com, has no such proxy clients. Both organizations use a different domain name for their internal and external namespaces.
Reskit.com and acquired01 - int.com both need a configuration that does the following:
Exposes only the public part of the organization's namespace to the Internet.
Enables any computer within the organization to resolve any internal or external name.
Enables any computer within the organization to resolve any name from the Internet.
Moreover, both organizations have merged, and every computer from within each private namespaces must be able to resolve any name from the other namespace.
The following sections describe how both organizations have configured their external and internal namespaces to satisfy these requirements. Figure 6.27 shows this configuration.
Figure 6.27 Example Configuration of the DNS Domains Reskit.com and Acquired01-int.com
Configuring the External Namespace
In the external namespace, two zones exist: reskit01-ext.com and acquired01-ext.com. The zones contain only the records (the names and delegations) that the companies want to expose to the outside world. The server server.reskit01-ext.com. hosts the zone reskit01-ext.com, and the server server.acquired01-ext.com hosts the zone acquired01-ext.com. The names reskit01-ext.com and acquired01-ext.com must be registered with an Internet name authority.
Configuring the Internal Namespace
The internal namespace for the organization that hosts reskit01-ext.com externally is reskit.com. Similarly, the internal namespace for the organization that hosts acquired01-ext.com externally is acquired01-int.com. The server server.reskit.com hosts the zone reskit.com, and the server server.acquired01-int.com hosts the zone acquired01-int.com. The names reskit.com and acquired01-int.com must be registered with an Internet name authority.
All the computers in reskit.com support either exclusion lists or PACs, and none of the computers in acquired01-int.com support either exclusion lists or PACs.
Namespace Without Proxy Clients That Support Exclusion Lists or PACs
For a namespace in which none of the computers are proxy clients that support either exclusion lists or PACs (in this example, the namespace of acquired01-int.com), an organization must devote one or more DNS servers to maintain zones that contain all names from the internal namespace. Every DNS client must send DNS queries to one or more of these DNS servers. If a DNS server contains the zone for the top level of the organization's namespace (for example, acquired01-int.com), then it must forward those queries through a firewall to one or more DNS servers in the Internet namespace. All other DNS servers must forward queries to one or more DNS servers that contain the zone for the top level of the organization's namespace.
To make sure that any client within the organization can resolve any name from the merged organization, every DNS server containing the zone for the top level of the organization's namespace must also contain the zones that include all the internal and external names of the merged organization.
This solution places a significant load on the internal DNS servers that contain the organization's internal top-level zones. Most of the queries generated within the organization are forwarded to these servers, including queries for computers in the external namespace and in the merged organization's private namespace. Also, the servers must contain secondary copies of the merged organization's zones.
Namespace with Proxy Clients That Support Exclusion Lists or PACs
For a namespace in which all of the computers are proxy clients that support either exclusion lists or PACs (for example, the namespace of reskit.com), the private namespace can include a private root. In the internal namespace, there can be one or more root servers, and all other DNS servers must include the name and IP address of a root server in their root hints files.
To resolve internal and external names, every DNS client must submit all queries to either the internal DNS servers or to a proxy server, based on an exclusion list or PAC file.
To make sure that every client within the organization can resolve every name from the merged organization, the private root zone must contain a delegation to the zone for the top level of the merged organization.
Using proxy clients and a private root simplifies DNS configuration because none of the DNS servers need to include a secondary copy of the zone. However, this configuration requires you to create and manage exclusion lists or PAC files, which must be added to every proxy client in the network.