The problem of internal subdomains being able to both resolve addresses
in other sub-domains -and- resolve outside Internet addresses has come
up a few times. As far as I can see, any combination of forwarder/slave
in the Server SubD won't do the trick. No forwarders line in SubD will
cause the subdomain servers to try the Internet root servers first (which,
since they are trapped by the firewall, cause time-outs). Server TopD,
on the other hand, works very well - clients pointing to it can resolve
all addresses for internal sub-domains and Internet addresses.
        Server TopD                          Server Fwall
     ---------------                        -------------
    | Authoritative |                      | Resolves    |
    | for top-level |  --forwarders-->     | Internet    |
    | local domain  |                      | Addresses   |
    |_______________|                      |_____________|
            \
        Server SubD
     ---------------
    | Authoritative |
    | for local     |
    | Sub-domains   |
    |_______________|
To summarize from the answers I received:
The internal servers must cache all internal zones.
I have implemented the quick solution offered by
no in the short run
and simply configured my SOCKS rclients to point to the external
name server (server Fwall), and left the internal scheme as it is today
(completely isolated). The unfortunate thing is that, by doing so, I can't
take advantage of the new version of SOCKS which supports versatile
clients (e.g. can use same ftp image for internal and external
connections, instead of separate "rftp" program).
Here are some thoughts for "priming the cache" of the internal servers.
Can anyone think of something less ugly?
(the following assumes that a server will first try information
in its cache before sending queries to another authority):
1) prime the cache of the subdomains by adding NS entries in
their named.ca for all other internal subdomains (then add forwarders
command pointing to external server).
2) make all subdomain servers also secondary servers for the
parent (then add forwarders command pointing to external server).
3) use subdomain servers for administrative purposes only. Make
the parent domain also secondary for all internal subdomains.
Then all clients would resolve only to the parent name servers.
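What options 2 and 3 look like as BIND 4 named.boot files, added here as an illustration; this is not from the original post or any of the replies. The zone names, file names and addresses are invented for the example, and the directive syntax is that of BIND 4 (primary/secondary/cache/forwarders/slave).

```text
; --- Option 2: named.boot on a sub-domain server (Server SubD) ---
; Hypothetical names: parent zone corp.example, sub-domain eng.corp.example,
; 10.1.0.1 = Server TopD, 10.0.0.1 = Server Fwall. All invented.
directory   /etc/namedb

; authoritative data for this sub-domain: answered from local data, never forwarded
primary     eng.corp.example        eng.corp.example.db

; option 2: carry a copy of the parent zone, so the NS delegations for every
; sibling sub-domain sit in local authoritative data rather than in a cache
; entry that has to be primed from named.ca
secondary   corp.example  10.1.0.1  corp.example.bak

; root hints (the file the post calls named.ca)
cache       .                       named.ca

; anything not answered from local data goes to Server Fwall, which can reach
; the Internet; without this line SubD tries the root servers on its own
forwarders  10.0.0.1

; only ever ask the forwarder: avoids the time-outs from root-server queries
; that the firewall drops (BIND 4 "slave"; "options forward-only" in BIND 4.9)
slave

; --- Option 3: named.boot on the parent server (Server TopD) ---
; TopD is primary for the parent and secondary for every internal sub-domain,
; so clients that point only at TopD get every internal name from local data
; and everything else through the forwarder. 10.2.0.1 and 10.3.0.1 are the
; (invented) sub-domain servers, which are then used for administration only.
directory   /etc/namedb
primary     corp.example                corp.example.db
secondary   eng.corp.example  10.2.0.1  eng.corp.example.bak
secondary   ops.corp.example  10.3.0.1  ops.corp.example.bak
cache       .                           named.ca
forwarders  10.0.0.1
slave
```

Two things to check before relying on either file. First, a secondary line only works if the server named in it actually permits the zone transfer, so each sub-domain primary must accept transfers from TopD (or TopD from the sub-domain servers, for option 2). Second, the open question in option 2 is exactly the assumption flagged above: whether a forwarding server will use the delegation it holds for a sibling sub-domain before handing the query to Fwall, which has no way to answer it. Option 3 sidesteps that question because TopD holds every internal zone authoritatively; after the change, resolve one name in a sibling sub-domain and one Internet name from a client that points only at the server under test, and treat a time-out on either as a sign the query is still leaving for the root servers.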