I have been watching the split DNS discussions and learned a lot about
the issues, good and bad, of implementing such a setup. As I am beginning to
resolve our own company's issues, I thought of another variation on
the split DNS idea without any of the drawbacks or problems normally
associated with it.
What if a company let the ISP be the primary DNS for the public network,
say mydom.com. Their internal DNS remained the primary for their internal
domain, again mydom.com. The trick would be to configure the firewall as
a DNS client of both DNS servers (ISP and internal). With the use of
proxies and filtering on the FW, no DNS leakage should happen. The proxies
should be able to resolve domain names as needed.
This also has the advantage of removing the DNS load from the firewall
and letting my ISP or existing internal server handle that traffic.
Now does anybody see any holes in this? Is the concept sound, but
implementation flawed? Any discussion/comments would be appreciated.
Kurt Kessel                            EMail: kkessel@hteinc.com
Systems Consultant/Webmaster           WWW:   http://www.hteinc.com
HTE, Inc.                              Voice: 407-841-3235
Solutions for Government & Utilities   Fax:   407-246-8835
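One way the "firewall as a client of both servers" idea above can be made concrete, as an added example that is not part of the original post: a caching resolver on the firewall (Unbound syntax is assumed here) that sends only queries for the internal zone to the internal server and everything else to the ISP, and refuses queries arriving from outside. All addresses are placeholders.

```conf
# Added example, not from the original post. Unbound resolver on the firewall.
# Internal hosts and the proxies use ONLY this resolver, so a query for an
# internal name never reaches the ISP and never leaves the perimeter.
server:
    interface: 192.0.2.1                  # firewall inside address (placeholder)
    access-control: 192.0.2.0/24 allow    # internal clients and proxies only
    access-control: 0.0.0.0/0 refuse      # outside hosts get no answers at all
    hide-identity: yes
    hide-version: yes
    # The internal zone answers with RFC 1918 addresses; allow them for this
    # zone only, so a public answer carrying a private address is still dropped
    # (rebinding protection for everything that is not mydom.com).
    private-address: 10.0.0.0/8
    private-domain: "mydom.com."
    # Assumption: the internal copy of mydom.com is not DNSSEC-signed.
    domain-insecure: "mydom.com."

# Internal view of mydom.com: ask the internal server, never the ISP.
forward-zone:
    name: "mydom.com."
    forward-addr: 10.0.0.53               # internal DNS server (placeholder)

# Everything else: ask the ISP's resolver.
forward-zone:
    name: "."
    forward-addr: 198.51.100.53           # ISP resolver (placeholder)
```

The two forward-zone blocks are what makes the firewall a client of both servers while still choosing the server by name rather than by whichever answers first, and the access-control lines are the filtering that keeps internal names from leaking to outside queriers.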