Great Circle Associates Firewalls
(February 1995)

Subject: split DNS (was Re: Firewall Product Review)
From: woods @ ncar . ucar . edu (Greg Woods)
Date: Fri, 10 Feb 95 11:17:51 MST
To: mjr @ tis . com (Marcus J Ranum)
Cc: jwk @ s-s-s . com, firewalls @ GreatCircle . COM
In-reply-to: <9502100335 . AA00744 @ tis . com>; from "Marcus J Ranum" at Feb 9, 95 10:43 pm

> 	Splitting DNS is mostly done for "information hiding"
> reasons rather than for traffic control. I'll save the list my
> usual "3 reasons why DNS hiding is useless in spite of what ches sez"
> rant. [Last time, someone actually *DID* come up with a good reason: if
> you're using non-issued addresses and want to hide them]

I can think of another reason. As usual, politics is involved :-(

But we have users that send mail out with return addresses that are of
the form user@host.subdomain.ucar.edu. I want people on the net to be
able to reply to those messages, but I don't want to leave our internal
hosts' SMTP ports open to connections initiated from the outside. So, I
want to send out a wildcard MX record for *.ucar.edu which would direct
all inbound mail to our relay host (which would run "smap", be secured
in a manner as close as possible to a "bastion host", etc.). This host
then needs to be able to resolve the *real* MX/A information in order
to deliver the mail. This is another reason for going to a "split DNS"
configuration.

I know that someone will probably suggest rewriting the addresses on
the way out so that they are just "user@ucar.edu". We actually even
have a central aliases database that might make this possible.
Unfortunately, we cannot control what logins are assigned to the users
on the divisional systems (which is where the politics comes in), and
there are a number of conflicts where different users in different
divisions have the same login name.  Thus, we can't guarantee that the
"user" part in "user@host.subdomain.ucar.edu" is the same as it is in
"user@ucar.edu", so rewriting the addresses this way would be a non-trivial
undertaking to say the least. Using a split DNS is easier.

--Greg
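The wildcard-MX scheme Greg describes, worked through as an added example (this is not code from the post or from the list): two constructed zone views for ucar.edu, an external one that publishes only the relay and a `*.ucar.edu` MX, and an internal one with the real records that the relay uses for final delivery. The relay name `relay.ucar.edu` and all addresses are assumptions. The example also goes one step beyond the post by showing the RFC 1034/4592 wildcard rule that bites this setup: a wildcard at `*.ucar.edu` only matches names whose closest existing ancestor is `ucar.edu`, so publishing any external record under `subdomain.ucar.edu` silently stops the wildcard from covering `host.subdomain.ucar.edu`.

```python
"""Toy split-DNS resolver for the wildcard-MX relay scheme.

Zone data below is constructed for this example; relay.ucar.edu and the
IP addresses are assumptions, not taken from the original post.
"""

APEX = "ucar.edu"

# External view: only the relay is visible; the wildcard MX routes mail
# for any name under ucar.edu to the relay without revealing the hosts.
EXTERNAL = {
    "ucar.edu":       {"MX": [(10, "relay.ucar.edu")]},
    "relay.ucar.edu": {"A": ["192.0.2.25"]},
    "*.ucar.edu":     {"MX": [(10, "relay.ucar.edu")]},
}

# Internal view: the real records the relay needs for final delivery.
# host.subdomain.ucar.edu has no MX, so delivery falls back to its A record.
INTERNAL = {
    "ucar.edu":                {"MX": [(10, "relay.ucar.edu")]},
    "relay.ucar.edu":          {"A": ["192.0.2.25"]},
    "host.subdomain.ucar.edu": {"A": ["10.1.2.3"]},
}

# Caveat view: someone publishes one public host under subdomain.ucar.edu
# in the external zone. subdomain.ucar.edu now "exists" as an empty
# non-terminal, so *.ucar.edu no longer matches host.subdomain.ucar.edu.
EXTERNAL_LEAKY = dict(EXTERNAL)
EXTERNAL_LEAKY["www.subdomain.ucar.edu"] = {"A": ["192.0.2.80"]}

# Fix for the caveat: a wildcard MX at every level that has public records.
EXTERNAL_FIXED = dict(EXTERNAL_LEAKY)
EXTERNAL_FIXED["*.subdomain.ucar.edu"] = {"MX": [(10, "relay.ucar.edu")]}


def _ancestors(name):
    """Yield proper ancestors of a dotted name: 'a.b.c' -> 'b.c', 'c'."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def _existing_names(apex, records):
    """Names that exist per RFC 4592: every owner name plus every empty
    non-terminal between an owner name and the apex."""
    names = {apex}
    for owner in records:
        names.add(owner)
        for anc in _ancestors(owner):
            if anc == apex:
                break
            names.add(anc)
    return names


def lookup(apex, records, qname, rtype):
    """Return the RRset of type rtype for qname in this zone view.

    Wildcard rule (RFC 1034 s4.3.3, RFC 4592): a wildcard '*.<encloser>'
    is consulted only when qname does not exist and <encloser> is the
    closest existing ancestor of qname.
    """
    if qname != apex and not qname.endswith("." + apex):
        return []                       # not in this zone at all
    if qname in records:
        return list(records[qname].get(rtype, []))
    existing = _existing_names(apex, records)
    if qname in existing:
        return []                       # empty non-terminal: exists, no data
    for anc in _ancestors(qname):
        if anc in existing:             # closest encloser found
            return list(records.get("*." + anc, {}).get(rtype, []))
    return []


def mail_target(apex, records, address):
    """Host an SMTP sender would deliver 'user@domain' to, using this view:
    the lowest-preference MX exchange, else the domain itself if it has an
    A record (the classic RFC 974 implicit-MX fallback), else None."""
    domain = address.rsplit("@", 1)[1]
    mx = lookup(apex, records, domain, "MX")
    if mx:
        return min(mx)[1]
    if lookup(apex, records, domain, "A"):
        return domain
    return None


if __name__ == "__main__":
    addr = "user@host.subdomain.ucar.edu"
    print("outside world  ->", mail_target(APEX, EXTERNAL, addr))
    print("relay (inside) ->", mail_target(APEX, INTERNAL, addr))
    print("leaky external ->", mail_target(APEX, EXTERNAL_LEAKY, addr))
    print("fixed external ->", mail_target(APEX, EXTERNAL_FIXED, addr))
```

The external view sends everything to the relay and the internal view gives the relay the real destination, which is the whole point of the split. The `EXTERNAL_LEAKY` case is the check worth running against a real external zone: any record published under a subdomain turns that subdomain into a closest encloser, and mail to hosts under it then finds neither MX nor A and bounces, unless a wildcard MX is added at that level too.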

