Using Stub Zones for External Web Servers

I always recommend a split DNS when you host your own Web and mail services. It is the only way to go in that situation, because it gives transparent access to users who move between the internal and external networks: they never need to remember different names for the same resource, and they never need to reconfigure their client applications for their current location.

However, the split DNS is not such an elegant solution when you are not hosting your own services. For example, suppose your internal domain name is msfirewall.org and you have created a split DNS, with internal and external zone files and servers for msfirewall.org. That works well while you host your own Internet-facing resources, but if those externally accessible resources live on someone else's servers, things can get problematic.

I usually recommend creating a static entry for the external server in your internal zone file, so that internal users can reach it by the same name. This works well when your external addresses don't change, which is the case most of the time. But if your hosting service has an unstable addressing scheme, or is simply customer-unfriendly and changes your external server addresses without telling you, things get complicated fast.

What's the best way to deal with this? Check out this nice tip from Money Penney on the ISAServer.org Web boards:

“Using Stub records for external web servers.
To make managing external resources that need to be accessed in the same namespace, such as externally hosted web servers, easier, I have used Stub zones with success. Often web hosting companies make changes to their servers and address space, making it painful to manually update your A record to point to the correct external IP address. Stub records can help get around this.

For example, let's say your domain is xyz.com and you have a website at www.xyz.com that is hosted externally by a web hosting provider; I would create a stub zone called www under the xyz.com forward lookup zone in DNS that has the external DNS servers that are responsible for your xyz.com domain name resolution externally (often the web host, your ISP, or a DNS hosting provider). Then whenever an internal client looks up www.xyz.com, the DNS server refers the request to the external DNS servers and returns the correct external IP address.

So far this has worked well for me and has required zero maintenance, but perhaps people can see a problem with this or know of a better way?”

My answer to him is that I don’t see any problems at all, and that it’s a clever solution to a rare problem!
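On a Windows DNS server the tip above translates into the following PowerShell; this is an example added here, not code from the original post or the forum thread. It assumes the DnsServer module (Windows Server 2012 or later) and an AD-integrated xyz.com zone, and the master addresses 192.0.2.10 and 192.0.2.11 are placeholders from the documentation range. It first checks that each external master actually answers for the name, because the stub zone hands every www.xyz.com lookup to those servers, and a master that does not serve the name leaves internal clients with no answer.

```powershell
# Added example (not from the original post). Placeholders: internal
# AD-integrated zone xyz.com on this server; external authoritative servers
# 192.0.2.10 and 192.0.2.11 (RFC 5737 documentation addresses).
$name    = 'www.xyz.com'
$parent  = 'xyz.com'
$masters = @('192.0.2.10', '192.0.2.11')

# 1. Sanity check: every master must answer for the name from its own data.
#    A master that cannot resolve it would make the stub zone useless.
foreach ($m in $masters) {
    $answer = Resolve-DnsName -Name $name -Type A -Server $m -DnsOnly -ErrorAction Stop
    if (-not $answer) { throw "Master $m does not resolve $name" }
    Write-Host ("{0} answers {1} -> {2}" -f $m, $name, ($answer.IPAddress -join ', '))
}

# 2. Remove any leftover static A record for www in the internal zone, so the
#    external masters become the single source of truth for this name.
Get-DnsServerResourceRecord -ZoneName $parent -Name 'www' -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $parent -Force

# 3. Create the stub zone for www.xyz.com, replicated to all DNS servers in the forest.
Add-DnsServerStubZone -Name $name -MasterServers $masters -ReplicationScope 'Forest' -PassThru

# 4. Verify from the internal server: the answer should now match what the masters return.
Resolve-DnsName -Name $name -Type A -Server 'localhost' -DnsOnly |
    Format-Table Name, IPAddress -AutoSize
```

If the provider publishes www only as a record inside xyz.com rather than as a zone of its own, the stub has no SOA or NS records to copy; a conditional forwarder for www.xyz.com (Add-DnsServerConditionalForwarderZone) gives the same referral without that requirement.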

Link to the discussion thread: http://forums.isaserver.org/m_260035900/mpage_3/ke…

Thanks!

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: [email protected]

MVP — ISA Firewalls
