Men and Mice


Can I use forwarders with internal root name servers?

Answered Friday, October 12, 2001

> I am responsible for the "internal" DNS of a large organization. I'm
> having trouble designing a configuration that will satisfy two requirements:
>
> 1) All e-mail leaving the company must do so through a particular machine
> where it can be scanned for harmful content and logged. To me, this presents a
> strong case for using internal root name servers and wildcard MX records.

Yes, I agree.

> 2) Our users access the Internet through a packet-filtering firewall and must
> be able to resolve names in the Internet namespace. This to me seems to
> rule out using internal roots.

Yes, I agree with that, too.

> I'm certain that others must have similar requirements, but I've not seen a
> good solution. I've had mixed success by configuring our internal name
> servers with their "hints" file pointing to our internal roots and listing the
> firewall machine as a forwarder.

That's not going to work. Whether or not the resolution works will depend
on how quickly the forwarder responds, which isn't predictable.

> If I query for MX records for an external domain, the answer I get depends
> on which machine (the internal root or the forwarder) answers first. If the
> internal root is faster, I get the MX records for our scanning machine and
> that's what I want. If, however, the answer comes back from the forwarder
> first, I'll get MX records for the external domain's *real* mail servers that
> I can't use. Worse yet, these (undesirable) MX records get cached, making
> it less likely that the internal root server will prevail in future contests.

What's really happening is that your name server always queries the
forwarder first, then falls back to iterative name resolution (starting from the
internal roots) if it times out waiting for the forwarder.

> Is there a solution to this dilemma? Thanks for any guidance you can provide!

I'd dump the forwarder and use your mail transport agent's configuration
to shunt all outbound mail through a relay (e.g., using Sendmail's "smart
relay" feature).

cricket
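As an added illustration of the two designs the answer contrasts (this is not part of the original question or answer, and the host names, addresses and file names in it are assumptions): the first `named.conf` fragment is the mixed configuration the questioner describes, which BIND treats as "forward first", so the forwarder is asked before the internal roots and wins whenever it answers within the timeout; the second is the design Cricket recommends, with no forwarders at all and the mail-routing requirement moved into Sendmail's smart-host setting.

```text
# --- named.conf as the question describes it (BIND 8 syntax) ---
# Hints name the internal roots, and a forwarder is also listed. A forwarders
# list means "forward first" unless told otherwise: named asks the forwarder,
# and only iterates from the hint zone if the forwarder times out. Whichever
# answer arrives is cached, so a "real" external MX, once cached, is what
# every later query sees until it expires.
options {
    directory "/var/named";
    forwarders { 192.0.2.1; };      # the firewall machine (assumed address)
    # forward first;               # the default whenever forwarders are listed
};

zone "." {
    type hint;
    file "internal.root.hints";   # the internal root servers
};

# --- named.conf as recommended: no forwarders, ordinary Internet roots ---
options {
    directory "/var/named";
    # No "forwarders" statement: every lookup iterates from the root hints,
    # so an external domain's MX answer no longer depends on who replied first.
};

zone "." {
    type hint;
    file "named.root";            # the standard public root hints file
};

# --- sendmail.mc: mail routing moved out of DNS ---
# SMART_HOST hands every message this host cannot deliver locally to the named
# relay, whatever the recipient domain's MX records say; this is the "smart
# relay" feature the answer refers to. The square brackets tell Sendmail to
# use the relay's address record directly instead of doing an MX lookup.
define(`SMART_HOST', `[mailscan.example.com]')dnl
```

Two things follow from this design that are easy to miss. The packet filter has to let the internal name servers reach Internet name servers on port 53 (UDP and TCP), because without a forwarder they now do the iteration themselves. And since MX records no longer steer mail, nothing in DNS stops a desktop from connecting to an external mail server directly; the filter should allow outbound port 25 only from the scanning relay so that the Sendmail setting cannot be bypassed.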