A Split Namespace

Many organizations would like to advertise different zone data to the Internet than they do internally. In most cases, much of the internal zone data is irrelevant to the Internet because of the organization’s Internet firewall. The firewall may not allow direct access to most internal hosts and may also translate internal, unregistered IP addresses into a range of IP addresses registered to the organization. Therefore, the organization may need to trim out irrelevant information from the external view of the zone or change internal addresses to their external equivalents.

Unfortunately, the Microsoft DNS Server doesn’t support automatic filtering and translation of zone data. Consequently, many organizations manually create what have become known as “split namespaces.” In a split namespace, the real namespace is available only internally, while a pared-down, translated version of it, called the shadow namespace, is visible to the Internet.

The shadow namespace contains the name-to-address and address-to-name mappings of only those hosts that are accessible from the Internet through the firewall. The addresses advertised may be the translated equivalents of internal addresses. The shadow namespace may also contain one or more MX records to direct mail from the Internet through the firewall to a mail server.

Since Movie U. has an Internet firewall that greatly limits access from the Internet to the internal network, we elected to create a shadow namespace. ...
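Since the Microsoft DNS Server will not filter or translate zone data for you, the shadow namespace has to be derived by hand (or by a script) from the real one. The following is an added example, not code from the book: it derives a shadow zone from a constructed internal view of movie.edu, keeping only the firewall-reachable hosts, rewriting their unregistered addresses to the registered (here, documentation-range) equivalents, and dropping any MX record whose target would not be visible from the Internet. The hostnames, addresses and NAT mappings are all constructed.

```python
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)

# Constructed internal ("real") view of movie.edu, using RFC 1918 addresses.
INTERNAL_ZONE: List[Record] = [
    ("movie.edu.", "MX", "10 postmanrings2x.movie.edu."),
    ("www.movie.edu.", "A", "10.1.0.10"),
    ("postmanrings2x.movie.edu.", "A", "10.1.0.25"),
    ("payroll.movie.edu.", "A", "10.1.0.50"),   # internal-only host
    ("wormhole.movie.edu.", "A", "10.2.0.1"),   # internal-only host
]

# Hosts the firewall lets the Internet reach, and the firewall's translation of
# their internal addresses (constructed; 192.0.2.0/24 stands in for the
# organization's registered block).
REACHABLE: Set[str] = {"www.movie.edu.", "postmanrings2x.movie.edu."}
NAT_MAP: Dict[str, str] = {"10.1.0.10": "192.0.2.10", "10.1.0.25": "192.0.2.25"}


def build_shadow_zone(internal: List[Record], reachable: Set[str],
                      nat_map: Dict[str, str]) -> List[Record]:
    """Return the shadow zone: reachable hosts only, addresses translated,
    MX records kept only when their target is itself advertised."""
    shadow: List[Record] = []
    for owner, rtype, rdata in internal:
        if rtype == "A" and owner in reachable:
            if rdata not in nat_map:
                # A reachable host with no translation would leak an internal address.
                raise ValueError(f"no external address for {owner} ({rdata})")
            shadow.append((owner, "A", nat_map[rdata]))
        elif rtype == "MX":
            _pref, target = rdata.split()
            if target in reachable:
                shadow.append((owner, "MX", rdata))
    return shadow


def reverse_records(shadow: List[Record]) -> List[Record]:
    """PTR records for the translated addresses (the address-to-name half)."""
    ptrs: List[Record] = []
    for owner, rtype, rdata in shadow:
        if rtype == "A":
            rev = ".".join(reversed(rdata.split("."))) + ".in-addr.arpa."
            ptrs.append((rev, "PTR", owner))
    return ptrs


if __name__ == "__main__":
    shadow = build_shadow_zone(INTERNAL_ZONE, REACHABLE, NAT_MAP)
    for rec in shadow + reverse_records(shadow):
        print("%-40s IN %-4s %s" % rec)
```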
