> Not knowing what split-dns was, I googled it. If I understand it
> correctly it seems that this is only needed when you use a single,
> common domain for both internal and external systems. All our external
> systems (both between the firewall and the router, and in the DMZ) are
> in "domain.com" and all our internal systems are in "sub.domain.com",
> so we don't need split-dns, right?

Split DNS is good in that it allows:

    Internet -> (1.1.1.1)Firewall(10.0.0.1) -> DMZ (10.0.0.0/24)
                         (10.0.1.1)
                             |
                      Internal_Net (10.0.1.0/24)

Internet (Customers / etc..)
    dig www.abc.com > 1.1.1.1

Internally (From your management network)
    dig www.abc.com > 10.0.0.111

You have two zones of resolution. One for people inside the NAT, and one
for those outside the NAT. Anyone inside the NAT network will pick up the
real internal address name of the servers. People in the outside world
will see the fake routable DNAT IP address of the servers. Nobody outside
should be able to tell the difference (at least with http) that the
internal server doesn't really have an internet routable IP.
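The two-view resolution described in the reply, modelled as an added Python example that is not part of the original thread. It assumes the networks and addresses from the diagram above (10.0.0.0/24 for the DMZ, 10.0.1.0/24 for the internal net, 10.0.0.111 as the real server address, 1.1.1.1 as the DNAT address) and uses constructed zone data; the "view" and "match-clients" terms are borrowed from how BIND organises split DNS, but the code is a stand-alone model, not a BIND configuration. It also includes the check a defender usually wants: that no private address is published in the external view.

```python
"""Split-horizon ("split DNS") resolution model.

Added example, not code from the original thread. It mimics how a
resolver with two views (compare BIND 'view' blocks with match-clients)
picks an answer based on the source address of the query. All names,
addresses and zone contents are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional

# Networks behind the NAT, taken from the diagram in the post.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/24"),  # DMZ
    ipaddress.ip_network("10.0.1.0/24"),  # Internal_Net
]

# Two zone tables for the same name (constructed). The internal view
# returns the real RFC 1918 address; the external view returns the
# firewall's DNAT address that customers on the Internet should use.
ZONES: Dict[str, Dict[str, str]] = {
    "internal": {"www.abc.com": "10.0.0.111"},
    "external": {"www.abc.com": "1.1.1.1"},
}


def select_view(client_ip: str) -> str:
    """Return the view a query from client_ip is served from."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Resolve name for the given client, honouring the split views.

    Returns None when the name is not in the selected view's zone.
    """
    view = select_view(client_ip)
    return ZONES[view].get(name.lower().rstrip("."))


def find_leaks() -> List[str]:
    """Defensive check: names whose external answer is a private address.

    A private address in the external view reveals the internal numbering
    to outsiders and is unreachable for them anyway, so it should never
    appear there.
    """
    leaks = []
    for name, ip in ZONES["external"].items():
        if ipaddress.ip_address(ip).is_private:
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    # Same query from inside the NAT, the DMZ, and the Internet.
    for client in ("10.0.1.25", "10.0.0.7", "198.51.100.9"):
        print(f"{client:>13} -> www.abc.com = {resolve('www.abc.com', client)}")
    print("private addresses leaked in external view:", find_leaks())
```

Running the block prints the internal address for the two RFC 1918 clients and the DNAT address for the Internet client; `find_leaks()` returns an empty list for the constructed zones and would list any name whose external record had been copied from the internal zone by mistake.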