
| From: John Sellens via talk <talk@gtalug.org>

| You want a server name (FQDN) that works internally, but not externally.

| Just stick it in DNS.

Right. Here's a way you could do it. Certainly not the only way.

I run BIND on a public IP address. But it is also on my LAN.

For the public, it could be considered authoritative for my domain and is non-recursive (will only answer queries about my domain). (For accuracy I have to state, but you should ignore: it is actually a "hidden master" (for performance reasons).)

For the LAN, it is recursive and answers all DNS queries. That means it will ask other DNS servers about other domains. (It also caches answers to reduce queries to other servers.) All hosts within my LAN use it as their DNS server.

named.conf contains:

<<<<<<<<<<<<<<<<
// see http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_3496441...
// prevent cache-poisoning by outsiders using recursive queries
acl "inside" {
    127.0.0.0/8;
    ::1;
    <MY-LAN-CIDR>;
};

view "inside" {
    match-clients { "inside"; };
    recursion yes;
    allow-query { inside; };
    ....
};

view "outside" {
    match-clients { any; };
    recursion no;
    ...
};
>>>>>>>>>>
If you want to have some names in your domain public, and some private to your LAN, I think that you need two different zone files for that domain. One for your LAN and one for your domain host (i.e. where queries about your domain go). One could put a whole zone inside the "inside" view and it would only be resolved for queries from your LAN. The limited zone file would be on your domain host. I don't know whether you could split a zone between views. But if your LAN DNS server is not answering queries from outside your LAN that isn't an issue.
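The "two zone files, one per view" arrangement from the post, written out as an added example (this is not the poster's configuration, which only showed the ACL and the view skeletons). It is a BIND 9 named.conf followed by the two zone files it references. The domain example.com, the addresses (RFC 5737 documentation ranges: 192.0.2.0/24 standing in for <MY-LAN-CIDR>, 203.0.113.0/24 for the public side), the host names ns, www and nas, and the file paths under /etc/bind/zones/ are all assumptions chosen for illustration. The same zone name is declared in both views, each pointing at a different file; BIND matches views in the order they are written, so the catch-all "outside" view must come last.

```conf
// ---------- /etc/bind/named.conf (added example, assumed paths) ----------

acl "inside" {
    127.0.0.0/8;
    ::1;
    192.0.2.0/24;        // assumed LAN CIDR, stands in for <MY-LAN-CIDR>
};

// LAN clients: full recursive resolver AND the complete zone.
view "inside" {
    match-clients { inside; };
    recursion yes;
    allow-query { inside; };

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";   // assumed path
    };
};

// Everyone else: authoritative-only, and only the trimmed zone.
// Must be declared after "inside": views are tried in order, and
// match-clients { any; } would otherwise swallow the LAN too.
view "outside" {
    match-clients { any; };
    recursion no;
    allow-query { any; };   // answers only come from the zone below

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";   // assumed path
    };
};

// ---------- /etc/bind/zones/db.example.com.internal (zone-file syntax, ';' comments) ----------
$TTL 3600
$ORIGIN example.com.
@       IN  SOA ns.example.com. hostmaster.example.com. (
                2024010101  ; serial (constructed value)
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                300 )       ; negative-cache TTL
        IN  NS  ns.example.com.
ns      IN  A   203.0.113.10
www     IN  A   203.0.113.20
nas     IN  A   192.0.2.50  ; LAN-only host: exists in this file only

// ---------- /etc/bind/zones/db.example.com.external (zone-file syntax, ';' comments) ----------
$TTL 3600
$ORIGIN example.com.
@       IN  SOA ns.example.com. hostmaster.example.com. (
                2024010101  ; serial (constructed value)
                3600 900 1209600 300 )
        IN  NS  ns.example.com.
ns      IN  A   203.0.113.10
www     IN  A   203.0.113.20
; no "nas" record here, so outsiders get NXDOMAIN for it
```

To check the split after reloading, run "dig @203.0.113.10 nas.example.com +short" from a LAN host (expect 192.0.2.50) and from a host outside the LAN (expect an empty answer with status NXDOMAIN, because the outside view is authoritative for the zone and simply lacks the name); "dig @203.0.113.10 www.example.com" should answer identically from both sides, and a query for some unrelated domain from outside is not answered because that view neither holds the zone nor recurses. Two caveats a practitioner will want: the records shared by both files (here SOA, NS, ns, www) have to be edited in both places, since nothing keeps the two copies in sync, and a zone transfer is served from whichever view matches the requesting client, so if the hidden master feeds public secondaries, their addresses must not fall inside the "inside" ACL or they would receive the internal zone and publish the private names.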