Split-brain DNS is not always a bad idea (what is internal should be internal and what is DMZ/external should be external). You probably can do one of two things for this. I am assuming that you don't own the DNS server that is authoritative for the zone (thisclient.com). I agree you could set up a thisclient.com DNS zone on a DNS server you own within your site (as long as the client is using that DNS server for resolving); if not, then you are going to have to access the DNS server that is authoritative for the zone and make the A records there. I doubt you will have luck allowing a zone transfer from the master across the VPN pipe if the primary DNS server is on the other side of the VPN tunnel (especially if you have the tunnel locked down, which you should).

Z
Edward E. Ziots
Security Engineer
CISSP, Security+, Network+

> From: [email protected]
> Date: Wed, 22 Feb 2012 12:18:05 -0500
> Subject: Re: DNS-y
> To: [email protected]
>
> On Wed, Feb 22, 2012 at 10:43 AM, David Lum <[email protected]> wrote:
> > We have a VPN tunnel to a client, and we've been asked to make some DNS
> > entries for Thisclient.com addresses and frankly, I don't know how to do it
> > or even how to Google for it. They gave us a list of IPs that need to have
> > entries.
>
> You can tell your DNS server to claim authority for whatever you
> want, and as long as your DNS clients are using that DNS server for
> all lookups, you'll get what you told it to say. So claim authority
> for new zones, named <host1.thisclient.com>, <host2.thisclient.com>,
> etc., and put in the A records at the origin level. Any time their IP
> addresses change, they'll have to tell you.
>
> > I could do DNS forwarding but that would disable us being able to get to
> > thisclient.com's external websites, wouldn't it?
>
> Yup.
>
> (Aside: This is yet another example of why split DNS is a bad idea.
> Too bad for you, your client doesn't know that.)
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
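Ben's per-host-zone approach, as an added example that is not from the thread, written for the Windows DNS Server PowerShell module (Windows Server 2012 and later; on older servers the same steps are done with dnscmd). The host names and 10.20.30.x addresses are placeholders for the client's list. Claiming only the exact names you were given leaves www.thisclient.com and the rest of the client's public zone resolving normally, which is the breakage David was worried about.

```powershell
# Added example, not code from the thread. Run on the DNS server (or a host
# with the DnsServer RSAT module) that your internal clients use for all lookups.
# Placeholder data: replace with the client's real host names and VPN-side IPs.
$clientHosts = @{
    'host1.thisclient.com' = '10.20.30.11'
    'host2.thisclient.com' = '10.20.30.12'
}

foreach ($fqdn in $clientHosts.Keys) {
    # One primary zone per host name: this server is authoritative for that
    # exact name only. Any other name under thisclient.com (www, mail, ...)
    # is not covered by a local zone and still goes out via normal recursion.
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $fqdn -ZoneFile "$fqdn.dns"
    }

    # An A record at the zone origin ('@') is what answers a query for the
    # FQDN itself. Short TTL so a change the client reports is picked up quickly.
    Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' `
        -IPv4Address $clientHosts[$fqdn] -TimeToLive ([TimeSpan]'01:00:00')
}

# Verification from the server's own point of view:
#  - the claimed names must come back with the VPN-side addresses,
#  - a name you did NOT claim must still resolve to the client's public address.
Resolve-DnsName -Name 'host1.thisclient.com' -Type A -Server localhost
Resolve-DnsName -Name 'www.thisclient.com'   -Type A -Server localhost

# List what was created so nobody later mistakes these for the client's real zone.
Get-DnsServerZone | Where-Object { $_.ZoneName -like '*.thisclient.com' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated
```

If you instead create a single thisclient.com zone (Edward's first option), every name you did not add, www included, will come back NXDOMAIN from your server, so that variant needs the complete list of the client's public names as well.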
