
We have a set of internal services used by our business applications.

Some of them are defined by IP. We are thinking about replacing them all with service subdomains that point to the private IPs instead.

Example:

  • data.corp.com
  • reporting.corp.com

We could add this to our router and simply keep them private, but due to VPN and worldwide offices that would not be enough.

So we are thinking about creating subdomains to an actual domain and binding them to local IPs.

Is that against recommendations? That would sort of reveal our inner structure and the private IPs of our services to everyone, and should someone get access to the network, they would know where to look.

Other than that I see no dangers.

NeutronCode
  • By "local IP" do you mean an internal IP such as 192.168.x.x? You wouldn't be able to resolve a "local IP" if the subdomain were registered with your public DNS records... you need to map the public subdomain DNS to a publicly accessible IP for the server. I.e. you'll need to set up port forwarding or have the server/firewall in the DMZ. – Kinnectus Mar 10 '15 at 10:14
  • The domain should only be used by people who have access to the IP, those that are on the same private network. So: couldn't, shouldn't, or an acceptable solution? – NeutronCode Mar 10 '15 at 10:21
  • Set up a private DNS server that is accessible by any given portion of your network. Ensure that your DHCP server hands out that server's IP as the DNS server for all your clients to use. Add A records for your private IPs on that server. – MaQleod Mar 10 '15 at 21:59

1 Answer


What you really need to do is set up separate DNS zones for internal and external consumption, where the external view is a subset of the internal view and only contains names that refer to A records in public IP address space reachable from the public Internet (a firewall is assumed), and the internal view has everything and is reachable by all business users on the internal network, including those using VPN to "get inside". This is very common and can be done with "views" on a single DNS server, or you can have two different sets of DNS servers; it all depends on what you're using for DNS service.

Google is your friend: search for "split DNS and BIND". Lots of examples and how-tos out there.

milli
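The split-horizon setup the answer describes, written out as an added example (not from the answer or the asker's environment): one BIND 9 `named.conf` with two views of `corp.com`, plus the two zone files it references. All network ranges, server addresses and the `ns1`/`www` names are constructed placeholders; only `data` and `reporting` come from the question.

```conf
// ---- /etc/bind/named.conf (BIND 9; constructed example) ----
acl "internal" {
    10.0.0.0/8;             // office LANs (placeholder range)
    192.168.100.0/24;       // VPN client pool (placeholder range)
    localhost;
};

// Views are matched in order: internal clients must be tested first,
// otherwise "any" in the external view would catch them too.
view "internal" {
    match-clients { "internal"; };
    recursion yes;          // internal users may use this as their resolver
    zone "corp.com" {
        type master;
        file "/etc/bind/zones/corp.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;           // authoritative only; never recurse for strangers
    zone "corp.com" {
        type master;
        file "/etc/bind/zones/corp.com.external";
    };
};

// ---- /etc/bind/zones/corp.com.internal (full view) ----
$ORIGIN corp.com.
$TTL 3600
@          IN SOA  ns1.corp.com. hostmaster.corp.com. ( 2015031001 3600 900 1209600 300 )
@          IN NS   ns1.corp.com.
ns1        IN A    203.0.113.53    ; public address of this server (placeholder)
www        IN A    203.0.113.10    ; public-facing site (placeholder)
data       IN A    10.0.5.20       ; private service, internal view only
reporting  IN A    10.0.5.21       ; private service, internal view only

// ---- /etc/bind/zones/corp.com.external (public subset) ----
$ORIGIN corp.com.
$TTL 3600
@          IN SOA  ns1.corp.com. hostmaster.corp.com. ( 2015031001 3600 900 1209600 300 )
@          IN NS   ns1.corp.com.
ns1        IN A    203.0.113.53
www        IN A    203.0.113.10
; no data/reporting records here, so private names and IPs are not published
```

Check the result with `named-checkconf` and `named-checkzone corp.com <file>` for each zone file, then query `dig @ns1.corp.com data.corp.com A` once from an internal address and once from outside: the internal query should return 10.0.5.20 and the external one NXDOMAIN, which confirms the private names never leave the internal view.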