Private DNS zone that resolves private subdomains, and forwards to public nameserver for existing public subdomains

Solution 1:

The typical ways to achieve this are:

  • split DNS - having different DNS records on an internal DNS server...but the internal DNS server has to have all the records, and requires syncing between the internal and external servers
  • delegation - which is creating the svn.example.com zone, and having your example.com DNS servers look to svn.example.com for anything relating to *.svn.example.com (including svn.example.com itself)

One way is to delegate a subdomain like "internal.example.com" to your LAN's DNS servers. On these DNS servers you can configure a zone for internal.example.com (or i.example.com if you want it shorter), and add any records you want.

You may be able to automate the syncing of your internal and public DNS servers to use split DNS, depending on what software you are using on each of them.

A third option would be to just put the internal IP addresses in your public DNS. This may have security implications (someone could use it to trick you into connecting to their server if you aren't on your LAN), but should work and is dead simple to set up.

Solution 2:

Ultimately I ended up going with the solution described here: http://www.zytrax.com/books/dns/ch6/#stealth. That is:

  • Set up a Stealth DNS server which contains records for both public and private hosts

The main reason for this is that for my organisation's needs, duplicating a small number of public DNS records provides the following benefits:

  • Easy to understand
  • Quick initial setup

The main disadvantages are redundancy and the need to manually synchronise the stealth server with our public DNS.
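As an added illustration (not from either answer or the linked zytrax chapter), here is what the stealth server from Solution 2 looks like as a BIND 9 configuration, with the delegation from Solution 1 shown as the alternative at the end. All names, addresses and file paths (example.com, ns-int, 10.0.0.0/8, 192.0.2.0/24, the db.* paths) are assumed placeholders.

```bind
// ---- named.conf fragment on the internal (stealth) server ----
acl lan { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { lan; };     // only LAN clients can see the private view
    allow-recursion { lan; };
    allow-transfer  { none; };    // never AXFR the private records to anyone
    forwarders { 192.0.2.53; };   // everything that is not example.com goes to a public resolver
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com.internal";
    notify no;                    // do not NOTIFY the public nameservers copied into this zone
};

; ---- /etc/bind/db.example.com.internal ----
$TTL 3600
$ORIGIN example.com.
@        IN SOA ns-int.example.com. hostmaster.example.com. (
             2024010101 ; serial: bump on every manual sync with the public zone
             3600 900 604800 300 )
@        IN NS  ns-int.example.com.
ns-int   IN A   10.0.0.53
; -- duplicated from the public zone; these must be kept in sync by hand --
@        IN A   192.0.2.10
www      IN A   192.0.2.10
@        IN MX  10 mail.example.com.
mail     IN A   192.0.2.25
; -- private-only records that exist nowhere in public DNS --
svn      IN A   10.0.1.20
wiki     IN A   10.0.1.21

; ---- alternative (Solution 1): delegation added to the PUBLIC example.com zone ----
; Only internal.example.com is handed to the LAN server; nothing else is duplicated,
; but the glue A record with the LAN address is visible to the whole Internet.
internal        IN NS  ns-int.internal.example.com.
ns-int.internal IN A   10.0.0.53
```

A quick check after loading is `dig @10.0.0.53 svn.example.com` from the LAN (answers) versus `dig @10.0.0.53 example.com AXFR` from anywhere (refused), which confirms the private records resolve but cannot be bulk-transferred.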