A recent story talked about split DNS -- how can this be done? For example, our internal DNS Start of Authority has a suffix domain of mro.com, so how can a forwarder resolve against another site with the already registered name (of mro.com)?
If you break the rules, you can do all kinds of things with DNS service configuration. You can list forwarders by IP and leave their names out. You can list the internal server at the root server level in the eyes of the internal clients and secondary servers and still go get the records for your public (invisible to the internal world) services servers from an external DNS server by forwarding. You can really have fun with the name space if you configure the DNS server to use a host file instead of DNS. Forwarding is just one way to get answers you don't locally have on hand. If your internal DNS server thinks it's the ultimate authority for the entire domain and won't forward requests for names in the domain it doesn't have, then you can make it secondary for the master domain and primary for the internal subdomain(s) so it will look elsewhere for names in the master domain it doesn't know. The O'Reilly BIND book, the BIND manual at www.isc.org, and the book Firewalls and Internet Security by Bill Cheswick and Steve Bellovin, are excellent resources for more information on managing DNS across network boundaries.
This story, "Dr. Internet" was originally published by Network World.