How not to do DNS for internal domains
Here's a brief recipe for how not to do DNS for your internal domains, as illustrated by eBay:
- Allow your internal subdomains leak into your externally visible nameservers, so that when outside people query for 'sjc.ebay.com' they get back NS records instead of 'no such domain'.
- Use RFC 1918 private IP addresses in 10.*.*.* for your internal network, including the DNS servers for your internal subdomains. Such as sjc.ebay.com.
- Every so often, send out email with the envelope origin address of 'email@example.com'.
- Watch the comedy that ensues as people's mailers try to verify the
MAIL FROMby querying the nameservers for sjc.ebay.com to see if hojo.sjc.ebay.com has an MX or an A record. You know, the internal nameservers with unreachable private 10.*.*.* IP addresses.
For extra comedy, consider what happens if eBay is trying to send email to an organization that is also using 10.*.*.* IP address space internally.
Since failure to reach nameservers usually causes a temporary failure during SMTP instead of a hard failure, this is really the gift that keeps on giving. (Which means that eBay pays a price for this too, since they get to sit on all of the stalled mail until it times out in four days or so.)
(This happened some time ago, so I don't know if eBay is still sending out email with those internal addresses. The domains are certainly still leaking out, nameservers in 10.*.*.* and all.)