== How not to do DNS for internal domains

Here's a brief recipe for how not to do DNS for your internal domains, as illustrated by eBay:

# Allow your internal subdomains to leak into your externally visible nameservers, so that when outside people query for 'sjc.ebay.com' they get back NS records instead of 'no such domain'.
# Use [[RFC 1918|http://rfc.net/rfc1918.html]] private IP addresses in [[10.*.*.*|]] for your internal network, including the DNS servers for your internal subdomains, such as sjc.ebay.com.
# Every so often, send out email with the envelope origin address of 'cmuser@hoho.sjc.ebay.com'.
# Watch the comedy that ensues as people's mailers try to verify the _MAIL FROM_ by querying the nameservers for sjc.ebay.com to see if hojo.sjc.ebay.com has an MX or an A record. You know, the internal nameservers with unreachable private [[10.*.*.*|]] IP addresses.

For extra comedy, consider what happens if eBay is trying to send email to an organization that is also using [[10.*.*.*|]] IP address space internally.

Since failure to reach nameservers usually causes a temporary failure during SMTP instead of a hard failure, this is really the gift that keeps on giving. (Which means that eBay pays a price for this too, since they get to sit on all of the stalled mail until it times out in four days or so.)

(This happened some time ago, so I don't know if eBay is still sending out email with those internal addresses. The domains are certainly still leaking out, nameservers in [[10.*.*.*|]] and all.)
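
A check for the first two steps of the recipe, as an added example that is not part of the original post: it scans the records an outside resolver would be handed and flags delegations whose nameservers sit on RFC 1918 addresses. The sample records, the names in them and the status labels are constructed for illustration.

```python
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (made-up names/addresses) of what an outside resolver sees.
SAMPLE = """
corp.example.com.     3600 IN NS ns1.corp.example.com.
corp.example.com.     3600 IN NS ns2.corp.example.com.
ns1.corp.example.com. 3600 IN A  10.1.2.3
ns2.corp.example.com. 3600 IN A  10.1.2.4
dmz.example.com.      3600 IN NS ns1.dmz.example.com.
dmz.example.com.      3600 IN NS ns-ext.example.com.
ns1.dmz.example.com.  3600 IN A  192.168.5.1
ns-ext.example.com.   3600 IN A  198.51.100.7
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse(text):
    """Return (zone -> NS names, name -> A addresses)."""
    ns, a = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2].upper() == "IN" and f[3].upper() in ("NS", "A"):
            table = ns if f[3].upper() == "NS" else a
            table.setdefault(f[0].lower(), []).append(f[4].lower())
    return ns, a

def audit(text):
    """Classify each delegation as an outside resolver would experience it."""
    ns, a = parse(text)
    report = {}
    for zone, servers in ns.items():
        addrs = [ip for s in servers for ip in a.get(s, [])]
        private = [ip for ip in addrs if is_rfc1918(ip)]
        if not addrs:
            report[zone] = "no-addresses"   # nothing to judge from this data
        elif len(private) == len(addrs):
            report[zone] = "unreachable"    # every query under it times out
        elif private:
            report[zone] = "degraded"       # some servers time out first
        else:
            report[zone] = "ok"
    return report

print(audit(SAMPLE))
```

A zone reported as "unreachable" is the case described above: a remote mailer verifying a sender address under it gets a nameserver timeout rather than 'no such domain', so the SMTP transaction fails temporarily instead of permanently.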