Firewall Wizards mailing list archives

DNS behind a firewall with multiple domains?


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Fri, 12 Mar 1999 15:12:26 -0500 (EST)

Here's a bread-and-butter question, with a twist.  I'm surprised if our
configuration is really unique; so I'm wondering if what I'm about to
try has been done before.

Behind our firewall(s), we have multiple domains with no common root
(e.g., some are *.gov, some are *.mil).  Each domain has its own name
server, but there can be no single authoritative name server.

We had been running a DNS server on a bastion host.  Each domain's name
server was forward-only to that server.  That server allowed glue
records, and had pointers back to the local name servers.  So, it could
resolve everything both inside the firewall and outside.

We are now going over to a vendor-managed firewall service.  Don't read
me the reasons against this: it's worse than you think.  If we have a
need that they don't have a script for, we have to figure out how to do
it, and then get charged for them doing it.  But this was Mandated From
On High.  Other than that, in all fairness, the normal service is good.
The loss of control over data security was accepted as a reasonable
business risk.

DNS is such a need.  This particular brand of firewall runs a DNS
proxy, 'dnsd', that maintains no DNS records itself - it just passes on
queries and caches the answers.  We haven't moved our DNS over to it,
but it's part of the mandate to do so.  So I have to figure out how.

The problem: we need a name server that will accept queries, recurse on
those for which it has LOCAL records for name servers, and forward the
rest to the firewall.  This doesn't seem to be a normal configuration
for either BIND 4 or BIND 8 [with which I don't have a lot of experience
yet].  We don't want the - necessarily internal - DNS server going off
and recursing to a name server outside the firewall: it won't get there.
We don't want it forwarding all of its queries to the firewall: they
would then get sent outside, where they would never get resolved.  (The
firewall's limit on number of name servers it can remember is far less
than the number of internal domains.)

We have been running BIND 4.9.7.  We are running it because we have a
way to use the glue records with it on the old firewalls, and the
people working on that hadn't figured out how to use BIND 8 to get the
same effect.  For my part, I can't see how to use either BIND 4 or BIND
8 to get the new effect, so I am set to modify BIND 4 [which I've
modified before] to allow a command to forward only if a query is not
local, and to recurse on "local" queries.

Has anyone had a configuration like this before?  Does anyone know of a
way to subvert, excuse me, use BIND to do what we need to do?

Thanks.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-A/B
-----------------------------------------------------------------------
        PLEASE ... send or Cc: all "COSPO/OSIS Computer Support"
                     mail to sys-adm () cospo osis gov
-----------------------------------------------------------------------
      This message is not an official statement of COSPO policies.
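One way to get the split behaviour the post asks for with stock BIND, as an added example that is not part of the original message: a named.conf for BIND 8.2 or later (or BIND 9), which support per-zone `forward` overrides. The addresses (192.0.2.1 for the firewall's dnsd proxy, 10.1.0.53 and 10.2.0.53 for the internal zones' own servers) and the zone names are hypothetical placeholders.

```bind
// Added example, not from the original post. Assumes BIND 8.2+/9.
// Placeholders: 192.0.2.1 = firewall dnsd proxy, 10.1.0.53 / 10.2.0.53 =
// the internal domains' own name servers, zone names are hypothetical.

acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; };   // only inside hosts may use this resolver
    // Default path: anything this server has no local rule for goes to the
    // firewall's DNS proxy and nowhere else. "only" stops it from ever
    // trying root or external servers, which are unreachable from inside.
    forward only;
    forwarders { 192.0.2.1; };
};

// Per-zone override: queries under each internal domain are sent to that
// domain's own authoritative server instead of the global forwarder. This
// gives the same result as the glue-record pointers on the old bastion
// host, without the firewall having to know every internal name server.
zone "agency-a.gov" {
    type forward;
    forward only;
    forwarders { 10.1.0.53; };
};

zone "unit-b.mil" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; };
};

// Reverse zones for internal address space need the same override, or
// PTR lookups for internal hosts are sent to the firewall and fail.
zone "1.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.1.0.53; };
};

zone "2.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.2.0.53; };
};
```

Each internal domain's existing server keeps its own zone data unchanged; only this resolver needs a `zone` stanza per internal domain, and any domain without one falls through to the firewall.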


