Caching-only nameserver for internal network

Michiel Kreutzer mkreutzer at my-deja.com
Thu Aug 19 22:08:57 UTC 1999


In article <4.2.0.58.19990819124440.00b487b0 at tornado.acmebw.com>,
  Matt Larson <matt at acmebw.com> wrote:
> The name server on the firewall doesn't need to forward to your ISP's name
> server.  If it's got a root hint zone configured with the current list of
> root name servers (ftp://ftp.rs.internic.net/domain/named.cache), your
> firewall name server can resolve anything.
>
I know that, but that's not what I want. For security, the firewall
denies all traffic on port 53 except to and from the ISP nameserver. Can
I remove the root hint zone from /etc/named.conf now?

> >I have not set up a
> >domainname for my intranet, and I wonder if I need to.
>
> Even if you don't need one now, you'll probably need one later.  Better to
> get and use a legitimately registered domain name than a made-up one.
I don't understand. Why would I want to register a domain for
192.168.*.* IPs that are not visible to the outside world? What's the
use of having a domain name nobody will ever see or connect to? Maybe I
should rephrase the question: like there are free IP numbers for private
networks, what rules do private domain names have to satisfy for private
networks? And how do I make sure that this domain never gets to the
outside world?

> The name server on the firewall is not using /etc/hosts on the
> firewall.  You can use a tool like h2n to convert /etc/hosts to files
> readable by the name server.
OK. I'll consider that, but maybe it is not necessary to use DNS for a
small network at home. I thought that would be too much trouble. From
other input I have received, I have modified the /etc/named.conf in the
following way:

added to options:
        // we only serve ourselves and the local 192.168.1 network;
        // the outside world should not query us.
        listen-on {
                127/8; 192.168.1.0/24;
        };
added a reverse DNS zone:
zone "1.168.192.in-addr.arpa" {
        type master;
        file "named.local";
};

I didn't change named.local. Everything is working now, but there is
quite some communication going on between my firewall and my ISP
nameserver, even if I am not doing anything requiring lookups.

Am I doing something foolish or insecure, or am I getting the reverse of
what I set out to do, i.e. reduce DNS traffic? I don't understand.

> I'd recommend O'Reilly's "DNS and BIND" book, which specifically covers
> migrating from a hosts file using h2n.
>
> Matt
I tried to buy it today, but I work in a small university town (Delft,
the Netherlands) where for some reason I can find a bookshop that has
it. Maybe in the weekend. I am very happy there is usenet in such
moments, and that there are people who help out. Thanks for your input!

Michiel

--
M.T. Kreutzer
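The setup discussed in this thread, a caching-only BIND nameserver behind a firewall that only allows port 53 traffic to and from the ISP's nameserver, written out as an added example named.conf (not the poster's file or a BIND distribution file). It assumes BIND 8/9 option syntax; 192.0.2.53 is a placeholder for the ISP's nameserver address, and the zone file names are made up.

```conf
// Caching-only resolver for an internal 192.168.1.0/24 network.
// Added example, not the original poster's configuration.
// 192.0.2.53 is a placeholder for the ISP's recursive nameserver.
options {
        directory "/var/named";

        // Hand every query that cannot be answered from cache to the ISP.
        forwarders { 192.0.2.53; };

        // "forward only" means BIND never falls back to the root servers.
        // Without it, a failed forward makes BIND try the roots directly,
        // which the firewall blocks, producing timeouts and retry traffic.
        // With it, the root hint zone is never consulted and can be omitted.
        forward only;

        // Answer only on loopback and the internal interface, and only for
        // internal clients; the outside world must not be able to query us.
        listen-on { 127.0.0.1; 192.168.1.0/24; };
        allow-query { 127.0.0.1; 192.168.1.0/24; };
};

// Standard loopback reverse zone; named.local normally contains only
// the PTR record for 127.0.0.1.
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

// Reverse zone for the internal network, with its own zone file holding
// one PTR record per internal host (hypothetical file name).
zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.192.168.1";
};
```

The internal reverse zone is given its own zone file because named.local, as shipped with most BIND installations, maps only 127.0.0.1; reusing it for 1.168.192.in-addr.arpa would answer lookups of 192.168.1.1 with localhost.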

