Split internal/external with BIND 4.9.7 for Windows NT?
John Navas
jnavas at aimnet.com
Wed Jun 16 16:55:30 UTC 1999
I have a small LAN configured with private network addresses (192.168.0.0)
that is connected to the Internet through a NAT+Firewall box (SonicWALL).
I have a hole drilled through the firewall for outside access to a Web
server running on Windows NT4 SP5; let's say the URL is
<http://www.mydomain.org/>.
If I put up a simple nameserver on the same Windows NT box with a hole
drilled for DNS, then external references to that URL can get translated
into the correct [public IP] address. However, if I use the same DNS
server on my internal network, then I won't get the correct internal IP
address to reference the Windows NT box.
To solve this problem it seems that I either need to (1) run two DNS
servers with different IP addresses for the same domain, one server bound
to an IP address accessible only from the outside and one server bound to
an IP address accessible only from the inside, or (2) use secure_zone "to
separate internal and external internet address resolution on a firewall
machine without needing to run a separate named for internal and external
address resolution." [quote from BOG.WRI] Are these the options, or are
there other methods (possibly using the Microsoft DNS server)? Which is
the "best" option?
In case (1), is it possible to run two instances of BIND as Windows NT
Services with different configurations bound to two different IP addresses
[multihomed NIC]? If so, how do I do it?
In case (2), how do I configure secure_zone? Do I have duplicate zone
records in one file with different secure_zone records? And I can see how
to configure the secure_zone for internal access, but how do I configure it
for external access (presumably excluding my internal network)?
Thanks in advance for any clues you may be able to provide. A sample
network map follows:
                         Internet
                            | [gateway IP]
                            |
                        WAN | [public IP]
                   +--------+---------+
                   |     SonicWALL    |
                   +--------+---------+
                        LAN | 192.168.168.168
                            |
                   +--------+---------+
                   |       Hub        |
                   +----+----+----+---+
                        |    |    |
          +-------------+    |    +--------------+
          |                  |                   |
    192.168.0.1         192.168.0.2         192.168.0.3
  +------------------+ +------------------+ +------------------+
  |      Server      | |     Client1      | |     Client2      |
  |     WWW   DNS    | |                  | |                  |
  +------------------+ +------------------+ +------------------+
--
Best regards,
John mailto:jnavas at aimnet.com http://www.aimnet.com/~jnavas/
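For readers coming to this thread later: the split the poster describes (internal clients receive 192.168.0.1 for www.mydomain.org, everyone else receives the public address) is what BIND 9's "views" were built for, replacing both the two-instance approach and BIND 4's secure_zone. The following named.conf is an added example, not part of the original post or of any BIND distribution; it assumes BIND 9 syntax, a Unix-style directory path, and uses 203.0.113.10 as a placeholder for the real public IP, which the post does not give.

```conf
// Split-horizon named.conf for mydomain.org (added example, BIND 9 syntax).
// Addresses from the post: internal LAN 192.168.0.0/24, server 192.168.0.1.
// 203.0.113.10 is a placeholder; substitute the firewall's real public IP.

acl "internal" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";   // assumption; adjust for the platform
    // Listen on every address; the views below decide what each client sees.
    listen-on { any; };
};

// Views are matched in order, so the internal view must come first.
// Internal clients get the private address and may use this server as a resolver.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "mydomain.org" {
        type master;
        file "mydomain.org.internal";
    };
};

// Everyone else gets only the public address and no recursion,
// so the Internet-facing side cannot be abused as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "mydomain.org" {
        type master;
        file "mydomain.org.external";
    };
};

// The two zone files differ only in the A record for www
// (each also needs the usual SOA and NS records):
//
//   mydomain.org.internal:  www   IN A   192.168.0.1
//   mydomain.org.external:  www   IN A   203.0.113.10   ; placeholder public IP
```

After loading, querying from a 192.168.0.x host and from an outside address should return the two different A records; if both return the public one, check that the client's source address actually falls inside the "internal" ACL (NAT can rewrite it).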