private network internals

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 26 20:51:25 UTC 2005


Bernd Prager wrote:

>I might embarrass myself by asking some trivial questions but I've been
>trying to search online for weeks now
>without finding a decent answer. Here I go:
>
>I'm using Linux Debian/kernel 2.6.8 and bind9 9.3.1 connected via DSL to
>the outside world.
>I have one static IP address and bind is currently used as "cache only"
>my provider's name servers.
>All my internal boxes are running Windows provided with IP address and
>host-name via DHCP 2.0 .
>All internal boxes can properly resolve all external names. Now I have
>one problem and one question:
>
>The problem:
>- My internal computer can't resolve any internal addresses e.g. stored
>in /etc/hosts.
>
DNS and /etc/hosts have nothing to do with each other.

>  Is this how a pure DNS cache is supposed to work?
>
As soon as you add "private" names and addresses, you're no longer 
running a "pure" DNS cache.

>My question:
>- How do I get DHCP provided host names for my internal computers in
>DNS? I have no authority for my provider DNS
>  (and I don't want my internal boxes to be exposed). This is entirely
>for internal use only.
>
Then set up an internal version of your zone on your nameserver. This 
should be a superset of your external zone, unless you're using NAT 
(which I assume you are since you said you had only 1 external IP 
address, but multiple clients), in which case you might want the same 
name to resolve differently in the internal version of your zone than it 
does in the external version.

>I read about dynamic DDNS and assume that's the way to go.
>
For a small number of entries, I wouldn't bother with that. Just use 
static addressing and you have no DNS/DHCP integration to configure and 
maintain. Beyond a certain number of clients, it's probably worth it to 
set up DHCP and then integrate it with DNS.

>But I don't know how to mix read-only external zones with read-write
>internal zones.
>
The key thing to remember is that you can't "fail over" query resolution 
from one version of a zone to the other. So any name that your internal 
clients need to resolve, even if it is an "external" name (and that's 
the part that is non-intuitive and confuses people), needs to be present 
in the "internal" version of the zone, even if it resolves differently 
because of NAT.

                                          - Kevin

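The split described in Kevin's reply (an internal version of the zone that is a superset of the external one, served to LAN clients, with no fall-through between the two) is what BIND 9 "views" are for. The configuration below is an added example, not part of either post; the zone name example.com, the 192.168.1.0/24 LAN, the public address 198.51.100.7, the provider forwarder 203.0.113.53 and the file paths are all assumptions standing in for Bernd's real values.

```conf
// named.conf (added example; names and addresses are assumed, not from the thread)

// Hosts that get the internal view. Include the loopback so tools run on
// the server itself see the same answers the LAN does.
acl "internal-nets" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";
    // Only the LAN may use this server as a recursive cache; the single
    // external address stays a non-recursive authoritative server.
    allow-recursion { internal-nets; };
};

// Views are matched in order: the first view whose match-clients matches
// the source address answers, and there is no fail-over to a later view
// if the name is missing from this one. The internal view must therefore
// come first and carry every name internal clients need.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    // "Cache-only" behaviour for everything that is not our zone: hand
    // recursive queries to the provider's resolver (assumed address).
    forwarders { 203.0.113.53; };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        // If DHCP/DDNS integration is added later, the DHCP server would
        // update this copy, not the external one. Left disabled here.
        // allow-update { key "dhcp-update"; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;              // never recurse for the Internet at large

    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};

// internal/example.com.zone (assumed contents): the superset. Names that
// exist externally (www, ns1) are present again with LAN addresses, plus
// the private-only hosts. A name omitted here is NXDOMAIN for the LAN,
// even if the external file has it.
//
// $TTL 1h
// @     SOA ns1.example.com. hostmaster.example.com. (
//            2005102601 1h 15m 1w 1h )
//       NS  ns1.example.com.
// ns1   A   192.168.1.1
// www   A   192.168.1.1      ; same name, inside address (NAT)
// pc1   A   192.168.1.10     ; internal-only host
// pc2   A   192.168.1.11

// external/example.com.zone (assumed contents): only what the world may see.
//
// $TTL 1h
// @     SOA ns1.example.com. hostmaster.example.com. (
//            2005102601 1h 15m 1w 1h )
//       NS  ns1.example.com.
// ns1   A   198.51.100.7
// www   A   198.51.100.7     ; the one static public address
```

Before reloading, `named-checkconf /etc/bind/named.conf` catches syntax errors in the views, and `named-checkzone example.com internal/example.com.zone` (and the same for the external file) validates each zone copy. Then `dig @192.168.1.1 www.example.com` from a LAN host should return the 192.168.1.1 record, while the same query arriving on the public address returns 198.51.100.7; a query for `pc1.example.com` from outside returns NXDOMAIN, which is the point of keeping the internal names out of the external file.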