Public DNS with NAT IP
Barry Margolin
barmar at alum.mit.edu
Sat Nov 18 09:29:27 UTC 2006
In article <ejkucn$1ia9$1 at sf1.isc.org>,
"guy cipher" <guy.cipher at gmail.com> wrote:
> Hi Barry,
> Thank you very much indeed. You are absolutely right. What I notice is that the
> reverse zone name reflects the public IP in the current configuration
> "named.conf", which is
>
> zone "198.16.1.in-addr.arpa" in {
> type master;
> file "named.hosts.rev";
That zone name should have been 1.16.198.in-addr.arpa.
>
> What I understood from your e-mail that I should have created the reverse
> zone like below:
>
> zone "172.31.32.in-addr.arpa" in {
> type master;
> file "named.hosts2.rev";
That should be 32.31.172.in-addr.arpa.
>
> Should I delete "named.hosts.rev"? And please tell me again what the "A"
> record for the DNS server will be in the zone files. Would it be the public IP
> or the private IP?
You need *both* reverse zones -- one for inside clients, the other for
outside clients. Unless your firewall performs DNS fixups to translate
private IPs to their corresponding public IPs -- in that case you just
need the private IPs.
>
> indigo IN A 203.81.204.10
> 10 IN PTR indigo.xyz.net.
>
> or
>
> indigo IN A 172.31.32.5
> 10 IN PTR indigo.xyz.net
>
> Please advise for the correct entries in the configuration file.
You need both. The best way to do this is with views -- inside clients
get the private A record, outside clients get the public A record.
>
> Best Regards
>
> Cipher
>
> PS I haven't tried it yet, but I will do it soon.
>
>
> On 11/17/06, Barry Margolin <barmar at alum.mit.edu> wrote:
> >
> > In article <ejhl5j$192r$1 at sf1.isc.org>,
> > "guy cipher" <guy.cipher at gmail.com> wrote:
> >
> > > Hi,
> > > I'm setting up BIND 9.3 on a Solaris 9 server that has a private IP address.
> > > The firewall is mapping (NATing) the public IP to the private IP address.
> > > Let's say 198.16.1.4 -> 172.31.31.99.
> > >
> > > The current DNS server, which has a public IP, is working fine.
> > > When I copied all the configuration from the current DNS server to another
> > > server having a private IP (172.31.31.99), the configuration is the same;
> > > only the server IP is private. The DNS server is not resolving properly the
> > > queries for non-authoritative servers, but it does resolve all the A records
> > > defined in the DNS configuration.
> > >
> > > When I run 'nslookup' it generates the message "can't find server name for
> > > address 172.31.32.5". It resolves the queries from the "127.0.0.1" loopback
> >
> > You should create a reverse DNS zone for your address range to fix that
> > error. This is a quirk of nslookup -- it requires that the server be
> > able to do a reverse lookup of its own address.
> >
> > > address. Sometimes it generates "No address (A) records available."
> > >
> > > My questions are below:
> > >
> > > Is there any specific configuration for BIND when configuring a public DNS
> > > that has a private IP and NAT on the firewall?
> > > Should the A record of the DNS server reflect the "private IP" or the
> > > public IP?
> >
> > The problem isn't the A record, it's the PTR record. If you tell
> > nslookup to query 172.31.32.5, it tries to look up this PTR record.
> >
> > Another way to solve this problem is to NOT USE NSLOOKUP. It's a lousy
> > debugging tool. Use "dig" for debugging, and "host" for quick-and-dirty
> > lookups.
> >
> > --
> > Barry Margolin, barmar at alum.mit.edu
> > Arlington, MA
> > *** PLEASE post questions in newsgroups, not directly to me ***
> > *** PLEASE don't copy me on replies, I'll read them in the group ***
> >
> >
> >
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
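As an added example, not part of this thread and not BIND's own code, the script below builds the split-horizon layout Barry describes: an inside view that serves the private A record and the 32.31.172.in-addr.arpa reverse zone, and an outside view that serves the public A record and the public reverse zone. It reuses the hostname and addresses quoted in the thread (indigo, 172.31.32.5, 203.81.204.10, xyz.net); the inside ACL 172.31.0.0/16, the /24 reverse zones and the "view/zone.db" file naming are constructed assumptions. The reverse_zone_name helper also encodes the octet-reversal rule that the thread corrects twice (198.16.1 must become 1.16.198.in-addr.arpa).

```python
import ipaddress

# Constructed inventory using the thread's hostname and addresses: each host
# has the address inside clients see (private) and the one outside clients
# see (the public IP the firewall NATs to it).
HOSTS = {"indigo": {"inside": "172.31.32.5", "outside": "203.81.204.10"}}
NETWORKS = {"inside": "172.31.32.0/24", "outside": "203.81.204.0/24"}  # assumed /24s
DOMAIN = "xyz.net"
SUFFIX = ".in-addr.arpa"


def reverse_zone_name(network):
    """in-addr.arpa zone name for a /8, /16 or /24. Octets are written in
    reverse order, so 198.16.1.0/24 becomes 1.16.198.in-addr.arpa; writing
    them in forward order is the mistake corrected in the thread."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + SUFFIX


def ptr_owner(address, zone):
    """Relative owner name of the PTR record for `address` inside `zone`,
    after checking that the zone really covers the address."""
    if not zone.endswith(SUFFIX):
        raise ValueError("not an in-addr.arpa zone: " + zone)
    labels = zone[: -len(SUFFIX)].split(".")
    prefix = ".".join(reversed(labels))
    net = ipaddress.ip_network(
        prefix + ".0" * (4 - len(labels)) + "/" + str(8 * len(labels)))
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(address + " is not covered by " + zone)
    rest = str(addr).split(".")[len(labels):]
    return ".".join(reversed(rest))


def view_records(view, domain=DOMAIN):
    """Records one view serves: forward A records in `domain` plus PTR records
    in the matching reverse zone. Returns {zone: [(owner, type, rdata)]}.
    PTR targets are fully qualified (trailing dot) so they are not expanded
    with the zone origin."""
    rev_zone = reverse_zone_name(NETWORKS[view])
    forward = [(name, "A", addrs[view]) for name, addrs in HOSTS.items()]
    reverse = [(ptr_owner(addrs[view], rev_zone), "PTR", name + "." + domain + ".")
               for name, addrs in HOSTS.items()]
    return {domain: forward, rev_zone: reverse}


def named_conf(domain=DOMAIN, inside_acl=("172.31.0.0/16",)):
    """Minimal named.conf with two views. BIND tries views in order, so the
    inside view (matched on client source address) must precede the
    catch-all outside view."""
    lines = ["acl inside { " + " ".join(n + ";" for n in inside_acl) + " };", ""]
    for view, match in (("inside", "inside"), ("outside", "any")):
        lines.append('view "%s" {' % view)
        lines.append("    match-clients { %s; };" % match)
        for zone in view_records(view, domain):
            lines.append('    zone "%s" { type master; file "%s/%s.db"; };'
                         % (zone, view, zone))
        lines.append("};")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(named_conf())
    for view in ("inside", "outside"):
        for zone, records in view_records(view).items():
            print("; %s view, zone %s" % (view, zone))
            for owner, rtype, rdata in records:
                print("%s IN %s %s" % (owner, rtype, rdata))
```

Running the script prints the two-view named.conf followed by the A and PTR records each view would carry; each zone file still needs its own SOA and NS records, which are deliberately left out here. The ptr_owner check refuses an address outside the zone, which catches the kind of mismatch where a PTR owner label does not correspond to the host's actual address.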