Split internal/external with BIND 4.9.7 for Windows NT?

John Navas jnavas at aimnet.com
Thu Jun 10 01:35:32 UTC 1999


I have a small LAN configured with private network addresses (192.168.0.0) 
that is connected to the Internet through a NAT+Firewall box (SonicWALL).
I have a hole drilled through the firewall for outside access to a Web 
server running on Windows NT4 SP5; let's say the URL is 
<http://www.mydomain.org/>.

If I put up a simple nameserver on the same Windows NT box with a hole 
drilled for DNS, then external references to that URL can get translated 
into the correct [public IP] address.  However, if I use the same DNS 
server on my internal network, then I won't get the correct internal IP 
address to reference the Windows NT box.

To solve this problem it seems that I either need to (1) run two DNS 
servers with different IP addresses for the same domain, one server bound 
to an IP address accessible only from the outside and one server bound to 
an IP address accessible only from the inside, or (2) use secure_zone "to 
separate internal and external internet address resolution on a firewall 
machine without needing to run a separate named for internal and external 
address resolution." [quote from BOG.WRI]  Are these the options, or are 
there other methods (possibly using the Microsoft DNS server)?  Which is 
the "best" option?  

In case (1), is it possible to run two instances of BIND as Windows NT 
Services with different configurations bound to two different IP addresses 
[multihomed NIC]?  If so, how do I do it?

In case (2), how do I configure secure_zone?  Do I have duplicate zone 
records in one file with different secure_zone records?  And I can see how 
to configure the secure_zone for internal access, but how do I configure it 
for external access (presumably excluding my internal network)?  

Thanks in advance for any clues you may be able to provide.  A sample 
network map follows:

                         Internet
                            | [gateway IP]
                            |
                        WAN | [public IP]
                  +---------+--------+
                  |     SonicWALL    |
                  +---------+--------+
                        LAN | 192.168.168.168
                            |
                  +---------+--------+
                  |        Hub       |
                  +-----+---+---+----+
                        |   |   +----------+
               +--------+   +------------+ |
   192.168.0.1 |             192.168.0.2 | | 192.168.0.3
     +---------+--------+      +---------+--------+
     |       Server     |      |                  |-+
     |  WWW        DNS  |      |       Client1    | |
     +------------------+      +------------------+ |
                                 |       Client2    |
                                 +------------------+


-- 
Best regards,
John  mailto:jnavas at aimnet.com  http://www.aimnet.com/~jnavas/
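
The split-horizon behaviour the post is after, modelled as an added example (this is illustrative Python, not code from the post and not BIND; BIND 4.9.x has no per-client views, which is why the post is left with two named instances or a secure_zone allow-list). It assumes the post's LAN of 192.168.0.0/24 with the server at 192.168.0.1, and uses 203.0.113.10 as a constructed stand-in for the undisclosed public IP. Beyond the post's single case, it adds the check an operator wants before publishing the external data: no answer in the external view may be an RFC 1918 address, since that both leaks the internal addressing plan and is unusable from outside.

```python
"""Split-horizon answer selection plus an external-view leak audit.

Model of the problem in the post: www.mydomain.org must resolve to the
LAN address for inside clients and to the firewall's public address for
everyone else.  Not BIND code; all addresses are constructed examples.
"""
from typing import Dict, List, Optional
import ipaddress

# RFC 1918 ranges: these must never appear in data served to the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed example data.  The public IP is a placeholder from the
# 203.0.113.0/24 documentation range, not the poster's real address.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
VIEWS: Dict[str, Dict[str, str]] = {
    "internal": {"www.mydomain.org.": "192.168.0.1"},
    "external": {"www.mydomain.org.": "203.0.113.10"},
}


def select_view(client_ip: str) -> str:
    """Choose the view from the querier's source address.

    The internal view is an allow-list: only sources inside the LAN
    prefix get it; every other source, including spoofed or unexpected
    ones, falls through to the external view.
    """
    addr = ipaddress.ip_address(client_ip)
    return "internal" if addr in INTERNAL_NET else "external"


def resolve(name: str, client_ip: str,
            views: Dict[str, Dict[str, str]] = VIEWS) -> Optional[str]:
    """Return the A record for `name` as seen by `client_ip`, or None."""
    fqdn = name if name.endswith(".") else name + "."
    return views[select_view(client_ip)].get(fqdn)


def is_private(ip: str) -> bool:
    """True if `ip` lies in any RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def audit_external_view(views: Dict[str, Dict[str, str]] = VIEWS) -> List[str]:
    """Names whose external answer is a private address.

    Such entries are a misconfiguration: they expose the internal
    address plan to the Internet and give outside clients an address
    they cannot reach.  Run this against the external data before it is
    loaded, or against answers captured from the public-facing server.
    """
    return sorted(name for name, ip in views["external"].items()
                  if is_private(ip))


if __name__ == "__main__":
    # A LAN client and an Internet client asking the same question.
    print("inside :", resolve("www.mydomain.org", "192.168.0.2"))
    print("outside:", resolve("www.mydomain.org", "198.51.100.7"))
    print("leaks  :", audit_external_view())
```

The two real options in the post map onto `select_view` differently: with two named instances bound to separate addresses, the "view" is decided by which listener the query arrived on, so the external instance must simply never be loaded with the internal data; with secure_zone, a single instance can only refuse queries from outside the allow-list, not answer them differently, so the audit above is the part that still matters if both address sets end up in one zone.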


