please help a DNS novice

Kevin Darcy kcd at daimlerchrysler.com
Wed Dec 6 00:06:39 UTC 2000


Sivakumar Thiyagarajan wrote:

> Hi gurus,
>
> I am confused about the domain concepts in private isolated networks. Here's my setup:
>
> I have two networks -
> NET-A with machines A1, A2, A3 ... and another network
> NET-B with machines B1, B2, B3 ... and a gateway "GATE"
> connecting these two.
>
> I want to run a primary DNS on "GATE" so that NET-B and NET-A can access each other for ftp, telnet and all that stuff. Both the networks are isolated, i.e. not connected to the internet.
>
> Q1 what should the domain fields be for the named.conf file?
> can it be anything? i.e. can I name the domain as "DOM"
> and declare my "NS" as "GATE.DOM." ?

For an isolated network, you can basically use whatever names you want. But be aware that named *always* wants access to a root zone. If you're completely isolated, therefore, you need to
set up your own root zone. If you intend to *stay* isolated, and don't have very many names, you could in fact put *everything* into that root zone. This has certain benefits, but tends to
get unwieldy when the namespace grows.

> Q2 In future if NET-B gets connected to the internet then
> how will that affect my setup?

Depends on what you mean by "connected to the Internet". If you want your clients to be able to resolve Internet names, then you'd have to abandon your internal root zone and figure out
some way of allowing "GATE" to send queries to the Internet through the firewall -- assuming there *is* a firewall -- or to use some other nameserver as a forwarder to the Internet. Also,
you would want to make sure that whatever domains you use internally don't conflict with real Internet domains, otherwise your internal names might end up "hiding" some Internet ones. Note
that clients behind a proxy-type firewall may not need to be able to resolve Internet names -- they can't connect to those addresses anyway, so why bother? A lot of folks seem to just
*assume* that because they are "connected to the Internet", that they must make Internet names visible to all clients. In many cases that's not necessary, and oftentimes you lose a lot of
manageability/scalability/robustness when moving from an internal-root architecture to one based on forwarding.

> Q3 Can someone please post a rough reverse-map file for NET-A?

$TTL 6h
; SOA fields: primary nameserver, responsible mailbox (dns@gate.internal),
; then ( serial refresh retry expire minimum )
@      soa gate.internal. dns.gate.internal. ( 1 14400 600 3000000 3600 )
       ns gate.internal.
; one PTR per host; the owner is the last octet, relative to the zone origin,
; and the targets are dot-terminated so they are not relative to it
1      ptr a1.internal.
2      ptr a2.internal.
3      ptr a3.internal.
; ... and so on, one PTR record per address

(Example values only, of course.)

Note that if you put everything into an internal root zone, you'd only need 1 SOA but you should put some thought into how you want to structure the rest of the zone file. If you think you
may want to split out separate zones in the foreseeable future, you may opt to "cluster" names together under $ORIGIN directives, or possibly even use $INCLUDE files. If you decide against
using $ORIGIN, then I'd recommend that at least you form the habit of dot-terminating all names in the zone file -- even though it's not technically necessary -- in order to form good
habits for the future.

                                                                        - Kevin
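The reverse-map layout above, as an added example that is not part of Kevin's post or of BIND itself: a Python script that builds a /24 in-addr.arpa zone from a host table in that same layout, refuses network/broadcast and duplicate addresses, and lints PTR targets for a missing trailing dot, which is the mistake the dot-terminating advice guards against (a relative target silently gets the reverse zone's origin appended). The network 192.168.1.0/24, the serial and the host list are constructed sample values; the names gate.internal. and a1.internal. follow the post's own example.

```python
"""Added example (not from the original post): generate a /24 reverse-map
zone in the layout shown above and lint PTR targets for missing trailing dots.
Network, serial and hostnames below are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Soa:
    mname: str                  # primary nameserver, e.g. "gate.internal."
    rname: str                  # responsible mailbox with '@' written as '.'
    serial: int
    refresh: int = 14400
    retry: int = 600
    expire: int = 3000000
    minimum: int = 3600         # negative-caching TTL


def absolute(name: str) -> str:
    """Force a name to absolute form. A relative PTR target silently gets
    the reverse zone's origin appended by named, so "a2.internal" would
    become "a2.internal.1.168.192.in-addr.arpa."."""
    if not name or name == "." or ".." in name:
        raise ValueError(f"bad domain name {name!r}")
    return name if name.endswith(".") else name + "."


def reverse_origin(network: ipaddress.IPv4Network) -> str:
    """Origin of the in-addr.arpa zone for a /24: the three network octets reversed."""
    if network.prefixlen != 24:
        raise ValueError("this generator handles /24 networks only")
    a, b, c, _ = str(network.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def reverse_zone(network: str, soa: Soa, hosts: dict, ttl: str = "6h") -> str:
    """hosts maps IPv4 address -> hostname; relative hostnames are made absolute."""
    net = ipaddress.IPv4Network(network)
    mname = absolute(soa.mname)
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {reverse_origin(net)}",
        f"@    IN SOA {mname} {absolute(soa.rname)} ( {soa.serial} "
        f"{soa.refresh} {soa.retry} {soa.expire} {soa.minimum} )",
        f"     IN NS  {mname}",
    ]
    seen = set()
    for addr in sorted(hosts, key=ipaddress.IPv4Address):
        ip = ipaddress.IPv4Address(addr)
        if ip not in net:
            raise ValueError(f"{ip} is outside {net}")
        if ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is the network or broadcast address")
        last = int(ip) & 0xFF          # owner name is the last octet, relative to $ORIGIN
        if last in seen:
            raise ValueError(f"duplicate PTR for {ip}")
        seen.add(last)
        lines.append(f"{last:<4} IN PTR {absolute(hosts[addr])}")
    return "\n".join(lines) + "\n"


def relative_targets(zone_text: str) -> list:
    """Lint: return (line number, target) for every PTR whose target is not
    dot-terminated. Text after ';' is a comment; $-directives are skipped."""
    found = []
    for lineno, raw in enumerate(zone_text.splitlines(), start=1):
        tokens = raw.split(";", 1)[0].split()
        if not tokens or tokens[0].startswith("$"):
            continue
        if any(t.upper() == "PTR" for t in tokens) and not tokens[-1].endswith("."):
            found.append((lineno, tokens[-1]))
    return found


# Constructed sample zone: line 5 carries the classic missing-dot mistake.
SAMPLE_BAD_ZONE = """\
$TTL 6h
@      soa gate.internal. dns.gate.internal. ( 1 14400 600 3000000 3600 )
       ns gate.internal.
1      ptr a1.internal.
2      ptr a2.internal
3      ptr a3.internal.
"""

if __name__ == "__main__":
    soa = Soa("gate.internal.", "dns.gate.internal.", serial=2000120601)
    hosts = {"192.168.1.1": "a1.internal", "192.168.1.2": "a2.internal.",
             "192.168.1.3": "a3.internal"}       # constructed addresses
    print(reverse_zone("192.168.1.0/24", soa, hosts))
    print("relative PTR targets:", relative_targets(SAMPLE_BAD_ZONE))
```

Running the linter over the generated zone returns an empty list, while the constructed bad zone reports line 5; the same check is cheap to run on any hand-edited reverse zone before reloading named.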
