Public / Private zones - assistance please

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 3 02:38:50 UTC 2000


Bruce Schuck wrote:

> joseph lang wrote:
>
> > The way I chose to deal with this problem is to run
> > two independent DNS servers. Inside includes all the
> > internal hosts and any external hosts in my domain.
> > The outside DNS only includes internet addressed hosts.
>
> > both DNS servers are configured as primary and know
> > nothing about the other.
> > hosts on the INTERNET use the outside servers
> > hosts on the inside network only use the inside servers.
> > inside DNS servers can query DNS root servers through the
> > firewall. (In your case NAT router).(UDP/TCP port 53 open)
>
> Joe,
>
> Thanks for the quick response, but here's my dilemma that I am trying
> to solve.  Having 2 servers, where the outside server knows nothing of
> the internal 10.0.0.0 network doesn't cut the mustard.
>
> I now have an internet email server.  Call it smtp.mydomain.com.  It
> also happens to be the external DNS server.  But I have two machines
> inside the firewall from which users will really get and send their
> email.  Call them mail1.mydomain.com and mail2.mydomain.com.  But for
> argument's sake, they have IP addresses of 10.10.10.10 and 10.10.20.10
> respectively.  Now these are behind the firewall and therefore I don't
> need their names to be advertised to the internet in general, but I
> need for the internet email server to be able to look them up for
> forwarding mail inside my domain.
>
> =snippet of /etc/aliases on smtp.mydomain.com (internet/public)=
> bschuck         bschuck at mail1.mydomain.com
> user2           user2 at mail2.mydomain.com
>
> Since my internal DNS server contains data for the outside hosts, I am
> using fetchmail to bring the email in for users who need it. And I
> relay all outgoing email through the internet email host. But I would
> rather not do it this way, at least I want to not use fetchmail.

Your Internet email server needs to have a "merged" view of both the
Internet and internal DNS. You should configure its resolver to point to
a nameserver with such a "merged" view. This could either be an internal
nameserver which forwards via a firewall for Internet names, or it could
even be a separate "private" instance of named on the mail/DNS server
itself, as we do, using the "listen-on" directive.


- Kevin
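As an added illustration of the two-instance approach Kevin describes (not configuration from the original post), here is what the split could look like in BIND named.conf syntax. The public address 192.0.2.10, the internal nameserver 10.10.1.53, and the file and path names are assumed placeholders.

```conf
# /etc/named-public.conf -- instance 1: the zone the Internet sees
# (added example; addresses and file names are placeholders)
options {
    directory "/var/named/public";
    pid-file  "/var/run/named-public.pid";   # separate pid so the two instances do not collide
    listen-on { 192.0.2.10; };               # public interface only
    recursion no;                            # authoritative answers only, no resolver for outsiders
};

zone "mydomain.com" {
    type master;
    file "mydomain.com.public";              # smtp, www, ... ; no 10.x hosts listed here
};

# /etc/named-private.conf -- instance 2: the "merged" view used by the local resolver
options {
    directory "/var/named/private";
    pid-file  "/var/run/named-private.pid";
    listen-on { 127.0.0.1; };                # loopback only, never reachable from outside
    allow-query { 127.0.0.1; };
};

zone "mydomain.com" {
    type slave;                              # copy the internal zone (mail1, mail2, ...)
    masters { 10.10.1.53; };                 # assumed internal nameserver
    file "mydomain.com.internal";
};

zone "." {
    type hint;
    file "root.hints";                       # everything else is resolved out through the firewall
};

# Start both (named -c /etc/named-public.conf ; named -c /etc/named-private.conf)
# and point the mail host's /etc/resolv.conf at 127.0.0.1 only.
```

To check the split, query mail1.mydomain.com once against 127.0.0.1 and once against 192.0.2.10: the loopback instance should answer with the 10.x address, and the public instance should return NXDOMAIN and refuse recursion.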
