Multiple domains on same ip (virtual hosting) - correct way?

Mathias Körber mathias at koerber.org
Fri Nov 10 15:47:19 UTC 2000


> I am overhauling the dns for a small server which has only 8 IP's.
>
> We have our main domain, cyberscreen.com, and then we carry a couple of
> dozen other domains that are virtual www hosts on two of those ip's.
>
> The virtual hosts are required to have email aliasing facilities, so we
> need an MX record for each.
>
> Up to now, we have accomplished this by having a separate zonefile and
> reverse file for each virtual host, but we now realise our reverse dns
> is incorrect.
>
> Here's what I mean:
>
> main zonefiles for cyberscreen.com:

Urgh, horrible formatting. I'll try and reform this a bit
to make it easier to look at (so the below is not an exact
quote of what you posted):

>
  $TTL 86400

> cyberscreen.com.    IN SOA ns1.cyberscreen.com. webmaster.cyberscreen.com. (
>                     2000110601 ; Serial
>                     10800      ;Refresh after 3 hours
>                     3600       ;Retry after 1 hour
>                     604800     ;Expire after 1 week
>                     86400 )    ;Minimum TTL 1day

actually, with BIND >= 8.2, the last is the negative caching TTL. You'll
need a $TTL 86400 on top of the zonefile for the default TTL. (see above)

>
> ;name servers
>
> cyberscreen.com.     IN NS ns1.cyberscreen.com.
> cyberscreen.com.     IN NS ns2.cyberscreen.com.
>
> ;Host addresses
>
> localhost.cyberscreen.com. IN A 127.0.0.1
> server.cyberscreen.com.    IN A 212.87.82.24
> media.cyberscreen.com.     IN A 212.87.82.25
> secure.cyberscreen.com.    IN A 212.87.82.26
> mail.cyberscreen.com.      IN A 212.87.82.27
> ns1.cyberscreen.com.       IN A 212.87.82.28
> ns2.cyberscreen.com.       IN A 212.87.82.29
>
> ;mail records
>
> cyberscreen.com.           IN  MX  10 mail.cyberscreen.com.
>
> ;Aliases
>
> www.cyberscreen.com.       IN CNAME server.cyberscreen.com.
> ftp.cyberscreen.com.       IN CNAME server.cyberscreen.com.
> pop3.cyberscreen.com.      IN CNAME mail.cyberscreen.com.
>
> and for the reverse mappings:
>
>
  $TTL 86400
> 24.82.87.212.in-addr.arpa. IN SOA ns1.cyberscreen.com. webmaster.cyberscreen.com. (
>                            20000110601 ; Serial
>                            10800       ;Refresh after 3 hours
>                            3600        ;Retry after 1 hour
>                            604800      ;Expire after 1 week
>                            86400 )     ;Minimum TTL 1 day
	Same comment here about the TTL!

> ;name servers
>
> 28.82.87.212.in-addr.arpa. IN NS ns1.cyberscreen.com.
> 29.82.87.212.in-addr.arpa. IN NS ns2.cyberscreen.com.

If your reverse zone is 24.82.87.212.in-addr.arpa, why are the
NS records here for 28 and 29? These should be 24.82.87.212.in-addr.arpa too!

>
> ;addresses to canonical names
>
> 24.82.87.212.in-addr.arpa. IN PTR server.cyberscreen.com.
> 25.82.87.212.in-addr.arpa. IN PTR media.cyberscreen.com.
> 26.82.87.212.in-addr.arpa. IN PTR secure.cyberscreen.com.
> 27.82.87.212.in-addr.arpa. IN PTR mail.cyberscreen.com.
> 28.82.87.212.in-addr.arpa. IN PTR ns1.cyberscreen.com.
> 29.82.87.212.in-addr.arpa. IN PTR ns2.cyberscreen.com.

So far so good !

> =======================
>
> then for each virtual host we have this:
>
  $TTL 86400
> abechi.co.uk. IN SOA ns1.cyberscreen.com. webmaster.abechi.co.uk. (
>               2000050401 ; Serial
>               10800      ;Refresh after 3 hours
>               3600       ;Retry after 1 hour
>               604800     ;Expire after 1 week
>               86400 )    ;Minimum TTL 1day
>
> ;name servers
>
> abechi.co.uk.   IN NS ns1.cyberscreen.com.
> abechi.co.uk.   IN NS ns2.cyberscreen.com.
>
> ;Host addresses
>
> ;are these needed if this is only a virtualhost
>
> ;mail records
>
> abechi.co.uk. IN MX 10 mail.cyberscreen.com.
>
If the users also should be able to receive mail as
	user@<whatever>.abechi.co.uk
you may need to add another MX record (a wildcard):

*.abechi.co.uk.	IN MX 10 mail.cyberscreen.com.

Make sure you tell your mail server to handle mail for
all possible hosts under abechi.co.uk as if they were for
abechi.co.uk too!

>
>
> ;Aliases
> ;as this is a virtual host, I assume www.virtualhost to be aliased
> ;back to the CNAME of the main server
>
> www.abechi.co.uk.  IN CNAME server.cyberscreen.com.
>
> ===============================================================
>
> Then this reverse mapping for each vhost:

You don't need these. You are duplicating your reverse zone
(do you have multiple zone statements in your named.conf for these?)
>
>
> 24.82.87.212.in-addr.arpa.  IN SOA ns1.cyberscreen.com. webmaster.abechi.co.uk. (
>                             2000050401  ; Serial
>                             10800       ;Refresh after 3 hours
>                             3600        ;Retry after 1 hour
>                             604800      ;Expire after 1 week
>                             86400 )     ;Minimum TTL 1day
>
> ;name servers
>
> 28.82.87.212.in-addr.arpa.  IN NS ns1.cyberscreen.com.
> 29.82.87.212.in-addr.arpa.  IN NS ns2.cyberscreen.com.
>
> ;addresses to canonical names
> ;one PTR record made only as this is a virtualhost.
>
> 24.82.87.212.in-addr.arpa. IN PTR server.cyberscreen.com.

This whole reverse zone is not needed. You already have one.
Reverse zones are per IP address block, not per domain that uses
them!

> ===================================
>
> Then in named.conf we have this:
>
> //zone entries for my FQDN
>
> zone "cyberscreen.com" {
>       type master;
>       file "cyberscreen.hosts";
>       };
>
> zone "24.82.87.212.in-addr.arpa"{
>       type master;
>       file "cyberscreen.reverse";
>       };
>
> zone "." {
>       type hint;
>       file "named.ca";
>       };
>
> zone "0.0.127.in-addr.arpa" {
>       type master;
>       file "local.reverse";
>       };
>
> //zone entries for virtual hosts referenced in Apache config.
>
> zone "abechi.co.uk" {
>       type master;
>       file "abechi.hosts";
>       };
>
> zone "24.82.87.212.in-addr.arpa"{
                                  ^missing space!
>       type master;
>       file "abechi.reverse";
>       };

You should get 'cannot redefine zone' (or something to that effect)
for this. Remove this zone entry, you already have the one above!

> Now, this set-up has actually worked for the last year, but I am aware
> that the reverse dns is incorrect (or worse)
>
> As we have got 24.82.87.212.in-addr.arpa. in each reverse file, which of
> course is a host and not a zone, the other ip's in cyberscreen.reverse
> are rejected as out of zone, and then the subsequent reverse files which
> also start with 24.82.87.212.in-addr.arpa. are rejected because we are
> getting "cannot redefine zone" errors.

Exactly. You don't need to set up a reverse for each forward zone, as they all use
the same IP address block!

>
> In practice, all the forward lookups have been working, all the websites
> have been accessible and indeed all the aliased email has been getting
> delivered (phew!)
>
> however, I believe that the latest version of sendmail automatically
> tries a reverse lookup on the sender of each message, and we have
> started to find that web forms (sent from our cyberscreen.com server)
> are being rejected by remote mailers running new sendmail because they
> can't do the reverse lookup properly (we think).

There should not be a problem there, because your DNS looks ok on this:

	A connection comes from 212.87.82.27 (mail)
	The remote sendmail looks up the reverse in your reverse zone, and it
	returns mail.cyberscreen.com.
	It then looks up mail.cyberscreen.com and finds 212.87.82.27, which matches.
	As such the sender mail server is sufficiently verified and the remote
	mailer should accept it.

	Newer sendmails complain if
	- The name found on the reverse lookup does not resolve again to the
	  IP address the connection comes from.
	- The sender's domain does not have an MX record for return mail.

	This *might* be your problem if your users get email sent to them at
	eg www.abechi.co.uk or any other subdomain of that domain. See the wildcard
	MX suggested above.

>
> So I guess, in a nutshell, the questions are:
>
> what is the correct notation for the reverse zone - it can't be
> 82.87.212.in-addr.arpa. because we only have 8 ip's on that network.
> Should it be 24-31.82.87.212.in-addr.arpa.?

The naming really depends on your parent (ISP)'s scheme. RFC2317 suggests
3 naming schemes, of which the one you seem to be using (24.82.87.212.in-addr.arpa)
is the oldest and most widely used. While the RFC was still a draft, other schemes
were suggested and a different scheme (I think the one you mention, 24-31.82...)
is recommended more, but it really depends on what the parent zone admin
decides to use.

>
> and:
>
> Do we really need separate zonefiles for each of the virtual hosts?

You need separate zonefiles for each of the virtual domains (forward).
You don't need to redefine the reverse domain over and over again
(in fact BIND ignores these as you found out).

>
> Any help or referral to a pre-existing faq greatly appreciated.

HTH

mathias
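The forward/reverse consistency that the reply walks through (PTR name resolving back to the connecting IP, and NS records belonging to the reverse zone apex) can be checked offline against zone data. This is an added example, not code from the thread or from BIND; it assumes records have already been parsed into simple (owner, type, rdata) tuples, and the sample data is constructed from the zone files quoted above.

```python
"""Forward/reverse consistency check for the zone data discussed above.

Added helper, not BIND tooling: records are (owner, type, rdata) tuples as
a zone-file parser would yield them. It flags PTR names that do not map
back to their IP (what newer sendmails check), A records without a PTR,
and NS records whose owner is not the reverse zone apex (the 28/29 slip).
"""

def reverse_name(ip):
    """212.87.82.24 -> 24.82.87.212.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_zones(forward, reverse, reverse_apex):
    """Return a list of problem descriptions; an empty list means consistent."""
    a_by_name = {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_by_name.setdefault(owner, set()).add(rdata)
    problems, ptr_owners = [], set()
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":
            ptr_owners.add(owner)
            ip = ".".join(reversed(owner.split(".")[:4]))  # 28.82.87.212 -> 212.87.82.28
            if ip not in a_by_name.get(rdata, set()):
                problems.append(f"PTR {owner} -> {rdata} does not map back to {ip}")
        elif rtype == "NS" and owner != reverse_apex:
            problems.append(f"NS {owner} is outside zone {reverse_apex}")
    for name, ips in a_by_name.items():
        for ip in ips:
            if not ip.startswith("127.") and reverse_name(ip) not in ptr_owners:
                problems.append(f"A {name} {ip} has no PTR")
    return problems

# Constructed sample from the thread's zone files, NS owner mistake included.
FORWARD = [
    ("server.cyberscreen.com.", "A", "212.87.82.24"),
    ("media.cyberscreen.com.", "A", "212.87.82.25"),
    ("secure.cyberscreen.com.", "A", "212.87.82.26"),
    ("mail.cyberscreen.com.", "A", "212.87.82.27"),
    ("ns1.cyberscreen.com.", "A", "212.87.82.28"),
    ("ns2.cyberscreen.com.", "A", "212.87.82.29"),
]
REVERSE = [("28.82.87.212.in-addr.arpa.", "NS", "ns1.cyberscreen.com."),
           ("29.82.87.212.in-addr.arpa.", "NS", "ns2.cyberscreen.com.")]
REVERSE += [(reverse_name(ip), "PTR", name) for name, _, ip in FORWARD]

if __name__ == "__main__":
    for p in check_zones(FORWARD, REVERSE, "24.82.87.212.in-addr.arpa."):
        print(p)
```

Running it against the quoted data reports only the two misplaced NS records; a PTR pointing at a name whose A record is a different address is reported the way a sendmail reverse check would reject it.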