New DNS setup

Kevin Darcy kcd at daimlerchrysler.com
Wed Apr 4 00:39:39 UTC 2001


Matthew P. Marino wrote:

> I've done this. I run BIND9 as a master for the zone. I use my ISP's name server
> as a "forwarder". I **DON'T** have the name servers registered with my ISP. That
> makes them authoritative for my zone as far as the internet is concerned so no
> queries from the internet get passed on. I also have a firewall that doesn't
> allow port 53 to flow past it from wan to lan.

(You could set an allow-query in the nameserver instead of, or in addition to, your
firewall rule).

> On the LAN my server thinks it's
> authoritative for the zone so it doesn't send user requests out unless it's
> someone else's stuff.
>
>   Most books (like Cricket's) won't outline that type of scenario because it's
> actually "broken".

Huh? What you're describing is covered in the "DNS and Internet Firewalls" section
of 3rd Edition, Chapter 15, and the sample 4th Edition chapter at
http://www.oreilly.com/catalog/dns4/chapter/ch11.html. There's nothing
"broken" about it. It's actually quite a common configuration. The only thing
you're doing slightly differently from the "shadow namespace" or -- as it's called
in 4th Edition -- "split namespace" diagram is that the master for the external
version of your domain is your ISP's nameserver instead of a box in your "perimeter
network". That's just a slight variation, and also I believe quite common.

> You can't use real internet IP's or you'll have to have an
> in-addr.arpa zone for a class "C" subnet that you don't own.

You could always use "private" addresses. See RFC 1918. Those are unroutable on the
Internet (in theory, at least) and you don't need to worry about having
"stolen" someone else's legitimate address range for your internal use. Just make
sure to define the appropriate reverse zone(s), e.g. 168.192.in-addr.arpa,
otherwise your reverse lookups may leak out onto the Internet and annoy Bill
Manning :-)


- Kevin

> Adam Lang wrote:
> >
> > I've been reading through Mr. Langfeldt's DNS book and have a few questions.
> >
> > I'm a company with about 100 people.  I have a dedicated ISP with PSINet.
> >
> > I am going to setup DDNS and DHCP internally.
> >
> > I want PSINet to host the master server to handle public accessible IP
> > addresses.  I want another server internally that will be used as a cache
> > and a DDNS and have the private IPs of the network.
> >
> > The server that I want to setup, what exactly is it called?  Is it a slave
> > server?
> > Are there problems with what I'm planning on setting up?
> > Any input/comments will be appreciated.
> >
> > Adam Lang
> > Systems Engineer
> > Rutgers Casualty Insurance Company
> > http://www.rutgersinsurance.com
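
The configuration points Kevin makes above (an allow-query on the internal server rather than relying only on the firewall, a forwarder to the ISP, and a reverse zone for every private range so PTR lookups do not leak out) as an added Python example; this is not code from the thread or from ISC. It generalises the one zone named in the reply, 168.192.in-addr.arpa, to the whole RFC 1918 space, which matters for 172.16.0.0/12 because that range needs sixteen separate /16 reverse zones. The `internal` ACL name, the `db.*` file names, the sample PTR query names and the 192.0.2.1 forwarder address are placeholders chosen for the example.

```python
import ipaddress

# RFC 1918 private ranges (taken from the RFC, not from the thread).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REV_SUFFIX = ".in-addr.arpa"


def reverse_zones(prefix):
    """in-addr.arpa zone names that cover an IPv4 prefix.

    Reverse zones are cut on octet boundaries, so a prefix is covered by the
    smallest set of octet-aligned blocks: 192.168.0.0/16 -> 168.192...,
    172.16.0.0/12 -> 16.172... through 31.172...  Prefixes longer than /24
    are rounded out to their /24 (RFC 2317 classless delegation not handled).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        raise ValueError("a default route has no reverse zone")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    target = -(-net.prefixlen // 8) * 8  # round up to the next octet boundary
    zones = []
    for sub in net.subnets(new_prefix=target):
        octets = str(sub.network_address).split(".")[: target // 8]
        zones.append(".".join(reversed(octets)) + REV_SUFFIX)
    return zones


def _covered(name, configured_zones):
    """True if name equals or lies below one of the configured zones."""
    name = name.rstrip(".").lower()
    for z in configured_zones:
        z = z.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            return True
    return False


def missing_reverse_zones(internal_prefixes, configured_zones):
    """Reverse zones the address plan needs that named.conf does not define."""
    needed = []
    for p in internal_prefixes:
        for z in reverse_zones(p):
            if not _covered(z, configured_zones) and z not in needed:
                needed.append(z)
    return needed


def ptr_leaks(query_names, configured_zones):
    """Reverse-lookup names in RFC 1918 space that no local zone answers.

    A server that is not authoritative for such a name forwards it to the
    ISP, which is exactly the leak the reply warns about.
    """
    leaks = []
    for q in query_names:
        name = q.rstrip(".").lower()
        if not name.endswith(REV_SUFFIX):
            continue
        octets = name[: -len(REV_SUFFIX)].split(".")
        if len(octets) != 4:
            continue
        try:
            addr = ipaddress.ip_address(".".join(reversed(octets)))
        except ValueError:
            continue
        if any(addr in n for n in RFC1918) and not _covered(name, configured_zones):
            leaks.append(q)
    return leaks


def named_conf_fragment(internal_prefixes, isp_forwarder):
    """BIND 9 named.conf text for the internal server: restrict queries to the
    LAN, forward everything else to the ISP, and be master for every reverse
    zone the plan needs.  ACL and file names are illustrative."""
    lines = ["acl internal { " + " ".join(p + ";" for p in internal_prefixes) + " };",
             "options {",
             "    allow-query { internal; localhost; };",
             "    forwarders { %s; };" % isp_forwarder,
             "};"]
    for p in internal_prefixes:
        for z in reverse_zones(p):
            db = "db." + z[: -len(REV_SUFFIX)]
            lines.append('zone "%s" { type master; file "%s"; };' % (z, db))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = ["192.168.0.0/16", "10.0.0.0/8"]
    configured = ["168.192.in-addr.arpa"]          # what named.conf has today
    print("missing:", missing_reverse_zones(plan, configured))
    # constructed sample PTR queries, as a query log would show them
    sample = ["5.1.168.192.in-addr.arpa", "7.0.0.10.in-addr.arpa",
              "4.3.2.1.in-addr.arpa"]
    print("would leak:", ptr_leaks(sample, configured))
    print(named_conf_fragment(plan, "192.0.2.1"))   # 192.0.2.1 = placeholder
```

Run it as-is and the first line reports that 10.in-addr.arpa is still undefined, the second shows the 10.0.0.7 lookup that would be forwarded to the ISP, and the fragment that follows is the zone list to drop into named.conf; a zone defined higher up the tree (10.in-addr.arpa) counts as covering anything below it, so a plan with several 10.x.0.0/16 subnets only needs the one /8 zone.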
