DNS resolution to private IP BIND server keeps resolving to public address...??

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Fri May 17 06:01:39 UTC 2002


Josh Klein <jk74 at att.net> wrote:

> OK - here's my issue:
> I needed to setup a DNS server internally. I used BIND on REDHAT 7.2.
> ng ok. This box is behind my firewall and has a private IP, however it
> is also setup to communicate with a public IP out on the web via a
> static NAT map through my firewall.

> Because this box is running sendmail and also needs to receive mail
> for a service I have running on there (WREQ help tracking), it's
> registered on the internet as well with my DNS provider so that it can
> receive email properly.

> The problem is that now sometimes my PC (private network), instead of
> picking up the private address of that DNS box, it resolves the public
> address instead and then cannot communicate because my firewall
> (Sonicwall) doesn't let internal hosts go out and communicate with a
> public address that is setup to be statically-mapped via NAT back
> through the firewall to an internally addressed box. So, when my PC
> tries to resolve that server it bombs if it uses the public address.

Is the public address expressed in other DNS servers only? And does
the rh server only contain the internal address?



> What's strange is that sometimes it resolves the private IP of that
> box and then it works perfectly. I have my primary DNS server set on
> my PC to be that of the internal address of the DNS server. The DNS
> server is also acting as a cache/forwarder so it will go out and
> return lookups for my PC and that is working.

> I don't know why sometimes it screws up and starts using the public
> address. I guess perhaps it's getting that from another DNS server and
> that's what is screwing things up.

Guessing is not enough; there seems to be a problem here that needs
resolving. Why do the clients _sometimes_ get the outside address?

> I have somewhat determined (through various readings, posts, etc) that
> I either need 2 DNS servers, one to cover the outside boxes I intend
> to have and one to cover the internal addresses...or I need something
> called a Split-Horizon DNS setup....something I've read that BIND is
> very tricky with and that perhaps another DNS server might do better
> at.

Split DNS _is_ the way. And bind does this well; bind-9 with views does it
excellently. Just read the manual.



> The other, and last thing I'm sure that could help me would be a local
> hosts file that just points to the private address of that
> server...however I don't want to have to maintain individual hosts
> files on all of my PC's here on my LAN.

Agree. Host files are evil.

> I'd appreciate comment and requests for additional information on this
> subject that you might need to help me figure this one out. Thanks.

> JK


-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
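The BIND 9 views setup Peter points at, written out as an added example (not from the thread or from the BIND documentation). Zone name, host name, address ranges and the forwarder address are assumptions chosen for illustration: zone example.com, host mail.example.com at private 192.168.1.10 on LAN 192.168.1.0/24, NAT-mapped to public 203.0.113.10.

```conf
// named.conf: split-horizon DNS with BIND 9 views (added example).
// Assumed values: LAN 192.168.1.0/24, private host 192.168.1.10,
// public NAT address 203.0.113.10, upstream forwarder 198.51.100.53.
// With views, EVERY zone must live inside a view; views are matched
// in order, so the LAN view must come before the catch-all one.

acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    allow-recursion { lan; };   // never recurse for the public side
};

// LAN clients: private address for the box, recursion via forwarder.
view "internal" {
    match-clients { lan; };
    recursion yes;
    forwarders { 198.51.100.53; };   // assumed ISP resolver
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        // in that file:  mail  IN A  192.168.1.10
    };
};

// Everyone else: public (NAT-mapped) address, authoritative only.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        // identical to the internal file except:  mail  IN A  203.0.113.10
    };
};
```

Check it with `named-checkconf` and then `dig @192.168.1.10 mail.example.com A` from a LAN host versus from outside: the answers should differ as above, and a LAN PC that still lists an outside resolver as its secondary DNS will keep getting the public address from it.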

