Apparent confusion between DNS zones and internal network IP assignments

George Walsh gjmwalsh at netscape.net
Sun Jul 27 07:46:34 UTC 2003


Single dual processor machine with 3 eth cards running under Mandrake
Linux 9.1 with Bind 9.2.2, Apache 2.0.47 and Sendmail 8.12.9-5.

3 registered URL sites point to the one external IP which is on eth2.

The idea is that each of the 3 sites would have a presence on
IP-aliased eth0, along with in-house workstations connected via a hub.
All incoming traffic for eth0 addresses would be prohibited from the
external internet, period.

Eth1 would handle the mail and www servers for each of the 3 sites,
all separately numbered with static IPs. (In the past, with a single
site, www and mail appeared in the /var/named db for that domain.) This
would constitute the DMZ with incoming traffic limited to Apache and
Sendmail needs.

My thinking was that splitting up traffic according to security issues
would make it easier to manage firewalling in the future. Furthermore,
because I want to use SSL with Apache2, I have to use IP based virtual
hosts rather than name based.

But when I try to effect this in terms of DNS/BIND, I quite honestly
become confused.

For example, in the case of domain1, I would assign 192.168.10.1 to
host.domain1.com (eth0), which is also identified as the local DNS
server. Is it correct to include in domain1's db record the IN A
records for mail (192.168.20.1) and www (192.168.20.2), which would
connect via eth2 and eth1:1 respectively? OR is it preferable to
renumber them as if they were on the same network (192.168.10.2 and
192.168.10.3)?

It seems to me that the first scheme makes it easier to identify the
traffic being carried by the IP number, while the second one would do
so by virtue of the card through which the traffic is funnelled. In
either case, I like to feel firewalling applied later will have a
better chance to do its thing.

The second scheme means I can live with a zone for each domain we are
serving. The first one presents challenges in the reverse named files
that I cannot see how I can resolve without setting up a separate file
for each and every IP.

I freely admit I have gone around and around on this far too long. I'd
really appreciate some kind soul putting the brakes on this
merry-go-round of mine so I can regain my life, or at least the
creative side of it!

My sincerest thanks for sharing your insights with me.

George
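An added example, not from George's post, of how the first scheme would look as BIND 9 zone data, using the names and addresses from the post; the hostmaster address, the file names and the serial are assumed. Each RFC 1918 /24 gets its own reverse zone, so two reverse files cover every address in the post rather than one file per IP.

```zone
; ---- /etc/named.conf (fragment; named.conf itself uses "//" comments) ----
; zone "domain1.com"             { type master; file "domain1.com.zone"; };
; zone "10.168.192.in-addr.arpa" { type master; file "192.168.10.rev"; };
; zone "20.168.192.in-addr.arpa" { type master; file "192.168.20.rev"; };

; ---- /var/named/domain1.com.zone : forward zone, first scheme ----
$TTL 86400
$ORIGIN domain1.com.
@       IN SOA  host.domain1.com. hostmaster.domain1.com. (
                2003072701 ; serial (YYYYMMDDnn, assumed)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; negative-cache TTL
        IN NS   host.domain1.com.
        IN MX   10 mail.domain1.com.
host    IN A    192.168.10.1    ; eth0 alias, internal LAN and local DNS
mail    IN A    192.168.20.1    ; DMZ address
www     IN A    192.168.20.2    ; DMZ address

; ---- /var/named/192.168.10.rev : reverse zone for the internal /24 ----
$TTL 86400
$ORIGIN 10.168.192.in-addr.arpa.
@       IN SOA  host.domain1.com. hostmaster.domain1.com. (
                2003072701 3600 900 604800 86400 )
        IN NS   host.domain1.com.
1       IN PTR  host.domain1.com.

; ---- /var/named/192.168.20.rev : reverse zone for the DMZ /24 ----
$TTL 86400
$ORIGIN 20.168.192.in-addr.arpa.
@       IN SOA  host.domain1.com. hostmaster.domain1.com. (
                2003072701 3600 900 604800 86400 )
        IN NS   host.domain1.com.
1       IN PTR  mail.domain1.com.
2       IN PTR  www.domain1.com.
```

These files carry private addresses, so they belong in a view served only to the internal workstations; the zone that answers the outside world should list the eth2 address instead. Each file can be syntax-checked with `named-checkzone <zone name> <file>` before reloading named.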

