"Abusing" BIND DNS Server as Networked HOSTS File...

Kevin Darcy kcd at daimlerchrysler.com
Tue May 25 00:36:32 UTC 2004


Axel Werner wrote:

>Hi there Newsgroup!
>
>I got a problem today and didn't find a solution yet. Maybe you guys can help
>me out a bit.
>
>
>Problem is, my host uses multiple hostnames and does have multiple domains.
>Some for EXTERNAL (internet side) use, some for internal (LAN) use.
>
>So my gateway/router is called "gateway.dyndns.org" from the Internet side
>and "gateway.lan" on the LAN side. For the LAN clients I put a BIND 9.x DNS
>server on that gateway too, to FORWARD non-local requests to the ISP's DNS and to
>resolve local requests for all networked clients. BUT...
>
>but my gateway/router itself is called (HOSTNAME) "gateway.dyndns.org"
>(/etc/hosts etc.).
>
>The gateway does do routing+NAT (masq) on the internet IF PPP0.
>
>Now, if a networked client does a name resolution like "nslookup gateway.lan"
>it will say "192.168.0.1", as is right. But if the client asks for
>"gateway.dyndns.org" the client will get the PUBLIC IP of the
>gateway server on its PPP0 IF.
>
>Now, I would like the DNS to return to the clients its LAN address instead of its
>EXT IF address. BUT it should not think that it is MASTER server of a zone
>called "dyndns.org" or something. So I guess it's no good idea to put an
>additional zone called "dyndns.org" on it, right?
>
>But is there any "quick n dirty" solution to fix that? Can I modify the
>[ROOT].zone file for example and add one or two of these DynDNS hostnames
>there with an "A" record?
>
>Any suggestions?
>
No, a root zone won't help here. You can't skip zone levels like that. 
If you add a gateway.dyndns.org record in a private root zone, the 
nameserver would assume that that's the only entry under dyndns.org and 
so it would be as bad or worse than defining a private dyndns.org itself.

Instead, define gateway.dyndns.org as its own zone. Same for any other 
names for which you may want to "spoof" name resolution. Just make sure 
none of this spoofing is visible to Internet DNS clients. If at some 
point you decide you want to serve some Internet zones, and you don't 
have budget for another nameserver, you could look into using the "view" 
feature to serve up different data to different sets of clients (or do 
it the older way by having multiple BIND instances listening on 
different interfaces).

You may also want to consider not forwarding to your ISP's nameservers, 
if you have a choice in the matter. Frequently, forwarding doesn't 
deliver the performance benefits that people expect. Doing your own 
iterative resolution also makes you less dependent on your ISP's 
nameservice.

- Kevin
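An added worked configuration illustrating the two techniques Kevin describes (a single-name authoritative zone for gateway.dyndns.org, and the "view" feature to keep that override off the Internet side). This is example configuration written for this page, not Kevin's or Axel's actual setup and not a fragment from the BIND documentation; the hostnames and the 192.168.0.0/24 network come from the question above, while the ISP resolver address 203.0.113.53, the file names, and the serial number are placeholders assumed here.

```conf
// ---- named.conf (added example; paths and the forwarder IP are assumptions) ----
options {
    directory "/var/named";
    // Forwarding to the ISP as Axel describes; Kevin notes that plain
    // iterative resolution (no forwarders) is often just as fast and less
    // dependent on the ISP. 203.0.113.53 is a placeholder, not a real resolver.
    forwarders { 203.0.113.53; };
    forward only;
    listen-on { 127.0.0.1; 192.168.0.1; };   // LAN side only, never the PPP0 address
    allow-query { 127.0.0.1; 192.168.0.0/24; };
};

// Ordinary internal zone for the LAN name.
zone "gateway.lan" {
    type master;
    file "gateway.lan.zone";
};

// The override: a zone whose apex IS the single hostname. BIND treats it as
// authoritative for exactly "gateway.dyndns.org" and nothing else under
// dyndns.org, so other dyndns.org names still go out through the forwarders.
// Contrast with an A record in a private root zone, which would make this
// server authoritative for the whole namespace and answer NXDOMAIN for
// everything it did not list.
zone "gateway.dyndns.org" {
    type master;
    file "gateway.dyndns.org.zone";
};

// ---- gateway.dyndns.org.zone (added example) ----
// $TTL 3600
// $ORIGIN gateway.dyndns.org.
// @   IN SOA  gateway.lan. hostmaster.gateway.lan. (
//             2004052501 ; serial (placeholder)
//             3600       ; refresh
//             900        ; retry
//             604800     ; expire
//             3600 )     ; negative-cache TTL
//     IN NS   gateway.lan.
//     IN A    192.168.0.1     ; the LAN address the clients should see

// ---- Variant with views, for a server that also serves Internet zones ----
// Once any view is declared, BIND 9 requires EVERY zone (the hint zone
// included) to live inside a view, so the two zone statements above would
// move into "internal" and the whole "options" block above would be trimmed
// of listen-on/allow-query to let the external view be reached.
//
// view "internal" {
//     match-clients { 127.0.0.1; 192.168.0.0/24; };
//     recursion yes;
//     forwarders { 203.0.113.53; };
//     zone "gateway.lan"        { type master; file "gateway.lan.zone"; };
//     zone "gateway.dyndns.org" { type master; file "gateway.dyndns.org.zone"; };
// };
//
// view "external" {
//     match-clients { any; };      // everyone not matched above, i.e. the Internet
//     recursion no;                // never recurse for strangers
//     // only genuinely public zones here; the gateway.dyndns.org override is
//     // absent, so Internet clients get the real DynDNS answer from DynDNS
//     zone "example-public-zone.invalid" { type master; file "public.zone"; };
// };
```

To check the result after a `named-checkconf` and `named-checkzone gateway.dyndns.org gateway.dyndns.org.zone` pass: from a LAN client, `dig @192.168.0.1 gateway.dyndns.org A` should return 192.168.0.1, while `dig @192.168.0.1 www.dyndns.org A` (any other name under dyndns.org) should still resolve through the forwarders rather than returning NXDOMAIN. That second query is the test that distinguishes a correct single-name zone from the "skip a zone level" root-zone approach Kevin warns against. With views, repeating the first query from the PPP0 side (or from a host outside 192.168.0.0/24) should give the public address or a refusal, never the 192.168.0.1 override.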