Please help me set up DNS/Bind 9

Kevin Darcy kcd at daimlerchrysler.com
Thu Dec 15 00:23:34 UTC 2005


Ben Abrams wrote:

>I have a fresh install of Red Hat ES 4.0 and want to set up DNS to use internally.  We have a NAT-ed network with a single outside IP address.  We do email internally for about 70 users.  I want the machines within our network to query our internal DNS for the resolution of machines internally with internal addresses (192.168.2.xxx), but then use our ISP's DNS for resolution of anything outside our network.  
>
Would you be *forced* to use your ISP's nameservers, or would you be 
free to query Internet nameservers as you wish? If you have to use your 
ISP's nameservers, you'd set up a classic "forwarding" configuration, 
but generally speaking you get better performance and reliability if you 
just bypass your ISP's nameservers and query the Internet DNS directly. 
That would be called a "caching-only" or a "hints-file-based" configuration.

>There would not be any outside queries to our DNS server.  
>
OK, good. How is that enforced? Are you relying *only* on the nameserver 
configuration to prevent this, or do you have firewalls, 
intrusion-detection/-prevention systems, routing limitations, etc. that 
prevent these queries from getting in and/or the responses going back 
out? You can certainly put "allow-query { 192.168.2.0/24; }" in your 
config, but I'd be nervous if that is the *only* line of defense I had 
against unauthorized querying.

>Bind 9 is installed, but I'm very confused as to how to set it up to do what I want it to - and which files to change.  Please forgive my misuse of any DNS lingo.  Also, what type of DNS server do I need in this setup...master? slave?
>
A single BIND instance can be master for some zones, slave for others, 
stub for others, forward for others, and so on. Ultimately, those terms 
apply to zones, not whole servers. In this case, I'd expect that you'd 
be master for your own zones, and you'd either a) forward to your ISP's 
nameservers for resolution of everything else, or b) use the Internet 
root hints file to get the information from Internet nameservers 
yourself. See discussion above.

- Kevin
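The configuration Kevin sketches, written out as an added example (this is not from the thread, and not a configuration either poster supplied): a single BIND 9 `named.conf` that is master for the internal forward and reverse zones, restricts queries and recursion to 192.168.2.0/24, and shows both option (a), forwarding to the ISP, and option (b), resolving from the root hints. The zone name `example.internal`, the listen address 192.168.2.1, the zone file names and the forwarder addresses (203.0.113.x, a documentation range) are placeholders to be replaced with the site's own values.

```conf
// Added example, not from the original mailing-list post.
// Zone name, file names, listen address and forwarder addresses are
// placeholders; the 192.168.2.0/24 prefix is the one named in the thread.
options {
    directory "/var/named";

    // Only internal clients may query this server or ask it to recurse.
    // As the reply notes, this is one layer only: inbound 53/udp and 53/tcp
    // should also be blocked at the firewall so the ACL is never the sole control.
    allow-query     { 192.168.2.0/24; 127.0.0.1; };
    allow-recursion { 192.168.2.0/24; 127.0.0.1; };
    listen-on       { 192.168.2.1; 127.0.0.1; };   // placeholder internal address

    // Option (a), "forwarding": uncomment only if the ISP's resolvers must be used.
    // forwarders { 203.0.113.53; 203.0.113.54; };  // placeholder ISP resolvers
    // forward only;
    //
    // Option (b), "caching-only"/hints-based: leave forwarders unset and BIND
    // walks the Internet DNS itself starting from the root hints zone below.
};

// Root hints: required for option (b); harmless if option (a) is enabled.
zone "." IN {
    type hint;
    file "named.ca";
};

// Internal forward zone: this server is master for it.
zone "example.internal" IN {
    type master;
    file "example.internal.zone";
    allow-update { none; };   // no dynamic updates from clients
};

// Reverse zone for the internal 192.168.2.0/24 range.
zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.2.rev";
    allow-update { none; };
};
```

Before reloading, `named-checkconf /etc/named.conf` validates the syntax, and `named-checkzone example.internal /var/named/example.internal.zone` checks each zone file. Keeping `allow-recursion` alongside `allow-query` matters because a server that recurses for anyone who can reach it is what turns a "nobody queries us from outside" assumption into an open resolver if the firewall rule is ever lost.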



