Please help me set up DNS/Bind 9
Kevin Darcy
kcd at daimlerchrysler.com
Thu Dec 15 00:23:34 UTC 2005
Ben Abrams wrote:
>I have a fresh install of Red Hat ES 4.0 and want to set up DNS to use internally. We have a NAT-ed network with a single outside IP address. We do email internally for about 70 users. I want the machines within our network to query our internal DNS for the resolution of machines internally with internal addresses (192.168.2.xxx), but then use our ISP's DNS for resolution of anything outside our network.
>
Would you be *forced* to use your ISP's nameservers, or would you be
free to query Internet nameservers as you wish? If you have to use your
ISP's nameservers, you'd set up a classic "forwarding" configuration,
but generally speaking you get better performance and reliability if you
just bypass your ISP's nameservers and query the Internet DNS directly.
That would be called a "caching-only" or a "hints-file-based" configuration.
>There would not be any outside queries to our DNS server.
>
OK, good. How is that enforced? Are you relying *only* on the nameserver
configuration to prevent this, or do you have firewalls,
intrusion-detection/-prevention systems, routing limitations, etc. that
prevent these queries from getting in and/or the responses going back
out? You can certainly put "allow-query { 192.168.2.0/24; }" in your
config, but I'd be nervous if that is the *only* line of defense I had
against unauthorized querying.
>Bind 9 is installed, but I'm very confused as to how to set it up to do what I want it to - and which files to change. Please forgive my misuse of any DNS lingo. Also, what type of DNS server do I need in this setup...master? slave?
>
A single BIND instance can be master for some zones, slave for others,
stub for others, forward for others, and so on. Ultimately, those terms
apply to zones, not whole servers. In this case, I'd expect that you'd
be master for your own zones, and you'd either a) forward to your ISP's
nameservers for resolution of everything else, or b) use the Internet
root hints file to get the information from Internet nameservers
yourself. See discussion above.
- Kevin
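The set-up Kevin describes, written out as a named.conf: an added example, not part of his reply or any Red Hat default. The zone name `example.internal`, the server's LAN address `192.168.2.1`, the ISP nameserver placeholders `192.0.2.10`/`192.0.2.11`, and the zone file names are all assumptions; the forwarders block is option (a) and the root hint zone is option (b), so you keep one of the two.

```conf
// Added example, not from the original reply: a minimal /etc/named.conf for
// an internal-only BIND 9 server. Assumed values:
//   example.internal      - hypothetical internal zone name
//   192.168.2.1           - this server's own LAN address
//   192.0.2.10, 192.0.2.11 - placeholders for the ISP's nameservers
acl "lan" { 192.168.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Bind only to the LAN interface and loopback, so the daemon is not
    // listening on the outside interface at all. This is one layer; keep the
    // firewall dropping inbound 53/udp and 53/tcp from outside as another.
    listen-on { 192.168.2.1; 127.0.0.1; };

    // Answer queries from, and recurse on behalf of, the internal network only.
    allow-query     { "lan"; };
    allow-recursion { "lan"; };

    // Option (a): classic forwarding. Everything this server is not
    // authoritative for goes to the ISP; "forward only" means no fallback to
    // the root hints. Delete these two lines to use option (b) instead.
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// Option (b): caching-only / hints-file-based resolution. With the forwarders
// above removed, named resolves Internet names itself, starting from the root
// servers listed in named.ca (shipped with the bind package).
zone "." IN {
    type hint;
    file "named.ca";
};

// Your own forward zone: this server is master for it.
zone "example.internal" IN {
    type master;
    file "example.internal.zone";
    allow-update { none; };
};

// Reverse zone for 192.168.2.0/24, also master here, so internal PTR
// lookups never leak to the ISP.
zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.2.rev";
    allow-update { none; };
};

// Loopback zones, as in the stock Red Hat configuration.
zone "localhost" IN { type master; file "localhost.zone"; };
zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; };
```

Check the syntax with `named-checkconf /etc/named.conf` and each zone file with `named-checkzone example.internal /var/named/example.internal.zone` before restarting named; both tools ship with BIND 9. If the bind-chroot package is installed on Red Hat, the live copy of the file is under `/var/named/chroot/etc/`, not `/etc/`. The `listen-on` and `allow-query` lines together are what Kevin's "not the only line of defense" comment is about: they stop the server from serving outsiders, but a packet filter on the NAT box should still block port 53 from the outside independently.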