internal external ?

Kevin Darcy kcd at daimlerchrysler.com
Fri Oct 7 22:00:28 UTC 2005 

RYAN vAN GINNEKEN wrote:

>Hello all i am having some troubles with my dns
>
>here is the scenario
>
>I have a cable modem supplied by my isp with 2 connections to the inet 
>one rj45 the other usb also i have 2 static ip's
>ip address # 1 is my FreeBSD box that has an 192.168.0.202 internal and 
>external 68.x.x.1 address this box is called computerking.ca among other 
>things and controls my internal LAN firewall etc.  I have this machine 
>set up with internal and external views using bind it also controls 
>several other domains namely canmail.org
>ip address # 2 is my  new Fedora/email server with an external address 
>of 68.x.x.2 and is not hooked to my LAN in anyway (that i am aware)
>
>I can access the Freebsd boxes domains both internally and externally 
>however i can only access the canmail.org domain from outside my LAN 
>why?  Do i need an internal record for it? I realize that i need to add 
>internal records for domains that are hosted by the computerking.ca 
>server but canmail.org is not on the LAN and has its own ip address. 
>Actually i have to add internal records now as my slave server is broken 
>when slave is operating properly i can get to all domains without problems.
>
>I have added the internal record for canmail and everything seems to 
>work but i am confused why is canmail.org internal? sorry for the 
>possibly silly post but i am curios as to what is going on.
>
>
>$TTL 3600
>
>canmail.org. IN SOA ns1.computerking.ca. root.computerking.ca. (
>        2005100701      ; SERIAL
>        1200            ; SOA REFRESH
>        120             ; SOA RETRY
>        1209600         ; SOA EXPIRE
>        3600 )          ; SOA MINIMUM TTL or Negative caching TTL
>
>;------------------------------------------------------------------------------
>; NAME SERVERS (the name @ is implied)
>;------------------------------------------------------------------------------
>canmail.org.            IN NS           ns1.computerking.ca.
>canmail.org.            IN NS           ns1.shoemasters.com.
>
>;------------------------------------------------------------------------------
>; MAIL EXCHANGERS
>;------------------------------------------------------------------------------
>canmail.org.            IN MX           5  mx1.canmail.org.
>canmail.org.            IN MX           10 mail1.computerking.ca.
>canmail.org.            IN MX           20 mail1.shoemasters.com.
>
>;------------------------------------------------------------------------------
>; ADDRESSES FOR THE CANOCICAL NAMES ( A records)
>;------------------------------------------------------------------------------
>canmail.org.            IN A            68.146.204.153
>mx1.canmail.org.      IN A              68.146.204.153
>www.canmail.org.     IN A         68.146.204.152
>
>;------------------------------------------------------------------------------
>; ALIASES
>;------------------------------------------------------------------------------
>mail.canmail.org.               IN CNAME        www.canmail.org.
>mm.canmail.org.                 IN CNAME        www.canmail.org.
>
>;==============================================================================
>;end of file
>
I'm not sure what you mean by "the internal record"? You indicated that 
the canmail.org box isn't multi-homed, so you can't mean that you added 
an A record for its "internal" address (e.g. 192.168.x.x) to an internal 
version of a canmail.org zone. So what exactly do you mean by "the 
internal record"?

One thing you should double-check is that the names of both of the 
delegated nameservers for canmail.org (ns1.computerking.ca and 
ns1.shoemasters.com) are resolvable from the internal view, and that 
whatever those names resolve to are actually queriable from the internal 
view. Sometimes, for various reasons -- firewalls, NAT, load-balancers, 
whatever -- nameservers have trouble talking to themselves on their 
externally-visible addresses. In such cases, either you have the 
delegated nameservers resolve the name from each other (the fact that 
your slave is down might explain why resolution stopped working), you 
define the relevant zone(s) explicitly in the internal view (e.g. as 
master, slave, forward), or at least you define a zone in the internal 
view that resolves the externally-visible name of the nameserver to its 
internal address, thus effectively "overriding" what is in the external DNS.

                                                                         
                                                - Kevin

More information about the bind-users mailing list