Master ns on internal lan

Torinthiel torinthiel at data.pl
Sun Mar 20 11:14:04 UTC 2011


On 03/20/11 11:13, x_bind-users_x at nospam.pz.podzone.net wrote:
> Hi,
> 
> I'm trying to figure out how to configure my nameservers so that the
> master can reside on an internal LAN *only* address.
> 
> I already have it configured such that the master is (almost) hidden
> while residing on a public IP.  So I should present that first:
> 
[cut]
> 
> As you can see, ns0 isn't quite totally hidden - it shows up in the
> SOA record.  I tried using ns1 in the SOA but then ns1/ns2 failed to
> update correctly when the zone file was updated on ns0.  I never
> figured that out and don't see it as a big deal from a privacy POV but
> I accept that probably it's not optimally configured.

And solving your main problem will probably solve this as well.


> Now on to my question. ;-)
> 
> Ideally I would like to manage the zones on a main internal server,
> which would serve the internal LAN (including an internal-only zone)
> as well as somehow keeping the public slaves up to date.  Part reason
> for this is a policy to shift all internal services onto the LAN and
> away from the DMZ.
> 
> This is the plan:
> 
> main.mydomain.net - Internal LAN only.
> 
> ns0.mydomain.net - Gateway/firewall, public IP (ADSL) + internal LAN.
> 
> ns1.mydomain.net - Public nameserver.
> 
> ns2.mydomain.net - Public nameserver.
> 
> main acts as master for ns0 slave. (and serves dns for the lan)
> 
> ns0 acts as master for ns1/ns2 slaves. (and serves dns for the dmz)
> 
> This is the problem, I cannot see how to configure the SOA and conf
> files such that zone updates will be notified main -> ns0 -> ns1/ns2.

try putting this in config:
on main:
zone "mydomain.net" {
    type master;
    ...
    // address_match_lists take IP addresses, prefixes, ACL or key names,
    // not hostnames: substitute ns0's address for ns0.mydomain.net
    allow-transfer { ns0.mydomain.net; };
    also-notify { ns0.mydomain.net; };
};

on ns0:
zone "mydomain.net" {
    type slave;
    ...
    // substitute the hosts' IP addresses (or key/ACL names) for the hostnames
    allow-notify { main.mydomain.net; };
    allow-transfer { ns1.mydomain.net; ns2.mydomain.net; };
    also-notify { ns1.mydomain.net; ns2.mydomain.net; };   // terminating ';' was missing
};


on ns1/2:
zone "mydomain.net" {
    type slave;
    ...
    // substitute ns0's address (or a key/ACL name) for the hostname
    allow-notify { ns0.mydomain.net; };
};

The allow-notify makes slave servers accept notify messages from
someone that's not listed as master in SOA. Putting this on ns1/2 will
probably solve your first issue, with ns0 not completely hidden.

also-notify makes bind send notify messages to those servers. Probably
also-notify on ns0 is not needed, as ns1/2 are listed in zone as NS. But
on main it will be needed, as ns0 is not listed as NS for your domain.

If you want to put ns1 at SOA as master, then you'd also need notify no
at ns1 (so it won't send notifies at all), and notify-to-soa yes at ns0
(so it will send notify to ns1).

Oh, and I really hope ns0.mydomain.net has a static IP address even though
it has ADSL. If not, you can either use ip/length or (even better) use
TSIG keys as authentication.

Regards,
 Torinthiel
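The chain Torinthiel describes (main -> ns0 -> ns1/ns2), written out with the TSIG authentication he recommends at the end instead of bare address ACLs. This is an added illustration, not configuration from the thread or from ISC; the IP addresses (192.0.2.x for the LAN, 198.51.100.x and 203.0.113.x for the public side), the file paths and the key names are placeholders, and the secrets have to be generated locally (for example with tsig-keygen) and pasted identically on both ends of each link.

```conf
// ===== main.mydomain.net : hidden master, internal LAN only =====
key "main-ns0" {
    algorithm hmac-sha256;
    secret "<base64 secret shared with ns0>";   // placeholder, generate your own
};

// Sign every message sent to ns0 (NOTIFY and AXFR/IXFR answers).
server 192.0.2.1 {                              // ns0's LAN address (assumed)
    keys { "main-ns0"; };
};

zone "mydomain.net" {
    type master;
    file "master/mydomain.net";                 // assumed path
    notify explicit;                            // notify only the also-notify list,
                                                // not the public NS set, which cannot reach main
    also-notify { 192.0.2.1; };
    allow-transfer { key "main-ns0"; };         // key-based, so a spoofed source address is not enough
};

// ===== ns0.mydomain.net : LAN + public; slave of main, master for ns1/ns2 =====
key "main-ns0"   { algorithm hmac-sha256; secret "<same secret as on main>"; };
key "ns0-public" { algorithm hmac-sha256; secret "<second secret, shared with ns1/ns2>"; };

server 192.0.2.10   { keys { "main-ns0"; }; };   // main's LAN address (assumed)
server 198.51.100.1 { keys { "ns0-public"; }; }; // ns1 public address (assumed)
server 198.51.100.2 { keys { "ns0-public"; }; }; // ns2 public address (assumed)

zone "mydomain.net" {
    type slave;
    file "slave/mydomain.net";
    masters { 192.0.2.10 key "main-ns0"; };     // pull from main with a signed request
    allow-notify { key "main-ns0"; };           // accept NOTIFY from main although it is not the SOA MNAME
    notify explicit;
    also-notify { 198.51.100.1; 198.51.100.2; };
    allow-transfer { key "ns0-public"; };
};

// ===== ns1.mydomain.net and ns2.mydomain.net : public slaves of ns0 =====
key "ns0-public" { algorithm hmac-sha256; secret "<same secret as on ns0>"; };
server 203.0.113.5 { keys { "ns0-public"; }; };  // ns0's public address (assumed)

zone "mydomain.net" {
    type slave;
    file "slave/mydomain.net";
    masters { 203.0.113.5 key "ns0-public"; };
    allow-notify { key "ns0-public"; };
    allow-transfer { none; };                   // public slaves answer queries but never hand out the whole zone
};
```

Each hop uses its own key, so a compromised public slave learns nothing that lets it pull from main, and main never needs a public address at all. After reloading, watch the ns0 and ns1/ns2 logs for "received notify" and "transfer of 'mydomain.net' ... completed" after bumping the serial on main; a notify that arrives unsigned or with the wrong key is refused, which is the failure mode the allow-notify { key ... } entry is there to catch.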
