Re: Modified Split DNS Question

On Thu, 09 Oct 2003, Jake McHenry wrote:

> One other question. I only have one dns server as of right now, behind a
> firewall. Any machines that are behind the firewall with the server are
> going to that server for dns, which is pointing to a public IP.
> 
> This is why I wanted to set the search and domain to search for the private
> stuff first.
> 
> The only way I have been able to get around the public IP showing up in the
> logs for what should be the private machines is putting the ip and domain
> names in the hosts files on the client machines.
> 
> Does anyone know of a way to get around using the hosts files on each
> individual machine?

Jake,

I'm trying to get a handle on what you're trying to do.  Are you trying
to set up a DNS server that serves both public and private queries?  In
other words, do you want to configure it so that when other machines
behind your firewall query for something.nittanytravel.com, it'll
return their private addresses and when clients on the outside, from the
Internet, query for something.nittanytravel.com, it'll return your
public address(es)?  This is indeed called split DNS.

To do this, you'll use the "view" statements in BIND (9?).  Roughly, this is
how you'd do it...

// Views are tried in the order written; the first whose match-clients
// covers the querying address wins, so the private view must come first.
view "internal" {
   match-clients {
      192.168.1.0/24;   // your LAN: gets the private addresses
   };
   zone "nittanytravel.com" {
      type master;
      file "nt-private";
   };
};
view "external" {
   match-clients {
      any;              // everyone else, i.e. the Internet
   };
   zone "nittanytravel.com" {
      type master;
      file "nt-public";
   };
};

This is assuming that nt-private will hold the private DNS info for
nittanytravel.com and nt-public holds the public DNS info.  It's also
assuming that your private network is 192.168.1.0/24.

You also might want to configure the server to only allow recursive
queries from your internal clients.  Add the following to your options
section:

allow-recursion {
   192.168.1.0/24;   // outside clients get authoritative answers only
};

(BTW, if you do this single server config, you probably should have some
sort of DNS "proxy" in front of the firewall that'll forward valid queries
through to the real DNS server and configure the fw to only allow port 53
traffic through to your DNS server from the DNS proxy.  This might not
be possible if you only have a single IP address.)

HTH,
pete


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
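An added sanity check for the view setup above (my own example, not code from the thread): it parses a small named.conf fragment modelled on pete's, works out which view a given client address would land in using BIND's first-match rule, flags views that are shadowed by an earlier catch-all `any`, and reports whether recursion is left open to the world. The config text and addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed named.conf fragment: private view first, public catch-all second.
NAMED_CONF = """
options {
   allow-recursion { 192.168.1.0/24; };
};
view "internal" {
   match-clients { 192.168.1.0/24; };
   zone "nittanytravel.com" { type master; file "nt-private"; };
};
view "external" {
   match-clients { any; };
   zone "nittanytravel.com" { type master; file "nt-public"; };
};
"""

VIEW_RE = re.compile(r'view\s+"([^"]+)"\s*\{.*?match-clients\s*\{([^}]*)\}', re.S)

def parse_views(conf):
    """Return [(view_name, [acl entries])] in the order BIND evaluates them."""
    return [(name, [e.strip() for e in body.split(";") if e.strip()])
            for name, body in VIEW_RE.findall(conf)]

def acl_matches(entries, client_ip):
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def select_view(conf, client_ip):
    """First view whose match-clients covers the client wins, as in BIND."""
    for name, entries in parse_views(conf):
        if acl_matches(entries, client_ip):
            return name
    return None

def unreachable_views(conf):
    """Views listed after a catch-all 'any' view can never be selected."""
    names, seen_any = [], False
    for name, entries in parse_views(conf):
        if seen_any:
            names.append(name)
        seen_any = seen_any or "any" in entries
    return names

def recursion_open(conf):
    """True if allow-recursion is absent or 'any': an open resolver."""
    m = re.search(r'allow-recursion\s*\{([^}]*)\}', conf)
    return m is None or "any" in [e.strip() for e in m.group(1).split(";")]
```

Swapping the two views (or putting `any` in the internal view) makes `unreachable_views` report the public view, which is the symptom of every internal client suddenly resolving to the public address.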
