BIND and named

wuboy (Member, joined Feb 28, 2002)

hi folks,

i'm not sure about how to solve this issue, so i thought i'd ask it here...

let's say i have a DNS server that is authoritative for a specific zone, but it is behind a firewall and being NATed. the server would be a master DNS server if it weren't being NATed.

now, logically, i think i would have to create separate zone files for the internal network and the external network. in this case, i would probably need to run two separate instances of named...

does anybody know whether this is possible? or more specifically, whether my thinking is correct...

thanks.
 

ScottMac (Moderator, Networking, Elite member, joined Mar 19, 2001)
I'm pretty sure you only run a single instance of bind / named, you just need to declare the zones within the DNS config files. If my (clouded) memory serves me right, the common way of doing that is to point to a separate file for each zone from the master named config / db file.

FWIW

Scott


 

n0cmonkey (Elite Member, joined Jun 10, 2001)
There is a reason why ScottMac is Elite

If my "I'm not getting kernel panics right now, thank god!" mind is reading his statement correctly, he is right.

db.internal.net for internal
db.external.net for external
db.10.100.0 for internal
db.212.212.212 for external

(something like that, don't feel like opening the bind bible or an ssh connection )
 

Nothinman (Elite Member, joined Sep 14, 2001)
It's possible to run 2 copies of bind, some products such as Secure Computing's SideWinder firewall do this for added security, but it's not necessary by any means. You would just need 1 bind config file per instance of bind.
 

wuboy (Member, joined Feb 28, 2002)

thank you to the elite and to the platinum!

ok, i am understanding it a little more, but i was a little confused by what n0cmonkey wrote.

please forgive my ignorance, but i might need a little more clarification.



<<
db.internal.net for internal
db.external.net for external
db.10.100.0 for internal
db.212.212.212 for external
>>

so according to the logic, i would have to declare the zone files within ONE named.conf file, and then define each of the zone files in my /var/named directory, or whichever directory i specify.

now, everything makes sense to me, except... let's say i have a zone... foo.stupidwuboy.org.
in my named.conf file, i will specify the zone file for foo.stupidwuboy.org... but i will have to specify two files for this zone? one for the internal, one for the external? is it possible to do that? and then i put these files into the directory that i specify?

i am understanding it more, thanks to your help... but i think there is this small obstacle that i need to figure out for implementation.

thanks all!
 

Pheran (Diamond Member, joined Apr 26, 2001)
wuboy,

If I'm understanding your question correctly, you're going to need two separate systems, one for external DNS and one for internal.

While it is possible to run more than one instance of BIND, it generally won't do you much good because only one of them will be able to listen on UDP/TCP port 53, the standard DNS port. You could run another instance on a nonstandard port, but no client would ever be able to talk to it unless it had been hacked/configured somehow to use that nonstandard port. The only way I can think of that this would be useful is if your NAT router had a feature that would actually forward incoming port 53 requests to a different port number, but that's a feature I haven't seen before.

A single instance of BIND can certainly serve multiple zones (which is what n0cmonkey is referring to), but there's no way you can serve a single zone with two conflicting sets of info (i.e. the internal and external IP addresses). If you don't mind putting your LAN systems into a different domain (it could even be a subdomain of your registered domain), you can make it work that way. It depends quite a bit on what you are trying to accomplish.
 

wuboy (Member, joined Feb 28, 2002)

pheran,
thanks for your suggestions
i'll clarify some things...



<<
If I'm understanding your question correctly, you're going to need two separate systems, one for external DNS and one for internal.
>>

I was thinking of taking this route, but we don't have enough boxes to accomplish this... however, there are still some caveats that i need to smooth out in order to use this solution as well...

<<
A single instance of BIND can certainly serve multiple zones (which is what n0cmonkey is referring to), but there's no way you can serve a single zone with two conflicting sets of info (i.e. the internal and external IP addresses).
>>

YAH! that's what i was thinking also! however, somehow i think there is some way to do it... hm.

FWIW, i think what i'm trying to accomplish is something of a split DNS. i did a little research on it, and it could be a solution, but i haven't implemented it yet to know for certain.

the reason i need this information is... i need to set up two... yes TWO... m$ *gasp!* boxes... that are running active directory. furthermore, i will need to have workstations join the domains of these boxes and be part of these domains. now, research tells me that AD is based a lot on DNS, so i want to figure out the best way to get this to work. this entails having internal machines (the AD machines behind a firewall) being able to authenticate public (not private) workstations.

it is not my choice to do this! but it is an environment that i was forced to use in order to get workstations up and running.

frustrating, to say the least!
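The split DNS setup discussed in this thread is what BIND 9's view statement does: one named process answers foo.stupidwuboy.org from a different zone file depending on the querying client's source address. This is an added example, not configuration from anyone in the thread; the 10.100.0.0/24 network, the directory and the file names are assumptions.

```conf
// Added example, not from the thread: split-horizon DNS with BIND 9 views.
// One named process, one zone name, two zone files. The first view whose
// match-clients list matches the querying address answers, so the internal
// view must come before the catch-all external view. With views in use,
// every zone statement (root hints, localhost, ...) must also live inside a view.
// The 10.100.0.0/24 network and the file names are assumptions.

acl "internal-nets" {
    10.100.0.0/24;      // assumed LAN behind the NAT
    127.0.0.1;
};

options {
    directory "/var/named";
    recursion no;       // default for every view unless a view overrides it
};

view "internal" {
    match-clients { internal-nets; };
    recursion yes;                        // LAN hosts may use it as a resolver
    allow-recursion { internal-nets; };
    zone "foo.stupidwuboy.org" {
        type master;
        file "db.foo.stupidwuboy.org.internal";   // private (RFC 1918) addresses
    };
};

view "external" {
    match-clients { any; };
    recursion no;                         // never an open resolver to the Internet
    zone "foo.stupidwuboy.org" {
        type master;
        file "db.foo.stupidwuboy.org.external";   // public addresses on the NAT box
        allow-transfer { none; };         // list your secondary here if you have one
    };
};
```

Check the syntax with named-checkconf, then query the same name with dig from a LAN host and from outside the firewall and confirm that each side sees only its own address set, so the private addresses never leak to the external view.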
 

n0cmonkey (Elite Member, joined Jun 10, 2001)
OpenBSD can redirect port 53 traffic to another port just fine. But I doubt that's a solution you are going to look at
 

wuboy (Member, joined Feb 28, 2002)

n0cmonkey,

haha thanks. if it were up to me, i would try it... i use FreeBSD at home as my gateway.
but at work i need to stick with Red Hat. oh well.

at any rate, it's not a problem of redirecting the port 53, i can do that fine with iptables. i believe my problem is in the split DNS configuration. i have some sort of bastardized case that i can't find anywhere...

thanks n0c! i want to try out OpenBSD sometime in the future, so if i have questions i will ask you
 

n0cmonkey (Elite Member, joined Jun 10, 2001)


<< n0cmonkey,

haha thanks. if it were up to me, i would try it... i use FreeBSD at home as my gateway.
but at work i need to stick with Red Hat. oh well.
>>

I'm sorry

<< at any rate, it's not a problem of redirecting the port 53, i can do that fine with iptables. i believe my problem is in the split DNS configuration. i have some sort of bastardized case that i can't find anywhere... >>

Check out djbdns (at http://cr.yp.to). It may be able to handle this better.

<< thanks n0c! i want to try out OpenBSD sometime in the future, so if i have questions i will ask you >>

I'll be here.
 