Advanced BIND stuff - some help needed

I'm trying to do something with BIND and DNS that I'm not sure is possible.

I run the DNS for a domain. Currently, the DNS is run on a box somewhere in the states and serves as the authoritative nameserver. However, some of the hosts in the domain are at my home, behind a NAT. I wish to use the same domain to address those hosts at home.

The problem comes because, if I just have the authoritative external nameserver, I can't put my RFC1918 addressed internal hosts in the zone file - anyone requesting an internal name would get a 192.168.0.0/24 address. Therefore, if I want to keep the same domain for internal hosts, I need to run another nameserver on my internal network for the same domain. This lists both the internal and external hosts for that domain.

So, currently, if a random host on the internet looks up x.growse.com, they ask the external nameserver. If a host on my network looks up x.growse.com, they ask my internal nameserver, which claims to be authoritative for growse.com.

It's a bit of an issue trying to keep the external hosts list consistent between the internal and the external ns - if I make a change on the external one, I need to make the same change on the internal ns so that internal hosts can see it. What I'm really after is probably one of two things:

1) Make my internal NS a slave of the external master, but then extend that domain somehow to include private hosts that only should be resolved inside the network (don't know if BIND can do this?)

2) Make my internal NS a hidden primary for the domain, and get the external NS to be a slave to it. No-one else on the internet uses my internal NS as a resolver (it's hidden). Using BIND's views, I think I still need two separate zone files though, which is what I'm trying to avoid.

So, how do I do this?
 
Hi

I had a play around with setting up a DNS server and DNS caching 2-3 years ago. As I recall it was very easy to set up the TinyDNS and DNSCache software by Daniel J. Bernstein. He also wrote qmail, which is the backend mail server software used by the likes of Yahoo!!

Tiny DNS

I recall there was a mailing list (or Forums) that was quite helpful when I got stuck.

BIND is hard to setup and has a lot of security vulnerabilities (like allowing recursive DNS lookups).

Bob
 
Well, I played with djb's DNS stuff a while back, and it wasn't for me - I didn't find it as functional or as easy to set up. I also dispute the statement "has a lot of security vulnerabilities" - it's got its fair share, but I think it's disingenuous to imply that it's got a disproportionate amount. (Don't get me started on qmail though - the bane of the internet :p).

I've still not had any luck solving this issue - I think I'm doomed to maintain two separate but very similar zone files for a while to come yet.
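One way to stop the two zone files drifting apart, as an added example that is not code from this thread: keep a single list of public records plus an overlay of internal-only records, and render both zone files from them. Before the external file is written it is checked for RFC 1918 addresses, so a LAN address can never be published to the internet. The record names, the 203.0.113.0/24 and 192.168.0.0/24 addresses and the serial are constructed placeholders.

```python
"""Generate matching internal and external zone files from one record source.

Added example, not code from the thread: the public records live in one list,
internal-only records in an overlay, and both zone files are rendered from
them, so the external and internal copies cannot drift apart. Before the
external zone is written it is checked for RFC 1918 addresses, so a LAN
address is never published to the internet. All names, addresses and the
serial below are constructed placeholders.
"""
import ipaddress

# RFC 1918 private ranges that must never appear in the public zone.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample records as (owner name, type, rdata). 203.0.113.0/24 is
# a documentation range standing in for real public addresses.
PUBLIC_RECORDS = [
    ("ns0", "A", "203.0.113.2"),
    ("@", "A", "203.0.113.10"),
    ("www", "A", "203.0.113.10"),
    ("mail", "A", "203.0.113.20"),
    ("@", "MX", "10 mail"),
]

# Records that only the internal server should ever answer for. An overlay
# entry with the same owner and type as a public record replaces it, so LAN
# clients can be sent straight to a host's private address.
INTERNAL_OVERLAY = [
    ("ns1", "A", "192.168.0.2"),
    ("nas", "A", "192.168.0.5"),
    ("printer", "A", "192.168.0.6"),
    ("www", "A", "192.168.0.10"),
]


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def leaked_private(records):
    """A records whose address is private; must be empty for the public zone."""
    return [r for r in records if r[1] == "A" and is_private(r[2])]


def merge(public, overlay):
    """Public records plus the overlay; the overlay wins on (owner, type)."""
    shadowed = {(name, rtype) for name, rtype, _ in overlay}
    kept = [r for r in public if (r[0], r[1]) not in shadowed]
    return kept + list(overlay)


def render_zone(origin, serial, ns, records):
    """Render a minimal BIND zone file: SOA, NS, then the given records."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 3600",
        f"@ IN SOA {ns}.{origin}. hostmaster.{origin}. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS {ns}.{origin}.",
    ]
    lines += [f"{name} IN {rtype} {rdata}" for name, rtype, rdata in records]
    return "\n".join(lines) + "\n"


def build_zones(origin, serial, public, overlay, ext_ns="ns0", int_ns="ns1"):
    """Return (external_zone, internal_zone) text, refusing to leak private addresses."""
    leaks = leaked_private(public)
    if leaks:
        raise ValueError(f"refusing to publish private addresses externally: {leaks}")
    external = render_zone(origin, serial, ext_ns, public)
    internal = render_zone(origin, serial, int_ns, merge(public, overlay))
    return external, internal


if __name__ == "__main__":
    ext, internal = build_zones("growse.com", 2024010101, PUBLIC_RECORDS, INTERNAL_OVERLAY)
    print("--- external (ns0) ---\n" + ext)
    print("--- internal (ns1) ---\n" + internal)
```

Run it and copy the two outputs to the respective servers (or feed them to `named-checkzone` first); editing one record list then regenerating both files replaces the manual double edit described above.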
 
Would it not be easier to have skewed domain names for the internal addresses? That is, x-int.growse.com? (int meaning internal of course)

That's how we work it, and if it's only you who's going to be accessing the machines internally then it's probably the easiest way to go about it.

However, I'm sure you can do what you want in the way you describe. I have a limited knowledge of DNS, but surely if your internal DNS server claimed to be authoritative for growse.com (and had the relevant entries for such), and your machines were set to look to that for their DNS, the server would give out the internal IPs for addresses it knew (i.e. any under growse.com) and look to a root server for any it didn't.

Apologies if I've just been stupid :)
 
I don't think so. If I don't have an entry in my internal zone file for a host that's listed in the external zone file, internal hosts can't resolve it. Because the internal DNS server claims to be authoritative for growse.com, any request for an entry not listed there gets returned as not found. If there was a way to flag the zone and say "if not found, go over here instead", that'd be great, but I can't find that.

The only way to achieve it that I can see is to have a different domain on the inside, like int.growse.com. Then my internal domain server could be authoritative for int.growse.com, so each host would be host.int.growse.com. ext-host.growse.com requests would get forwarded to the external one, and resolve correctly.

I'm going to give this a go and see if it works...

How big is your internal network?

Quite small - 7-8 hosts.
 
I run my mail and web servers from home (no I'm not cheap as the leccy costs more than hosting)

Here's how I do it.

NS0 for the world. (Master/caching your domains with public IP addresses)

NS1 for local LAN users. (Master/caching your domains with private IP addresses)

DO NOT master/slave them and why you would want to is beyond me.

For a LAN user all domains are resolved by NS1 (ie your local domains take priority), if it can't resolve, the machine automatically forwards the request to either NS0 or your ISPs as per your configuration.

Yes it does mean you run two separate nameds and have to administrate them separately but on the plus side if you only have 1 ip address you can easily failover services like mail/web onto different machines without having to worry about DNS changes... ;)

All fun stuff
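The two-server layout described above, written out as an added pair of named.conf fragments that are not the poster's own configuration. It assumes a 192.168.0.0/24 LAN, the int.growse.com internal zone discussed earlier in the thread, and a placeholder upstream resolver address. The recursion settings are the part worth checking: an authoritative server that also answers recursive queries for anyone is the open-resolver problem raised earlier.

```conf
// Added example, not the poster's configuration. Two separate files:
// one per server. LAN 192.168.0.0/24 and the resolver address are placeholders.

// ===== /etc/named.conf on NS1 (internal, hidden from the internet) =====
options {
    directory "/var/named";
    // Only LAN hosts may ask this server to recurse; nobody else can even query it.
    allow-query     { 127.0.0.1; 192.168.0.0/24; };
    allow-recursion { 127.0.0.1; 192.168.0.0/24; };
    // Names this server is not authoritative for (including the public
    // growse.com hosts) are passed to a trusted recursive resolver, e.g. the ISP's.
    forwarders { 203.0.113.53; };   // placeholder upstream resolver
    forward only;
};

// Private addresses live only in this zone. It could equally be "growse.com"
// with private addresses, as the post above does, but then every public host
// must be listed here too or LAN clients will get NXDOMAIN for it.
zone "int.growse.com" {
    type master;
    file "int.growse.com.zone";
    allow-transfer { none; };
};

// ===== /etc/named.conf on NS0 (public, authoritative only) =====
options {
    directory "/var/named";
    recursion no;                   // never recurse for anyone: not an open resolver
    allow-transfer { none; };       // open up only to a real secondary, by address or TSIG key
};

zone "growse.com" {
    type master;
    file "growse.com.zone";         // public addresses only, no RFC 1918 entries
};
```

`named-checkconf` validates each file before reloading; querying NS0 from outside for a name it is not authoritative for should return REFUSED (or no recursion), which confirms the `recursion no` line took effect.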
 