DNS setup for a one-machine DMZ

Barry Margolin barmar at bbnplanet.com
Fri Oct 8 14:57:12 UTC 1999


In article <37FD1A27.18B3B7B1 at vizdom.com>,
John Lacey  <johnl at vizdom.com> wrote:
>I probably just stew about such things too much, but I am having
>trouble deciding how to configure a one-machine DMZ. That machine
>will run pretty much all the usual suspects: www, ftp, mail
>gateway, primary external DNS. That leads to up to five names for
>the one machine: www, ftp, mail, ns, and vizdom.com.
>
>I'm planning on splitting the DNS between the internal and
>external network. The DMZ machine's names will be the only things
>in the external DNS.
>
>1. The www, ftp, and vizdom.com names are justified by being
>well-known names that people use and remember. Having ns gives me
>something reasonably stable to register with InterNIC. Is there a
>good reason, or indeed any reason, to have a separate name for
>the mail gateway, or should I just point the MX record at one of
>the other names?

It's best for MX to point to the name that the machine knows itself as,
i.e. what the "hostname" command displays (if it's Unix).  The same thing
goes for NS records, although I think modern versions of BIND are pretty
good at dealing with alternate names (they check whether the A record
points to one of its own addresses).

>2. Presumably ns goes in the SOA record?

It doesn't really matter what you put in the SOA record, since nothing
important uses it.

>3. Which name should the PTR record point at?

Whatever name you want to show up when someone translates the address to a
name.  It must have an A record.

>4. Should I use A or CNAME for the aliases? (I know I need to
>have A records for the SOA and MX hosts, but what about www, ftp,
>and particularly vizdom.com?)

The domain itself can't be a CNAME record, because of the rule against
CNAME records having other records (in this case, the SOA and NS records).
NS and MX records have to point to A records, but the others can be CNAME
records.  My general recommendation is to use CNAMEs whenever feasible.

>5. Is there anything special about listing the domain itself
>(vizdom.com) in the DNS? Some sites do this, and others don't.
>I'm doing it for the reason I suppose most people do these days,
>so that people can get to our web site if they leave off the www.

No, there's nothing special about it.

>6. I don't have the actual machine name listed anywhere in the
>external DNS. Are there any problems with this?

As I mentioned above, mail servers and DNS servers often work best if the
MX and NS records point to the name the machine knows itself as.  This
prevents them from trying to loop back to themselves if something goes
wrong with the DNS or mail configuration and they try to follow the MX/NS
records.

>7. I have seen split DNS configurations where the firewall host
>runs a secondary DNS but I'm just using a router between the
>internal and external networks. I can't think of a way to
>configure the DNS so that the DMZ machine can see both the
>internal and external DNS. I'm not sure it needs to see the
>internal DNS at all, however. The only reason I can think of is
>for the mail gateway, which I should be able to configure using
>IP addresses.

Put the address of the internal DNS in the DMZ machine's /etc/resolv.conf.
The internal DNS should use "forwarders" to forward queries for external
names to the DMZ machine.  

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
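The rules Barry gives above (a name carrying SOA/NS, i.e. the apex, cannot also be a CNAME; NS and MX must point at names with A records rather than CNAMEs; a PTR target needs an A record) can be checked mechanically. The checker below is an added example, not code from the thread; the sample zone for the one-machine DMZ and its 192.0.2.x addresses are constructed.

```python
"""Check a zone against the DNS rules discussed in the thread:
   - a name with a CNAME may carry no other records (so the apex,
     which carries SOA and NS, cannot be a CNAME),
   - NS and MX targets must have A records and must not be CNAMEs,
   - a PTR target must have an A record.
Records are (owner, type, rdata) tuples with fully qualified names."""

# Constructed sample zone modelled on the one-machine DMZ in the post;
# everything lives on one host that calls itself ns.vizdom.com.
SAMPLE_ZONE = [
    ("vizdom.com.",      "SOA",   "ns.vizdom.com. hostmaster.vizdom.com. 1 3600 900 604800 86400"),
    ("vizdom.com.",      "NS",    "ns.vizdom.com."),
    ("vizdom.com.",      "MX",    "10 ns.vizdom.com."),
    ("vizdom.com.",      "A",     "192.0.2.10"),   # apex A: reachable without "www"
    ("ns.vizdom.com.",   "A",     "192.0.2.10"),   # the machine's own hostname
    ("www.vizdom.com.",  "CNAME", "ns.vizdom.com."),
    ("ftp.vizdom.com.",  "CNAME", "ns.vizdom.com."),
    ("mail.vizdom.com.", "CNAME", "ns.vizdom.com."),
]


def check_zone(records, ptr_target=None):
    """Return a list of problem descriptions; an empty list means all rules hold."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, {}).setdefault(rtype, []).append(rdata)

    problems = []
    for owner, rrsets in by_owner.items():
        # Rule 1: CNAME must be alone at its owner name (covers the apex).
        if "CNAME" in rrsets and len(rrsets) > 1:
            others = sorted(t for t in rrsets if t != "CNAME")
            problems.append(f"{owner}: CNAME coexists with {others}")
        # Rule 2: NS and MX targets need an A record and must not be CNAMEs.
        for rtype in ("NS", "MX"):
            for rdata in rrsets.get(rtype, []):
                target = rdata.split()[-1]          # MX rdata is "<pref> <target>"
                target_rrs = by_owner.get(target, {})
                if "CNAME" in target_rrs or "A" not in target_rrs:
                    problems.append(f"{owner} {rtype} -> {target}: needs an A record, not a CNAME")
    # Rule 3: the PTR target must itself have an A record.
    if ptr_target is not None and "A" not in by_owner.get(ptr_target, {}):
        problems.append(f"PTR -> {ptr_target}: target has no A record")
    return problems


if __name__ == "__main__":
    for line in check_zone(SAMPLE_ZONE, ptr_target="ns.vizdom.com.") or ["zone OK"]:
        print(line)
```

Pointing the MX at mail.vizdom.com (a CNAME) instead of ns.vizdom.com is exactly the case the checker reports.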