Simple dual dns question...

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 27 19:24:13 UTC 2000


marc wrote:

> Hey guys,
>
>    I just bought the O'Reilly book and have been searching the
> archives, but alas I have not found a suitable answer for a simple
> configuration issue. I have a DNS server running for my internal
> network. I'm running FreeBSD on a dual homed machine. One interface
> is my private network, and another the big bad internet. I am running
> fwtk (a Gauntlet derivative) on my firewall and everything is peachy.
> However, now I want to run a webserver. My question is which is the
> better way to approach this: using the listen-on directive and enter
> my external ip and info in my named.conf file or run two copies of
> named. I have not found a lot of info on the tradeoffs between the two
> or even example config files.. I guess I need an external and internal
> nameserver.. Can anyone kinda walk me along? Perhaps with example
> named.conf and associated files?

Run multiple instances on the firewall:

The "private" instance listens on loopback and (optionally) the internal
interface. It is configured with an Internet root hints file, so that it
can resolve Internet names, and has "stub" definitions for the apex of
each internal domain, e.g. example.com , foo.org, so it can resolve all
internal names as well.

The "public" instance only listens on the external interface. It too is
configured with an Internet root hints file, although this is not likely
to ever be used for answering queries. All of the external versions of
your zones are defined as master in this instance, and recursion is
heavily restricted (either restrict to just loopback and
(optionally) your own extranet, via "allow-recursion", or turn recursion
off completely via "recursion no"). If you're exceptionally paranoid, you
could restrict even *iterative* queries via "allow-query", but this seems
rather overkill since the only zones on the instance are the ones you
*want* to serve, and the root zone, which is also public knowledge. Plus,
when disallowing queries by default, the CLASS=ANY bug of BIND will cause
certain legitimate queries to be refused, and the refusals to be logged,
which is a minor annoyance.

In order to keep the instances from stomping on each other, they'll need
different values in the "listen-on", "directory" and "pid-file" options.
Optionally, you may wish to separate their logging via a "logging"
statement, and if you use "ndc" to control the nameservers, you'll have
to configure instance-specific aspects of that as well.

- Kevin
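A pair of named.conf files laid out the way Kevin describes, as an added example that is not part of the original post. The addresses (10.0.0.1 internal, 192.0.2.1 external, 10.0.0.2 as the internal master), the file paths, and the zone names are assumptions; every option used here is one the reply names.

```conf
// ---- /etc/namedb/named-private.conf : the "private" instance ----
// Listens only on loopback and the internal interface; resolves Internet
// names via root hints and internal names via stub zones (assumed values).
options {
    directory "/var/named/private";
    pid-file "/var/run/named-private.pid";
    listen-on { 127.0.0.1; 10.0.0.1; };
    allow-query { 127.0.0.1; 10.0.0.0/24; };
    recursion yes;
};
logging {
    channel private_log { file "/var/log/named-private.log"; severity info; };
    category default { private_log; };
};
zone "." { type hint; file "root.hints"; };
// Stub zones: only the apex NS records are fetched from the internal master.
zone "example.com" {
    type stub;
    masters { 10.0.0.2; };
    file "stub/example.com";
};
zone "foo.org" {
    type stub;
    masters { 10.0.0.2; };
    file "stub/foo.org";
};

// ---- /etc/namedb/named-public.conf : the "public" instance ----
// Listens only on the external interface, serves the external versions
// of the zones as master, and does no recursion for anyone.
options {
    directory "/var/named/public";
    pid-file "/var/run/named-public.pid";
    listen-on { 192.0.2.1; };
    recursion no;   // alternative: allow-recursion { 127.0.0.1; };
};
logging {
    channel public_log { file "/var/log/named-public.log"; severity info; };
    category default { public_log; };
};
zone "." { type hint; file "root.hints"; };
zone "example.com" {
    type master;
    file "master/example.com.external";
};
zone "foo.org" {
    type master;
    file "master/foo.org.external";
};
```

Each instance is started with its own file (`named -c /etc/namedb/named-private.conf` and likewise for the public one), and because the directory, pid-file, listen-on and log channels differ, the two processes never collide. An external host can only reach the public instance, which holds nothing but the external zone data and a root hints file it never needs to consult.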