Newbie - config questions

Tilman Schmidt Tilman.Schmidt at
Wed Mar 1 12:08:18 UTC 2000

At 11:10 01.03.00 +1100, Bryan Tonnet wrote:
>I see.  From what you say below, however, the internal BIND should
>contain all known addresses (real or IP masqueraded), whilst the ISP has
>only the subset of 'real' addresses?

Correct so far.

> > Personally, I prefer to have full control over my domain, so I would
> > always make my own server the primary and have the ISP's servers as
> > secondaries. But if it is more practical for you to have your zone
> > files maintained by your ISP, that's ok too.
>If I make an internal machine the primary, and ask the ISP to secondary
>the zone, how do I stop the 192.168.x.y addresses from being xfer-ed up
>to the ISP.

You can't. You need two separate primaries, one containing only the
externally visible part of the zone (in your case, the subset of 'real'
addresses, if I understand correctly) and serving the world, and the
other containing the complete zone (both externally visible and private
entries) and serving only your own network. If you want to run the
first one yourself you end up running two nameservers in parallel.
That's what I am doing here, btw.

>Which machine would be my primary?  An internal machine would be IP
>masqueraded, and not accessible from the ISP's secondary BIND, and a
>perimeter net machine might be more vulnerable to attack.  Or am I being
>too paranoid on this latter point?

There are ways around both of these problems. Personally I think it's
safe enough to run it on a properly secured perimeter net machine, and
indeed that's what I do. (Of course you'll have to keep up with current
security advisories concerning BIND, but you do that anyway, don't you?)
Alternatively, you can run it on an internal machine and forward requests
to it through your firewall in a variety of ways such as NAT or a slave

>What I meant however,
>was the domain by itself.  e.g. nslookup from outside
>resolves to our gateway machine, but the same from internal gets an
>immediate error.  I've tried A and CNAME records to no avail.

In the setup we are discussing, the zones visible from inside your
network and from the outside are completely independent, so it is a
priori not unreasonable for the same query to resolve from outside but
not from inside. Also, the domain itself is in no way special in that
respect. Verify which nameserver the nslookup from the inside actually
uses, then verify that server's configuration. Perhaps you forgot the
trailing dot in your A or CNAME record, thereby unintentionally
creating an entry for

Tilman Schmidt          E-Mail: Tilman.Schmidt at (office)
Sema Group Koeln, Germany       tilman at (private)
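The two-primary setup Tilman describes (an external zone with only the 'real' addresses, served to the world and the ISP's secondary, and a complete internal zone served only to the private network) depends on keeping the two zone files consistent by hand. The script below is an added example, not part of the original thread or of BIND; it uses constructed zone data and a deliberately minimal zone-file parser (A and CNAME records only, `$ORIGIN` honoured, other record types ignored) to run three defender-side checks: RFC 1918 addresses that would be transferred to the ISP if they sit in the external zone, CNAME targets missing the trailing dot (the mistake suggested at the end of the reply, shown with the name BIND would actually use), and external A records the internal zone does not also carry.

```python
"""Sanity checks for a split-DNS setup with two primaries (added example, not from
the original thread). Zone data below is constructed for illustration."""
import ipaddress
import re

# Constructed sample: the externally visible zone (what the ISP's secondary would transfer).
EXTERNAL_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@        IN SOA   ns1.example.com. hostmaster.example.com. (2000030101 3600 900 604800 86400)
@        IN NS    ns1.example.com.
@        IN NS    ns.isp.example.
@        IN A     203.0.113.10
ns1      IN A     203.0.113.10
www      IN A     203.0.113.10
ftp      IN A     203.0.113.11
mail     IN A     192.168.1.5          ; private address that slipped into the external zone
intranet IN CNAME gateway.example.com  ; missing trailing dot
"""

# Constructed sample: the complete internal zone (real and private addresses).
INTERNAL_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA   ns-int.example.com. hostmaster.example.com. (2000030101 3600 900 604800 3600)
@          IN NS    ns-int.example.com.
@          IN A     203.0.113.10
ns-int     IN A     192.168.1.2
ns1        IN A     203.0.113.10
www        IN A     203.0.113.10
mail       IN A     192.168.1.5
gateway    IN A     192.168.1.1
intranet   IN CNAME gateway.example.com.
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# owner, optional TTL, optional class, type (A or CNAME only), rdata
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|CNAME)\s+(\S+)$")


def qualify(name, origin):
    """Fully qualify a name the way BIND does: '@' is the origin, a trailing dot
    means absolute, anything else gets $ORIGIN appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_zone(text):
    """Return (owner, type, rdata, origin) tuples for A and CNAME records."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((qualify(owner, origin), rtype, rdata, origin))
    return records


def private_leaks(records):
    """A records with RFC 1918 addresses; in the external zone they would be
    zone-transferred to the ISP along with everything else."""
    return [(owner, rdata) for owner, rtype, rdata, _ in records
            if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in PRIVATE_NETS)]


def unqualified_cnames(records):
    """CNAME targets without a trailing dot, paired with the name BIND will really use."""
    return [(owner, rdata, qualify(rdata, origin)) for owner, rtype, rdata, origin in records
            if rtype == "CNAME" and not rdata.endswith(".")]


def external_not_in_internal(external, internal):
    """External A records the internal zone does not carry with the same address;
    the internal zone is meant to hold every known address, real or private."""
    internal_a = {(o, r) for o, t, r, _ in internal if t == "A"}
    return [(o, r) for o, t, r, _ in external if t == "A" and (o, r) not in internal_a]


if __name__ == "__main__":
    ext, internal = parse_zone(EXTERNAL_ZONE), parse_zone(INTERNAL_ZONE)
    for owner, addr in private_leaks(ext):
        print(f"external zone exposes private address: {owner} -> {addr}")
    for owner, target, effective in unqualified_cnames(ext):
        print(f"CNAME {owner} target '{target}' lacks trailing dot; BIND will use {effective}")
    for owner, addr in external_not_in_internal(ext, internal):
        print(f"external record {owner} {addr} is missing from the internal zone")
```

Run against the constructed data it reports the leaked `mail` address, the `intranet` CNAME whose target becomes `gateway.example.com.example.com.`, and the `ftp` record present only in the external zone; the same three functions can be pointed at real zone files after extending the parser to the record types in use.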
