Classified System/Isolated Nameserver

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 4 22:33:01 UTC 2000


Just set up an internal root zone. This is a very common configuration,
even when the organization is -- like us -- behind proxy firewalls as
opposed to being completely isolated.

You'll need one or (preferably) more nameservers to serve the root zone,
one as master and the rest, if any, as slaves. You could throw your entire
namespace into this root zone, if you want, or, if you want to break it up
into separate zones, just delegate down from the root zone (e.g.
in-addr.arpa, com, mil, whatever) as per normal. Any nameserver which
already has a zone definition for root, e.g. as master or slave, cannot and
does not need to define the root zone as type "hint". But any other servers
which need to resolve names in this namespace should have a hints file
listing the masters and slaves of your internal root zone.

Another tip: if you have only 1 root nameserver, then BIND will probably
complain a lot unless you specify "min-roots 1" in your options clause.


- Kevin

bob wrote:

> We are trying to set up an isolated name server similar to a localnet or
> 192.x.x.x or 10.x.x.x network, yet for certain reasons we need to use
> real IP numbers. They will never see the light of the Internet, however.
> They will run within military simulations. I have been able to set up
> named so that it responds to nslookup when /etc/resolv.conf contains
> nameserver 0.0.0.0. However, when I try to use 129.190.x.x, it fails. I
> removed the references to the root servers file. And set up the zones
> and such in a similar manner to a working server. But it is failing to
> *bind* to the local ethernet IP.
> There must be a way to do this. I have seen references to an RFC that
> deals with localnet/detached DNS systems, but it didn't help me that
> much. Are there any links or resources or tips someone can provide me
> with?
>
> Thanks,
> R. M.
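The configuration Kevin describes above, written out as an added example (not from the thread, and not BIND's own documentation): a POSIX shell script that generates the root zone file plus three named.conf variants, one for the root master, one for the root slave, and one for an ordinary resolver that points at the internal root through a hints file instead of the Internet root hints. It then runs named-checkzone/named-checkconf on the output when those utilities are installed. The hostnames ns1/ns2.internal, the 192.0.2.0/24 addresses (RFC 5737 documentation range) and the file names are constructed placeholders, not values from the thread. The "min-roots 1" tip is a BIND 8 option; BIND 9 does not implement it, so it appears only as a comment. The listen-on line is the usual fix for the "fails to bind to the ethernet IP" symptom in the quoted question: without it the server may answer only on the loopback address.

```shell
#!/bin/sh
# Added example (not from the thread, not BIND's docs): generate BIND config
# for an internal root zone as described in Kevin's reply. ns1/ns2.internal,
# the 192.0.2.0/24 addresses and file names are constructed placeholders.
set -eu

# Root zone file: served as master by ns1, transferred to ns2 as slave.
write_root_zone() {
    cat > "$1/db.root" <<'EOF'
$TTL 86400
. IN SOA ns1.internal. hostmaster.internal. (
        2000100401 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; negative-cache TTL
. IN NS ns1.internal.
. IN NS ns2.internal.
ns1.internal. IN A 192.0.2.1
ns2.internal. IN A 192.0.2.2
; Delegate subtrees down from the root as usual; the A records above are
; the glue for the delegated servers.
internal.     IN NS ns1.internal.
internal.     IN NS ns2.internal.
in-addr.arpa. IN NS ns1.internal.
in-addr.arpa. IN NS ns2.internal.
EOF
}

# ns1: master for ".". It defines the root zone itself, so no hints file.
write_master_conf() {
    cat > "$1/named.conf.master" <<EOF
options {
    directory "$1";
    listen-on { 192.0.2.1; };      // answer on the interface address, not only loopback
    allow-transfer { 192.0.2.2; }; // only the slave may pull the root zone
    // BIND 8 only: with a single root server add   min-roots 1;
    // (BIND 9 does not implement that option.)
};
zone "." {
    type master;
    file "db.root";
};
EOF
}

# ns2: slave for ".", pulling from ns1. Also needs no hints file.
write_slave_conf() {
    cat > "$1/named.conf.slave" <<EOF
options {
    directory "$1";
    listen-on { 192.0.2.2; };
};
zone "." {
    type slave;
    masters { 192.0.2.1; };
    file "bak.root";
};
EOF
}

# Any other server resolving this namespace: a hints file listing the
# internal root master and slave replaces the Internet root hints.
write_resolver_conf() {
    cat > "$1/root.hints" <<'EOF'
.             3600000 IN NS ns1.internal.
ns1.internal. 3600000 IN A  192.0.2.1
.             3600000 IN NS ns2.internal.
ns2.internal. 3600000 IN A  192.0.2.2
EOF
    cat > "$1/named.conf.resolver" <<EOF
options {
    directory "$1";
};
zone "." {
    type hint;
    file "root.hints";
};
EOF
}

generate_all() {
    write_root_zone "$1"
    write_master_conf "$1"
    write_slave_conf "$1"
    write_resolver_conf "$1"
}

# Syntax-check the generated files when the BIND utilities are installed.
validate() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q . "$1/db.root"
    fi
    if command -v named-checkconf >/dev/null 2>&1; then
        for role in master slave resolver; do
            named-checkconf "$1/named.conf.$role"
        done
    fi
}

# Usage: sh internal-root.sh /path/to/output-dir
if [ "${1:-}" ]; then
    generate_all "$1"
    validate "$1"
fi
```

Each generated named.conf is meant for a different host; copy the matching one to /etc/named.conf (or wherever the build expects it) on that machine along with the zone or hints file it names.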
