New DNS setup

Kevin Darcy kcd at daimlerchrysler.com
Wed Apr 4 20:58:23 UTC 2001


"view"s don't really apply when the external version of your zone is hosted on
a totally separate box in a separate location from where the internal version
of your zone is hosted.


- Kevin

GBPAP018 wrote:

> Isn't this also covered by the view option in BIND 9.1.1?
>
> A
>
> "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> news:9ads1h$n2s at pub3.rc.vix.com...
> >
> > Matthew P. Marino wrote:
> >
> > > I've done this. I run BIND9 as a master for the zone. I use my ISP's name server
> > > as a "forwarder". I **DON'T** have the name servers registered with my ISP. That
> > > makes them authoritative for my zone as far as the Internet is concerned so no
> > > queries from the Internet get passed on. I also have a firewall that doesn't
> > > allow port 53 to flow past it from WAN to LAN.
> >
> > (You could set an allow-query in the nameserver instead of, or in addition to, your
> > firewall rule).
> >
> > > On the LAN my server thinks it's
> > > authoritative for the zone so it doesn't send user requests out unless it's
> > > someone else's stuff.
> > >
> > >   Most books (like Cricket's) won't outline that type of scenario because it's
> > > actually "broken".
> >
> > Huh? What you're describing is covered in the "DNS and Internet Firewalls" section
> > of 3rd Edition, Chapter 15, and the sample 4th Edition chapter at
> > http://www.oreilly.com/catalog/dns4/chapter/ch11.html. There's nothing
> > "broken" about it. It's actually quite a common configuration. The only thing
> > you're doing slightly differently from the "shadow namespace" or -- as it's called
> > in 4th Edition -- "split namespace" diagram is that the master for the external
> > version of your domain is your ISP's nameserver instead of a box in your "perimeter
> > network". That's just a slight variation, and also I believe quite common.
> >
> > > You can't use real Internet IPs or you'll have to have an
> > > in-addr.arpa zone for a class "C" subnet that you don't own.
> >
> > You could always use "private" addresses. See RFC 1918. Those are unroutable on the
> > Internet (in theory, at least) and you don't need to worry about having
> > "stolen" someone else's legitimate address range for your internal use. Just make
> > sure to define the appropriate reverse zone(s), e.g. 168.192.in-addr.arpa,
> > otherwise your reverse lookups may leak out onto the Internet and annoy Bill
> > Manning :-)
> >
> >
> > - Kevin
> >
> > > Adam Lang wrote:
> > > >
> > > > I've been reading through Mr. Langfeldt's DNS book and have a few questions.
> > > >
> > > > I'm a company with about 100 people.  I have a dedicated ISP with PSINet.
> > > >
> > > > I am going to set up DDNS and DHCP internally.
> > > >
> > > > I want PSINet to host the master server to handle publicly accessible IP
> > > > addresses.  I want another server internally that will be used as a cache
> > > > and a DDNS and have the private IPs of the network.
> > > >
> > > > The server that I want to set up, what exactly is it called?  Is it a slave
> > > > server?
> > > > Are there problems with what I'm planning on setting up?
> > > > Any input/comments will be appreciated.
> > > >
> > > > Adam Lang
> > > > Systems Engineer
> > > > Rutgers Casualty Insurance Company
> > > > http://www.rutgersinsurance.com
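As an added illustration (not part of the thread, and not configuration anyone above posted), this is how the internal-only nameserver Adam describes would look in a BIND 9 named.conf, putting together the points made in the replies: the ISP's resolver as the forwarder, allow-query restricting answers to the LAN as a complement to the firewall rule, and a master zone for 168.192.in-addr.arpa so RFC 1918 reverse lookups are answered locally instead of leaking to the Internet. No view statements are needed, because the external copy of the zone lives on PSINet's server and this box never carries the public data. The zone name example.com, the forwarder address 192.0.2.53, the 192.168.0.0/16 internal range, the key name dhcp-update and its secret are all assumptions chosen for the example.

```conf
// Added example, not from the thread: named.conf for the internal-only
// nameserver of a split namespace. example.com, 192.0.2.53 (ISP resolver),
// 192.168.0.0/16 and the TSIG key are placeholders.

acl internal { 127.0.0.1; 192.168.0.0/16; };

// Key shared with the DHCP server for dynamic updates (secret is a placeholder)
key "dhcp-update" {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LWNoYW5nZS1tZQ==";
};

options {
    directory "/var/named";

    // Answer only the LAN, in addition to (not instead of) the firewall rule
    // that blocks port 53 from WAN to LAN.
    allow-query     { internal; };
    allow-recursion { internal; };

    // Everything this server is not authoritative for goes to the ISP.
    forwarders { 192.0.2.53; };
    forward only;
};

// Internal version of the zone: private addresses, DDNS updates from DHCP only.
zone "example.com" {
    type master;
    file "internal/example.com.db";
    allow-update   { key "dhcp-update"; };
    allow-transfer { none; };
};

// Reverse zone for the RFC 1918 block, so PTR queries for 192.168.x.y are
// resolved here rather than forwarded out to the public in-addr.arpa servers.
zone "168.192.in-addr.arpa" {
    type master;
    file "internal/168.192.in-addr.arpa.db";
    allow-update   { key "dhcp-update"; };
    allow-transfer { none; };
};
```

Two things a practitioner will want to check with this layout. First, because the internal server considers itself authoritative for example.com, LAN clients will never ask PSINet about that name: any public host (www, mail) that internal users need must also appear in the internal zone file, which is the duplication the "split namespace" chapter describes. Second, the forwarders line is a trust decision; every name outside example.com is resolved by the ISP's server, so the LAN's view of the Internet is only as good as that resolver. Run named-checkconf on the file before reloading.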

