BIND behind NAT

Simon Waters Simon at wretched.demon.co.uk
Fri Aug 3 21:33:13 UTC 2001


George Zaroubi wrote:
> 
> Thanks for the informative response, I am using static NAT for the DNS/Mail
> Servers. I had already tumbled to that CISCO document - what a nightmare!
> Isn't there something much more simple?

It only applies to the dynamic NAT, and I wrote the web page
because whilst the CISCO document is accurate it is also very
heavy. The main thing is you aren't doing this AFAICT.

> I am using 20 clients with private IPs - have a range of 16 addresses (real)
> and am using NAT on the Cisco for the possibility of future growth. I don't
> have a DMZ and would like to service both the outside world and the local
> clients with this DNS server?

No DMZ - hmm, my "let's sell him security consulting" bells are
ringing *8-)
 
> Do I have to create two instances of BIND running? What configuration files
> would I need?

You definitely don't need two instances of BIND, but it may be
easier and more secure that way.

Personally I'm a big fan of shipping your external DNS to your
ISP. They typically have people who do it day in, day out, and
appropriate redundant servers, and it saves you bandwidth (Just
a little).

A typical config may be something like...

Consider one BIND instance serving the external requests, that
just serves data, and gets secondaried by your other Internet-sited
DNS servers, if you must manage this bit yourself.

Use another BIND instance (or pair) that doesn't answer requests
from the Internet to serve the internal versions of these names,
and to query the Internet for your servers.

-- 
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework
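The two-instance layout described in the reply above, as an added example that is not part of the original post: one authoritative-only named answering the Internet, and a second recursive named reachable only from the LAN. Addresses are constructed placeholders (203.0.113.0/28 as the public range, 192.168.1.0/24 as the private LAN, 203.0.113.2/.3 as the ISP's secondaries) and the file paths are assumed.

```conf
// ---- /etc/named-external.conf : answers the Internet, recursion off ----
// Start with: named -c /etc/named-external.conf
options {
    directory "/var/named/external";
    pid-file  "/var/run/named-external.pid";   // separate pid file per instance
    listen-on { 203.0.113.10; };               // public (or statically NATed) address
    recursion no;                              // authoritative only, never a resolver
    allow-query { any; };
    allow-transfer { 203.0.113.2; 203.0.113.3; }; // the ISP secondaries only
    notify yes;                                // tell the secondaries when zones change
};
zone "example.com" {
    type master;
    file "example.com.external";   // public data: only the real (public) addresses
};

// ---- /etc/named-internal.conf : serves the LAN, not reachable from outside ----
// Start with: named -c /etc/named-internal.conf
acl "lan" { 192.168.1.0/24; 127.0.0.1; };
options {
    directory "/var/named/internal";
    pid-file  "/var/run/named-internal.pid";
    listen-on { 192.168.1.1; 127.0.0.1; };     // private interface only, no NAT mapping
    recursion yes;                             // resolves Internet names for LAN clients
    allow-query { "lan"; };                    // refuse everything that is not local
    allow-recursion { "lan"; };
    allow-transfer { 192.168.1.2; };           // the internal partner, if run as a pair
};
zone "example.com" {
    type master;
    file "example.com.internal";   // private data: the RFC 1918 addresses clients use
};
zone "." {
    type hint;
    file "root.hints";             // needed because this instance recurses itself
};
```

The external instance never recurses and never sees the private zone file, so neither a cache-abuse query from outside nor a leaked internal address can come from it; the internal instance has no public mapping at all, so its LAN-only ACLs are a second line behind the NAT rather than the only one.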