Internal bind server questions...

Kevin Darcy kcd at daimlerchrysler.com
Wed Dec 19 03:44:09 UTC 2001


jblow wrote:

> I (sort of...) know how to configure bind(8) to work as an external dns
> server...  but I would like to know what I have to set to accomplish the
> following for an internal (192.168.x.x/255.255.0.0) network: (if they in
> fact can all be accomplished...)
>
> (assume this dns server is 192.168.0.1)
>
> - have the server resolve all domains that it does not know (have config
> files for...)  i.e. www.google.com, etc, so that on the internal
> network, we can point our dns entries to 192.168.0.1 and need nothing
> else...

Sure, this is possible. If your nameservers have Internet connectivity
(e.g. through a stateful-inspection firewall), just use a hints file
listing the Internet root nameservers. If the internal nameservers don't
have Internet connectivity (e.g. they're behind a proxy-type firewall),
then you'll have to forward to some other servers with better connectivity,
possibly to nameservers running on the firewalls themselves. Note that
whenever you are using forwarding to get around a connectivity issue, you
should use "forward only" mode instead of "forward first" mode. Since
"forward first" is the default mode, you need to specify "forward
only" explicitly.

> - resolve all internal domains for web sites hosted internally in the
> network... i.e. dev.newdomain.com -> 192.168.0.10 (which has an entry
> for an Apache virtual host)  This is needed since the "real" dns entries
> for newdomain.com are handled by ns.company.com, and they point to our
> outside ip and are forwarded to 192.168.0.10, so that from the outside
> you can go to dev.newdomain.com and we can also get there from the
> inside...

Yes, just set up zone files with internal addresses in them. Note however,
that you'll have to maintain at least some of the information in parallel.

> This is currently accomplished with hosts files, but the number has
> grown too large and changes frequently, so I would like to centralize
> the information...
>
> - If the above is possible, is it _also_ possible to resolve on the
> 192.168.0.1 internal dns server newdev.newdomain.com ONLY, and all other
> dns queries for that domain that are not in the 192.168.0.1 domain files
> get forwarded to the outside dns servers, i.e. so that we don't have to
> pull down the "real" zone files for the internal queries, but can add
> internal zone records...

Um, not really. There is no "forward if not found" functionality in BIND.
Resource records are grouped together by zone, and that's about as much
granularity as you can get, in terms of whether a query is answered locally
or forwarded somewhere else. So, unless you defined every name in your
domain in a separate zone, you can't get this functionality, and defining
every name as a separate zone is probably more of a maintenance headache
than the hosts files you're using now.

What folks normally end up doing is maintaining the internal and external
zone data in parallel.

By the way, if you want to cut down on the number of servers you need to
dedicate to serving DNS, you could look at the "view" feature of BIND 9.
Basically, it allows a single BIND instance to answer the same query from
different zone data, depending on who is doing the asking. So a single
nameserver might answer internal clients with internal addresses and
external clients with external addresses. In theory, by playing games with
$INCLUDE files, you could also use the "view" feature to help reduce the
aforementioned double maintenance of internal-vs-external zone data (just
put the shared records in a file that is $INCLUDE'd into both the internal
and external versions of the zone).


- Kevin
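As an added illustration of the layout Kevin describes (this is constructed for this page, not Kevin's or jblow's configuration and not an ISC-supplied file): one BIND 9 server answering both internal and external clients through views, with the shared records kept in a single $INCLUDE'd file and the forward-only alternative shown for a server behind a proxy-type firewall. The 192.168.0.0/16 network, 192.168.0.1 and dev.newdomain.com -> 192.168.0.10 come from the question; the name ns1, the public address 203.0.113.10, the forwarder 192.168.0.254 and the SOA values are placeholders.

```conf
// --- /etc/named.conf (BIND 9) ---
// Views are tried in order; the first match-clients that matches wins.
acl internal { 192.168.0.0/16; 127.0.0.1; };

view "internal" {
    match-clients { internal; };
    recursion yes;                   // inside clients resolve everything via us
    // With direct Internet connectivity: use the root hints.
    zone "." { type hint; file "root.hints"; };
    // Without it (proxy-type firewall): forward instead, and use
    // "forward only" so an unanswered query is never retried directly.
    // forwarders { 192.168.0.254; };   // placeholder: resolver on the firewall
    // forward only;
    zone "newdomain.com" { type master; file "newdomain.com.internal"; };
};

view "external" {
    match-clients { any; };          // everyone not matched above
    recursion no;                    // outsiders get authoritative data only
    zone "newdomain.com" { type master; file "newdomain.com.external"; };
};

; --- newdomain.com.common (records identical in both views) ---
; Placeholder SOA/NS values; the serial is constructed for this example.
$TTL 3600
@       IN SOA  ns1.newdomain.com. hostmaster.newdomain.com. (
                2001121901 7200 900 1209600 3600 )
        IN NS   ns1.newdomain.com.

; --- newdomain.com.internal (only the records that differ go here) ---
$ORIGIN newdomain.com.
$INCLUDE newdomain.com.common
ns1     IN A    192.168.0.1
dev     IN A    192.168.0.10       ; the Apache virtual host from the question

; --- newdomain.com.external ---
$ORIGIN newdomain.com.
$INCLUDE newdomain.com.common
ns1     IN A    203.0.113.10       ; placeholder public address
dev     IN A    203.0.113.10       ; firewall forwards this to 192.168.0.10
```

Changing a shared record then means editing newdomain.com.common once (and bumping its serial), while only the address records that genuinely differ are maintained twice.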

More information about the bind-users mailing list