seeking: "private network" vs. DNS convention

Michael Kjorling michael at kjorling.com
Mon Sep 3 21:30:14 UTC 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jul 25 2001 17:41 -0500, Dan St.André wrote:

>     What are the conventions for DNS names for the hosts of a "private
> network"?  I do not have a registered domain -- don't need one -- but I
> used sendmail inside my firewall and it seems to require a DNS.  I don't
> want to edit /etc/hosts files around my lan.
>
> QUESTION:  When I create a host, say "goofey" on this private network,
> say "192.168.10.0", what do I tell my DNS?

goofey A 192.168.10.0

But that address might not work, as the 192.168 block is a set of 256
contiguous class C networks, so you should be using a netmask of
255.255.255.0. However, this does not affect DNS at all unless that is
the host on which you run the DNS server itself, and then it is not
because of anything DNS-related.


> QUESTION:  I can create a bogus domain, say "myplace.lan" and configure
> all of the parts.  My insider hosts can then refer to
> "goofey.myplace.lan".   This mostly works, but is this "the right thing
> to do"?  Is there some other convention?

I know of several enterprises that have done it this way. I do it this
way on my LAN, using one internal domain which does not resolve on the
Internet (it is only available in the internal DNS view even, so
anyone trying to ask my servers about it gets a NOERROR response
pointing them at the root servers).

Of course, since I do need external connectivity as well, I also have
an external zone for both forward and reverse DNS (RFC 2317). Heck, I
probably have 30-40 or so forward domains configured on my DNS servers
(a quick grep -c tells me there are 30 _publicly accessible_ zones,
plus I have some stealth slaves that are not available to the
outside world), and I am in the process of setting up a slave for who
knows how many more.


> QUESTION:  Are there other RFC's or HOWTO's that specifically address
> this situation in whole or in part?

None that I am aware of, except for the standard DNS RFCs of course.
Setting up an internal DNS really isn't any different from setting up
a public DNS; normally, you'd just use IPs from the RFC 1918 (is that
the same as 1597? It specifies the same ranges as far as I can tell)
spans instead of any globally unique span assigned to you by a
registry, and perhaps disallow outside queries in one way or another.
(I'm using views - your mileage may vary.)


>     I have a lan and a hub.  I follow the rules and use an RFC 1597
> private network for my IP addresses.  I have a caching BIND-8 DNS
> running on my gateway/firewall box.
>
> Thanks in advance,
> ~~~ Dan 0;-D

Really, a firewall should only be doing firewalling and nothing else,
especially if it is exposed to a "hostile" network like the Internet.
I have experience of what can happen when a firewalling box starts
taking on too many duties - and those experiences are not pleasant ones.

That set aside I cannot see what could go wrong with your setup. DNS
just resolves names to addresses and special names to ordinary names
(the in-addr.arpa and ip6.int zones and wherever those may point with
CNAMEs are the standard reverse zones, but of course you can perform
an explicit PTR query anywhere in the DNS) - it does not care what
those happen to resolve to as long as the zone files are syntactically
correct.


Michael Kjörling

- -- 
Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^     Support the wolves in Norway -- go to     ^..^
 \/   http://home.no.net/ulvelist/protest_int.htm   \/

***** Please only send me emails which concern me *****

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For my PGP key: http://michael.kjorling.com/contact/pgp.html

iD8DBQE7k/ZqKqN7/Ypw4z4RAmIdAKDFPF9h2urCON9JJy5vP0wdGPY9+wCdE9eL
otCsiJz6VJmkO6DMYtsB3O0=
=xLv4
-----END PGP SIGNATURE-----
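The reply above says what to tell the DNS ("goofey A 192.168.10.0"), warns that .0 is not a usable host address under the conventional /24 netmask, and mentions the matching reverse (in-addr.arpa) zone. The following is an added example, not code from the original post or from BIND itself, that builds the forward and reverse zone records for an internal domain like the poster's "myplace.lan" on 192.168.10.0/24 and refuses network and broadcast addresses before they reach the zone file. The domain, the host names (ns1, goofey, printer) and their addresses are constructed for illustration; the SOA timer values and serial are assumptions.

```python
"""Forward and reverse zone records for a private (RFC 1918) LAN.

Added example for the bind-users reply above. Domain, host names, addresses
and SOA parameters are constructed for illustration, not taken from the post.
"""
import ipaddress

INTERNAL_DOMAIN = "myplace.lan"                 # internal-only domain, as in the thread
LAN = ipaddress.ip_network("192.168.10.0/24")   # the poster's network with a /24 mask
NAMESERVER = "ns1"                              # assumed name of the internal BIND host
HOSTS = {                                       # constructed sample hosts
    "ns1": "192.168.10.1",
    "goofey": "192.168.10.5",
    "printer": "192.168.10.20",
}


def is_usable_host_address(addr, net=LAN):
    """True if addr is inside net and is neither its network nor broadcast address.

    DNS itself does not care: it would happily serve "goofey A 192.168.10.0".
    The check belongs in whatever writes the zone, which is the point of the
    reply's remark about the 255.255.255.0 netmask.
    """
    ip = ipaddress.ip_address(addr)
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def check_host_address(addr, net=LAN):
    """Return the parsed address, or raise if it cannot be a host on net."""
    if not is_usable_host_address(addr, net):
        raise ValueError(f"{addr} is not a usable host address in {net}")
    return ipaddress.ip_address(addr)


def reverse_zone_name(net=LAN):
    """Name of the in-addr.arpa zone for a /24, e.g. 10.168.192.in-addr.arpa.

    Only the classful /24 case is handled here; a delegation smaller than a
    /24 needs the CNAME scheme of RFC 2317, which the reply refers to.
    """
    if net.prefixlen != 24:
        raise ValueError("only /24 reverse zones are built by this example")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def soa_header(origin, ns=NAMESERVER, domain=INTERNAL_DOMAIN, serial=2001090301):
    """Minimal $ORIGIN/SOA/NS preamble shared by both zones (timers are assumptions)."""
    return [
        f"$ORIGIN {origin}.",
        "$TTL 3600",
        f"@ IN SOA {ns}.{domain}. hostmaster.{domain}. ( {serial} 3600 900 604800 3600 )",
        f"@ IN NS {ns}.{domain}.",
    ]


def forward_zone(hosts=HOSTS, domain=INTERNAL_DOMAIN, ns=NAMESERVER, net=LAN):
    """Lines of the forward zone: goofey.myplace.lan -> 192.168.10.5 and so on."""
    lines = soa_header(domain, ns, domain)
    for name, addr in sorted(hosts.items()):
        lines.append(f"{name} IN A {check_host_address(addr, net)}")
    return lines


def reverse_zone(hosts=HOSTS, domain=INTERNAL_DOMAIN, ns=NAMESERVER, net=LAN):
    """Lines of the in-addr.arpa zone: one PTR per host, keyed by the last octet."""
    lines = soa_header(reverse_zone_name(net), ns, domain)
    by_address = sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    for name, addr in by_address:
        last_octet = str(check_host_address(addr, net)).split(".")[-1]
        lines.append(f"{last_octet} IN PTR {name}.{domain}.")
    return lines


if __name__ == "__main__":
    print("\n".join(forward_zone()))
    print()
    print("\n".join(reverse_zone()))
```

Both generated zones should be loaded only in the internal view (BIND 9 `match-clients` limited to the RFC 1918 ranges), as the reply describes, so that nobody outside can enumerate the internal names or addresses; the external view carries the public zones only.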
