DNS resolution to private IP BIND server keeps resolving to public address...??

Kevin Darcy kcd at daimlerchrysler.com
Thu May 16 22:37:23 UTC 2002


jk74 at att.net wrote:

> OK - here's my issue:
> I needed to setup a DNS server internally. I used BIND on REDHAT 7.2.
> ng ok. This box is behind my firewall and has a private IP, however it
> is also setup to communicate with a public IP out on the web via a
> static NAT map through my firewall.
>
> Because this box is running sendmail and also needs to receive mail
> for a service I have running on there (WREQ help tracking), it's
> registered on the internet as well with my DNS provider so that it can
> receive email properly.
>
> The problem is that now sometimes my PC (private network), instead of
> picking up the private address of that DNS box, it resolves the public
> address instead and then cannot communicate because my firewall
> (Sonicwall) doesn't let internal hosts go out and communicate with a
> public address that is setup to be statically-mapped via NAT back
> through the firewall to an internally addressed box. So, when my PC
> tries to resolve that server it bombs if it uses the public address.
>
> What's strange is that sometimes it resolves the private IP of that
> box and then it works perfectly. I have my primary DNS server set on
> my PC to be that of the internal address of the DNS server. The DNS
> server is also acting as a cache/forwarder so it will go out and
> return lookups for my PC and that is working.
>
> I don't know why sometimes it screws up and starts using the public
> address. I guess perhaps it's getting that from another DNS server and
> that's what is screwing things up.
>
> I have somewhat determined (through various readings, posts, etc) that
> I either need 2 DNS servers, one to cover the outside boxes I intend
> to have and one to cover the internal addresses...or I need something
> called a Split-Horizon DNS setup....something I've read that BIND is
> very tricky with and that perhaps another DNS server might do better
> at.
>
> The other, and last thing I'm sure that could help me would be a local
> hosts file that just points to the private address of that
> server...however I don't want to have to maintain individual hosts
> files on all of my PCs here on my LAN.
>
> I'd appreciate comment and requests for additional information on this
> subject that you might need to help me figure this one out. Thanks.

You haven't really given the necessary details to solve the problem. Is
the problem name in a zone for which your nameserver is master? If so,
then does the name resolve to the internal address or the external
address? Do you have A records for *both* internal and external? If so,
then it's no wonder that your client is getting the wrong address some of
the time, since BIND "round-robin"s by default. You shouldn't be putting
private addresses in the public DNS anyway (assuming by "private" you
mean an RFC 1918 address like 192.168.*.* or 10.*.*.*).

You're probably right that what you need is Split DNS. I'm not sure what
DNS implementation you're thinking of that would do a better job of Split
DNS than BIND. If Red Hat 7.2 comes with BIND 9, then you can use the
"view" mechanism to do what you want.


- Kevin
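As an added illustration of the "view" mechanism mentioned above (this is example configuration, not part of the original message): a minimal BIND 9 named.conf that answers internal clients with the private address and everyone else with the public one. The zone name example.com, the addresses 192.168.1.10 / 203.0.113.10, the LAN range, the forwarder and the file paths are all placeholders.

```conf
// Added example (not from the original post): BIND 9 split-horizon DNS with views.
// Assumptions: zone example.com, server private address 192.168.1.10,
// NAT-mapped public address 203.0.113.10, LAN 192.168.1.0/24.
// All names, addresses and paths are placeholders.

acl "internal" {
    127.0.0.1;
    192.168.1.0/24;      // hosts behind the firewall
};

options {
    directory "/var/named";
};

// Views are tried in order; the first whose match-clients matches wins,
// so the internal view must precede the catch-all external view.
view "internal" {
    match-clients { internal; };
    recursion yes;                  // internal PCs use this box as their resolver
    forwarders { 198.51.100.1; };   // placeholder upstream resolver for cache/forwarding

    zone "example.com" {
        type master;
        // internal/example.com.zone carries:  mail  IN A  192.168.1.10
        file "internal/example.com.zone";
    };
};

// Everyone else sees only the public address and gets no recursion,
// so the server does not become an open resolver for the Internet.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        // external/example.com.zone carries:  mail  IN A  203.0.113.10
        file "external/example.com.zone";
    };
};
```

Once any view is declared, every zone (including the root hints and localhost zones) must live inside a view, or named will refuse to load; `named-checkconf` will report such errors before you restart the server.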
