bind internal domain configuration
Kevin Darcy
kcd at daimlerchrysler.com
Mon Oct 27 23:31:25 UTC 2003
dave wrote:
>Hello,
> I hope this is the correct forum for this question. I believe it is bind
>that is my problem, though I'm almost certain it's a configuration error on
>my part. I've got two domains; I'll call them example.com and example.net for
>the purposes of this explanation. These domains are available via www from
>the net, and are hosted on one of my machines, which is on an internal
>network behind a firewall. Now from the net any traffic can get to both
>domains. Before I had this arrangement I had internal dns set up which I
>called my internal domain example.net. When I go to www.example.net it works
>fine, I see that web page and so forth; however, when going (this is internal)
>to www.example.com or making any actions to my .com domain I get timeouts or
>404 page not found messages. I'm wondering if I have to change my internal
>domain to something different than my two public domains, or if there's
>another solution. I'm using bind9 on my internal dns server if that matters.
>
Is this a NAT'ing firewall? If so, then it sounds like the typical
"firewall can't deal with a port-forwarded request from the inside of
the NAT"-type problem.

Possible solutions:

a) add some additional configuration to your firewall to deal with the
situation, if possible,

b) implement "split DNS" so that your externally-visible site(s) resolve
to their internal addresses when queried by internal clients, thus
bypassing your firewall altogether. You should be able to find plenty of
information on "split DNS" in the mailing-list archives. Since you're
running BIND 9, you may be able to avoid the inconvenience of running a
separate nameserver box, or separate nameserver instance running on a
different interface on the same box, by implementing the "view" feature.

The biggest downside of split DNS, however, is the necessity to maintain
two different versions -- internal versus external -- of your
externally-visible zones. So if I were you, I'd try to solve this
problem in your firewall first before resorting to split DNS...
- Kevin
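As an added illustration of option (b), not part of Kevin's reply or dave's actual setup, here is a named.conf fragment that implements split DNS with the BIND 9 "view" feature. The ACL name, the zone-file paths, and the addresses (RFC 1918 space for the internal side, the 192.0.2.0/24 documentation range standing in for the public side) are assumed placeholders.

```conf
// Split-DNS named.conf fragment for BIND 9 views (illustrative; all names,
// addresses and file paths below are assumed placeholders).
// Once views are used, every zone must live inside a view.

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
};

// Internal clients resolve www.example.com / www.example.net to the
// internal address, so the request never has to hairpin through the
// NAT firewall. Recursion is offered only to these clients.
view "internal" {
    match-clients   { "internal-nets"; };
    recursion       yes;
    allow-recursion { "internal-nets"; };

    zone "." { type hint; file "named.ca"; };   // root hints for recursion

    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // www IN A 10.0.0.10
    };
    zone "example.net" {
        type master;
        file "internal/example.net.zone";   // www IN A 10.0.0.10
    };
};

// Everyone else gets the public addresses. Views are matched in order,
// so this catch-all must come last. Recursion is off here so the public
// face is a pure authoritative server, not an open resolver.
view "external" {
    match-clients { any; };
    recursion     no;

    zone "example.com" {
        type master;
        file "external/example.com.zone";   // www IN A 192.0.2.10
    };
    zone "example.net" {
        type master;
        file "external/example.net.zone";   // www IN A 192.0.2.10
    };
};
```

The two copies of each zone file are the maintenance burden Kevin mentions: any record change has to be made in both the internal and the external version.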