Public DNS with NAT IP

Barry Margolin barmar at alum.mit.edu
Sat Nov 18 09:29:27 UTC 2006


In article <ejkucn$1ia9$1 at sf1.isc.org>,
 "guy cipher" <guy.cipher at gmail.com> wrote:

> Hi Barry,
> Thank you very much indeed. You are absolutely right. What I notice is that the
> reverse zone name is reflecting the public IP in the current configuration
> "named.conf", which is
> 
> zone "198.16.1.in-addr.arpa" in {
>     type master;
>     file "named.hosts.rev";

That zone name should have been 1.16.198.in-addr.arpa.

> 
> What I understood from your e-mail is that I should have created the reverse
> zone like below:
> 
> zone "172.31.32.in-addr.arpa" in {
>     type master;
>     file "named.hosts2.rev";

That should be 32.31.172.in-addr.arpa.

> 
> Should I delete the "named.hosts.rev"? And please tell me again what the
> "A" record will be for the DNS server zone files. Would it be the public IP
> or the private IP?

You need *both* reverse zones -- one for inside clients, the other for 
outside clients.  Unless your firewall performs DNS fixups to translate 
private IPs to their corresponding public IPs -- in that case you just 
need the private IPs.

> 
> indigo IN A 203.81.204.10
> 10 IN PTR indigo.xyz.net.
> 
> or
> 
> indigo IN A 172.31.32.5
> 10 IN PTR indigo.xyz.net
> 
> Please advise on the correct entries in the configuration file.

You need both.  The best way to do this is with views -- inside clients 
get the private A record, outside clients get the public A record.

> 
> Best Regards
> 
> Cipher
> 
> PS I haven't tried it yet, but I will do it soon.
> 
> 
> On 11/17/06, Barry Margolin <barmar at alum.mit.edu> wrote:
> >
> > In article <ejhl5j$192r$1 at sf1.isc.org>,
> > "guy cipher" <guy.cipher at gmail.com> wrote:
> >
> > > Hi,
> > > I'm setting up BIND 9.3 on a Solaris 9 server having a private IP address.
> > > The firewall is mapping (NATing) the public IP to the private IP address.
> > > Let's say 198.16.1.4 -> 172.31.31.99.
> > >
> > > The current DNS server, having a public IP, is working fine. When I copied
> > > all the configuration from the current DNS server to another server having
> > > a private IP (172.31.31.99), the configuration is the same, only the server
> > > IP is private. The DNS server is not resolving properly the queries for
> > > non-authoritative servers, but it does resolve all the A records defined
> > > in the DNS configuration.
> > >
> > > When I run 'nslookup' it generates the message "can't find server name for
> > > address 172.31.32.5". It resolves the queries from the "127.0.0.1" loopback
> >
> > You should create a reverse DNS zone for your address range to fix that
> > error.  This is a quirk of nslookup -- it requires that the server be
> > able to do a reverse lookup of its own address.
> >
> > > address. Sometimes it generates "No address (A) records available."
> > >
> > > My questions are below:
> > >
> > > Is there any specific configuration for BIND when configuring a public DNS
> > > having a private IP and NAT on the firewall?
> > > Should the A record of the DNS server reflect the "private IP" or the
> > > public IP?
> >
> > The problem isn't the A record, it's the PTR record.  If you tell
> > nslookup to query 172.31.32.5, it tries to look up this PTR record.
> >
> > Another way to solve this problem is to NOT USE NSLOOKUP.  It's a lousy
> > debugging tool.  Use "dig" for debugging, and "host" for quick-and-dirty
> > lookups.
> >
> > --
> > Barry Margolin, barmar at alum.mit.edu
> > Arlington, MA
> > *** PLEASE post questions in newsgroups, not directly to me ***
> > *** PLEASE don't copy me on replies, I'll read them in the group ***
> >
> >
> >

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
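A split-horizon setup of the kind Barry describes, written out as an added example (it is not from this thread and not part of BIND's own documentation): one view for inside clients that answers with the private A and PTR records, and one for everyone else that answers with the public ones. The public range 198.16.1.0/24, the private range 172.31.32.0/24 (with the ACL widened to 172.31.0.0/16 to cover both private subnets mentioned in the thread), the name server ns1.xyz.net at 198.16.1.4 / 172.31.32.2, the host indigo.xyz.net at 198.16.1.10 / 172.31.32.5, and every file name and path are assumptions chosen to match the addresses in the thread.

```conf
// ---- /etc/named.conf (assumed path) ----
options {
    directory "/var/named";      // assumed
};

// Inside clients: the private address space plus the loopback, so that
// nslookup run on the server itself (which queries 127.0.0.1) also lands
// in the internal view and can find the server's own PTR record.
acl "inside" { 172.31.0.0/16; 127.0.0.1; };

view "internal" {
    match-clients { "inside"; };
    recursion yes;               // inside clients may use this box as their resolver

    zone "xyz.net" {
        type master;
        file "xyz.net.internal";
    };
    zone "32.31.172.in-addr.arpa" {     // octets reversed, as Barry points out
        type master;
        file "32.31.172.rev";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                // outsiders get our zones only; this is not an open resolver

    zone "xyz.net" {
        type master;
        file "xyz.net.external";
    };
    zone "1.16.198.in-addr.arpa" {      // not "198.16.1.in-addr.arpa"
        type master;
        file "1.16.198.rev";
    };
};

; ---- /var/named/xyz.net.internal (private addresses) ----
$TTL 3600
@       IN SOA  ns1.xyz.net. hostmaster.xyz.net. ( 2006111801 3600 900 604800 3600 )
        IN NS   ns1.xyz.net.
ns1     IN A    172.31.32.2
indigo  IN A    172.31.32.5

; ---- /var/named/32.31.172.rev ----
; the owner label is the last octet of the address, so 172.31.32.5 is "5"
$TTL 3600
@       IN SOA  ns1.xyz.net. hostmaster.xyz.net. ( 2006111801 3600 900 604800 3600 )
        IN NS   ns1.xyz.net.
2       IN PTR  ns1.xyz.net.
5       IN PTR  indigo.xyz.net.

; ---- /var/named/xyz.net.external (public addresses) ----
$TTL 3600
@       IN SOA  ns1.xyz.net. hostmaster.xyz.net. ( 2006111801 3600 900 604800 3600 )
        IN NS   ns1.xyz.net.
ns1     IN A    198.16.1.4
indigo  IN A    198.16.1.10

; ---- /var/named/1.16.198.rev ----
$TTL 3600
@       IN SOA  ns1.xyz.net. hostmaster.xyz.net. ( 2006111801 3600 900 604800 3600 )
        IN NS   ns1.xyz.net.
4       IN PTR  ns1.xyz.net.
10      IN PTR  indigo.xyz.net.
```

Two things worth keeping in mind when adapting this: once named.conf contains any view, every zone (including the root hints and localhost zones if you carry them) has to live inside a view, and a query is matched against the views in the order they appear, so the catch-all `external` view must come last. To check which answer a given client sees, query from both sides with dig rather than nslookup, e.g. `dig @172.31.32.2 indigo.xyz.net A` and `dig @172.31.32.2 -x 172.31.32.5` from inside, and the same against 198.16.1.4 from outside.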