Basic tips and hints.

Barry Margolin barmar at alum.mit.edu
Thu Sep 21 04:25:08 UTC 2006


In article <eeqqks$1a27$1 at sf1.isc.org>,
 Anders Norrbring <lists at norrbring.se> wrote:

> Hiya all!
> First, I'm really new to bind, so please bear with me on this..
> 
> I'm looking at setting up a local DNS for our networks. It should only 
> resolve the local network hosts.
> 
> I make use of external DNS servers to resolve our domain and MX records, 
> so this new server should only act as a caching DNS, and serve the local 
> IPs to the clients "inside" our firewalls.

You're contradicting yourself.  If it serves the local IPs, then it's 
not *only* acting as a caching server.

> Of course, I could enter local IP addresses in the external DNS, but it 
> somehow doesn't "feel right" to serve IPs like 192.168.x.x to the world..

You're right, it's generally frowned upon.

Just set up a DNS server on your local network.  Make it authoritative 
for a zone like private.yourdomain.se, and put all the private hostnames 
in that subdomain.  If you don't like the idea of using a subdomain for 
the private stuff, you could just make it authoritative for 
yourdomain.se, but then you'll need to duplicate all the records that 
are in the public version of your domain.

On your Internet router or firewall, block inbound traffic to port 53, 
since no one outside needs to be able to query the internal server.  
Alternatively, you could use the allow-query option in the server's 
named.conf, but this is more overhead that's not really needed in this 
case; better to stop the traffic at the border on a device dedicated to 
securing your network.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
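The setup Barry describes above, as an added example that is not part of the original thread: a script that writes a minimal BIND named.conf and zone file for a private subdomain (private.yourdomain.se), with allow-query and allow-recursion limited to internal addresses as a second line of defence behind the border firewall rule, and then validates both files with BIND's own named-checkconf and named-checkzone if they are installed. Every address, hostname, path and serial number in it is a placeholder assumption, not something from the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate the named.conf and zone
# file for the "private.yourdomain.se" layout discussed in the thread, then
# validate them with BIND's checkers. All addresses, hostnames, paths and the
# serial are assumed placeholders; substitute your own.
set -eu

write_bind_config() {
    dir="$1"                      # directory to write the two files into
    mkdir -p "$dir"

    # named.conf: caching/recursive for the LAN, authoritative only for the
    # private subdomain, and queries limited to internal addresses. The border
    # firewall blocking inbound port 53 is the primary control; allow-query is
    # defence in depth for anything that reaches the server anyway.
    cat > "$dir/named.conf" <<'EOF'
acl internal { 127.0.0.0/8; 192.168.0.0/16; };   // assumed internal ranges

options {
    directory "/var/named";                        // assumed zone directory
    recursion yes;                                 // caching resolver for LAN clients
    allow-query     { internal; };                 // refuse queries from outside
    allow-recursion { internal; };                 // never recurse for outsiders
    listen-on { 127.0.0.1; 192.168.1.1; };         // assumed LAN address of this server
};

zone "private.yourdomain.se" {
    type master;
    file "private.yourdomain.se.zone";
};
EOF

    # Zone file holding the private hostnames; RFC 1918 addresses stay inside.
    cat > "$dir/private.yourdomain.se.zone" <<'EOF'
$TTL 3600
@   IN SOA  ns1.private.yourdomain.se. hostmaster.yourdomain.se. (
            2006092101 ; serial (assumed YYYYMMDDnn)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN NS   ns1.private.yourdomain.se.
ns1 IN A    192.168.1.1
fileserver IN A 192.168.1.10
printer    IN A 192.168.1.20
EOF
}

# Run BIND's syntax checkers when they are available (they ship with BIND).
check_bind_config() {
    dir="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf"
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone private.yourdomain.se "$dir/private.yourdomain.se.zone"
    fi
}

# Usage: sh bind-private-zone.sh /tmp/bind-private
if [ "${1:-}" != "" ]; then
    write_bind_config "$1"
    check_bind_config "$1"
fi
```

Clients inside the network point at 192.168.1.1 (or whatever address the server listens on) and get both the private names and cached answers for everything else, while the public zone at the external provider stays free of private addresses.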
