Master ns on internal lan
x_bind-users_x at nospam.pz.podzone.net
Sun Mar 20 10:13:29 UTC 2011
Hi,
I'm trying to figure out how to configure my nameservers so that the
master can reside on an internal LAN *only* address.
I already have it configured such that the master is (almost) hidden
while residing on a public IP. So I should present that first:
ns0.mydomain.net - Gateway/firewall, public IP (ADSL) + internal LAN.
ns1.mydomain.net - Public nameserver.
ns2.mydomain.net - Public nameserver.
Host ns0 serves DNS for the internal LAN, as well as acting master for
ns1/ns2.
I have glue records at the registry for ns1 & ns2. The zone file
configured on ns0 looks something like this:
    @       IN  SOA  ns0 hostmaster (
                ...
            )
    @       IN  NS   ns1
    @       IN  NS   ns2
    ns0     IN  A    aaa.aaa.aaa.aaa    ; ns0 (hidden)
    ns1     IN  A    bbb.bbb.bbb.bbb    ; ns1
    ns2     IN  A    ccc.ccc.ccc.ccc    ; ns2
    ...
On the master (ns0) named.conf is as follows:
    options {
        listen-on { any; };
        allow-recursion { 127.0.0.1; lan; };
        allow-query { 127.0.0.1; lan; };
        allow-transfer { 127.0.0.1; ns1; ns2; };
        ...
    };

    zone "mydomain.net" {
        type master;
        file "/etc/bind/db.mydomain.net";
        allow-query { any; };
    };
On the slaves (ns1/ns2) named.conf is as follows:
    zone "mydomain.net" {
        type slave;
        file "/var/cache/bind/db.mydomain.net";
        masters { aaa.aaa.aaa.aaa; };
        allow-query { any; };
    };
As you can see, ns0 isn't quite totally hidden - it shows up in the
SOA record. I tried using ns1 in the SOA, but then ns1/ns2 failed to
update correctly when the zone file was updated on ns0. I never
figured that out and don't see it as a big deal from a privacy POV, but
I accept that it's probably not optimally configured.
Now on to my question. ;-)
Ideally I would like to manage the zones on a main internal server,
which would serve the internal LAN (including an internal-only zone)
as well as somehow keeping the public slaves up to date. Part of the
reason for this is a policy to shift all internal services onto the LAN
and away from the DMZ.
This is the plan:
main.mydomain.net - Internal LAN only.
ns0.mydomain.net - Gateway/firewall, public IP (ADSL) + internal LAN.
ns1.mydomain.net - Public nameserver.
ns2.mydomain.net - Public nameserver.
main acts as master for the ns0 slave (and serves DNS for the LAN).
ns0 acts as master for the ns1/ns2 slaves (and serves DNS for the DMZ).
This is the problem: I cannot see how to configure the SOA and conf
files such that zone updates will be notified main -> ns0 -> ns1/ns2.
Any advice or pointers on how to achieve that would be greatly
appreciated. Thanks in advance. - Charlie.
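The two-hop chain the post asks about (main -> ns0 -> ns1/ns2) can be wired up without the internal master ever appearing in the public zone, because BIND's default `notify yes` derives its targets from the zone's NS records (minus the SOA MNAME), whereas `notify explicit` sends only to the addresses listed in `also-notify`. A slave zone in BIND also sends NOTIFY when it loads a new serial, so ns0 can both pull from main and push to ns1/ns2. The named.conf fragments below are an added example written for this thread, not configuration from the original post or from the BIND project; the LAN addresses 10.0.0.10 (main) and 10.0.0.1 (ns0's LAN side), the key names and the key secret are constructed placeholders, while aaa/bbb/ccc are the post's own placeholders for ns0/ns1/ns2. Zone transfers and notifies between tiers are restricted with TSIG so that knowing a server's address is not enough to pull the zone.

```conf
##### main.mydomain.net (internal LAN only): the real master #####
key "xfer-main-ns0" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # placeholder: generate one with tsig-keygen
};
# Sign everything we send to ns0's LAN address (NOTIFY, transfer replies)
server 10.0.0.1 { keys { xfer-main-ns0; }; };

zone "mydomain.net" {
    type master;
    file "/etc/bind/db.mydomain.net";
    allow-transfer { key xfer-main-ns0; };   # only a holder of the key may AXFR/IXFR
    notify explicit;                          # ignore NS RRset, use also-notify only
    also-notify { 10.0.0.1; };               # hop 1: main -> ns0 over the LAN
};

##### ns0.mydomain.net (gateway): slave of main, master for ns1/ns2 #####
key "xfer-main-ns0" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # same secret as on main
};
key "xfer-ns0-public" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_ANOTHER_BASE64_SECRET";   # placeholder, shared with ns1/ns2
};
server bbb.bbb.bbb.bbb { keys { xfer-ns0-public; }; };
server ccc.ccc.ccc.ccc { keys { xfer-ns0-public; }; };

zone "mydomain.net" {
    type slave;
    file "/var/cache/bind/db.mydomain.net";
    masters { 10.0.0.10 key xfer-main-ns0; };          # pull from main, signed
    transfer-source 10.0.0.1;                          # pull via the LAN interface
    allow-transfer { key xfer-ns0-public; };           # ns1/ns2 only, with the key
    notify explicit;
    also-notify { bbb.bbb.bbb.bbb; ccc.ccc.ccc.ccc; };  # hop 2: ns0 -> ns1/ns2
    notify-source aaa.aaa.aaa.aaa;   # ns1/ns2 accept NOTIFY only from their listed master
};

##### ns1.mydomain.net / ns2.mydomain.net (public): leaf slaves of ns0 #####
key "xfer-ns0-public" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_ANOTHER_BASE64_SECRET";   # same secret as on ns0
};

zone "mydomain.net" {
    type slave;
    file "/var/cache/bind/db.mydomain.net";
    masters { aaa.aaa.aaa.aaa key xfer-ns0-public; };  # ns0's public address
    allow-transfer { none; };       # nothing downstream, so no transfers out
    notify no;                      # leaf: avoid ns1/ns2 notifying each other
    allow-query { any; };
};
```

With this layout the zone file itself can carry a public name (for example ns1) in the SOA MNAME and list only ns1/ns2 as NS, since propagation no longer depends on those records. After bumping the serial on main, `dig +short SOA mydomain.net @bbb.bbb.bbb.bbb` and the same query against ccc.ccc.ccc.ccc should show the new serial within a few seconds; if a hop stalls, the `notify` and `xfer-in`/`xfer-out` log categories on each server show which message was sent, refused or never arrived.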