Master ns on internal lan

x_bind-users_x at nospam.pz.podzone.net x_bind-users_x at nospam.pz.podzone.net
Sun Mar 20 10:13:29 UTC 2011


Hi,

I'm trying to figure out how to configure my nameservers so that the
master can reside on an internal LAN *only* address.

I already have it configured such that the master is (almost) hidden
while residing on a public IP.  So I should present that first:

ns0.mydomain.net - Gateway/firewall, public IP (ADSL) + internal LAN.

ns1.mydomain.net - Public nameserver.

ns2.mydomain.net - Public nameserver.

Host ns0 serves DNS for the internal LAN, as well as acting master for
ns1/ns2.

I have glue records at the registry for ns1 & ns2.  The zone file
configured on ns0 looks something like this:

@ IN SOA ns0 hostmaster (
...
)
@       IN NS   ns1
@       IN NS   ns2
ns0     IN A    aaa.aaa.aaa.aaa ;; ns0 (hidden)
ns1     IN A    bbb.bbb.bbb.bbb ;; ns1
ns2     IN A    ccc.ccc.ccc.ccc ;; ns2
...

On the master (ns0) named.conf is as follows:

options {
        listen-on       { any; };
        allow-recursion { 127.0.0.1; lan; };
        allow-query     { 127.0.0.1; lan; };
        allow-transfer  { 127.0.0.1; ns1; ns2; };
        ...
};
zone "mydomain.net" {
        type master;
        file "/etc/bind/db.mydomain.net";
        allow-query { any; };
};

On the slaves (ns1/ns2) named.conf is as follows:

zone "mydomain.net" {
        type slave;
        file "/var/cache/bind/db.mydomain.net";
        masters { aaa.aaa.aaa.aaa; };
        allow-query { any; };
};

As you can see, ns0 isn't quite totally hidden - it shows up in the
SOA record.  I tried using ns1 in the SOA but then ns1/ns2 failed to
update correctly when the zone file was updated on ns0.  I never
figured that out and don't see it as a big deal from a privacy POV but
I accept that probably it's not optimally configured.

Now on to my question. ;-)

Ideally I would like to manage the zones on a main internal server,
which would serve the internal LAN (including an internal-only zone)
as well as somehow keeping the public slaves up to date.  Part of the
reason for this is a policy to shift all internal services onto the LAN
and away from the DMZ.

This is the plan:

main.mydomain.net - Internal LAN only.

ns0.mydomain.net - Gateway/firewall, public IP (ADSL) + internal LAN.

ns1.mydomain.net - Public nameserver.

ns2.mydomain.net - Public nameserver.

main acts as master for ns0 slave. (and serves dns for the lan)

ns0 acts as master for ns1/ns2 slaves. (and serves dns for the dmz)

This is the problem, I cannot see how to configure the SOA and conf
files such that zone updates will be notified main -> ns0 -> ns1/ns2.

Any advice or pointers on how to achieve that would be greatly
appreciated.  Thanks in advance. - Charlie.
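The following is an added worked example of the three-tier layout described in the post (main -> ns0 -> ns1/ns2); it is not configuration from the original message or from the BIND project. Assumptions not in the post: main sits on LAN address 10.0.0.10, ns0's LAN address is 10.0.0.1, the LAN is 10.0.0.0/24, and the internal-only zone is called "internal.mydomain.net". The public addresses aaa/bbb/ccc are the placeholders used in the post. The idea is to make every hop use `notify explicit` plus `also-notify`, so that each server tells exactly the next tier about a new serial, and to pin `masters`, `allow-notify` and `allow-transfer` to the address one hop up or down, so that nothing else can push or pull the zone. The zone file from the post can stay as it is: `also-notify` targets are notified regardless of what the NS RRset or SOA MNAME contain.

```conf
// ---------------------------------------------------------------
// main.mydomain.net (internal LAN only, hidden master) - added example
// ---------------------------------------------------------------
acl lan { 10.0.0.0/24; 127.0.0.1; };   // assumed LAN range

options {
        listen-on       { 127.0.0.1; 10.0.0.10; };   // never the public side
        allow-query     { lan; };
        allow-recursion { lan; };
        allow-transfer  { none; };      // opened per zone below
        notify explicit;                // only the also-notify list gets NOTIFY
};

zone "mydomain.net" {
        type master;
        file "/etc/bind/db.mydomain.net";
        also-notify    { 10.0.0.1; };   // ns0's LAN address, the only slave of main
        allow-transfer { 10.0.0.1; };   // nobody else may AXFR from main
};

zone "internal.mydomain.net" {
        type master;
        file "/etc/bind/db.internal.mydomain.net";
        notify no;                      // internal-only zone never leaves main
        allow-transfer { none; };
};

// ---------------------------------------------------------------
// ns0.mydomain.net (gateway: LAN 10.0.0.1 + public aaa.aaa.aaa.aaa)
// slave of main, master for ns1/ns2 - added example
// ---------------------------------------------------------------
zone "mydomain.net" {
        type slave;
        file "/var/cache/bind/db.mydomain.net";
        masters        { 10.0.0.10; };  // pull from main over the LAN only
        allow-notify   { 10.0.0.10; };  // accept NOTIFY only from main
        allow-transfer { bbb.bbb.bbb.bbb; ccc.ccc.ccc.ccc; };
        notify explicit;                // re-notify the public tier on every new serial
        also-notify    { bbb.bbb.bbb.bbb; ccc.ccc.ccc.ccc; };
        allow-query    { any; };
};

// ---------------------------------------------------------------
// ns1.mydomain.net / ns2.mydomain.net (public) - added example
// ---------------------------------------------------------------
zone "mydomain.net" {
        type slave;
        file "/var/cache/bind/db.mydomain.net";
        masters        { aaa.aaa.aaa.aaa; };   // ns0's public address
        allow-notify   { aaa.aaa.aaa.aaa; };   // ignore NOTIFY from anyone else
        allow-transfer { none; };              // public servers answer, never AXFR
        allow-query    { any; };
};
```

After bumping the SOA serial on main and reloading, the change should appear on each tier in turn; `dig +short @10.0.0.1 mydomain.net SOA`, then the same query against bbb.bbb.bbb.bbb and ccc.ccc.ccc.ccc, should all return the new serial within a few seconds. If ns1/ns2 lag until the refresh timer fires, check that the NOTIFY from ns0 is leaving from aaa.aaa.aaa.aaa (a `query-source`/`notify-source` of the public address may be needed on a multi-homed gateway, otherwise `allow-notify` on ns1/ns2 will reject it), and that UDP/TCP 53 from ns0's public address is permitted on the public servers. `also-notify` adds explicit targets and does not clear the "skip the SOA MNAME host" rule, so it is the setting that keeps the notify chain intact whichever name is put in the SOA.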
