Dear All,
Is there a simple sample for setting up Internal and External DNS?
Edward,
On Tue, 2007-04-03 at 07:52 +0800, edwardspl@ita.org.mo wrote:
Is there a simple sample for setting up Internal and External DNS?
Something *like* the following sets of examples, but not exactly. Just use it as a starting guide while you read the manual files for the name server.
The filenames are purely my own choice, they're not a standard scheme. And the time periods I've used suit my LAN which has frequent experimental changes, but wouldn't be very appropriate for public use. You'll notice that the zone files have some information that's the same for local and external answers (e.g. they all use example.com), yet there are appropriate variances (e.g. the IP addresses).
Within a named.conf file (as well as what else is there):
------------------- begin sample ---------------------
view lan_resolver {
    match-clients { localhost; };
    match-destinations { localhost; };
    include "/etc/lan.conf";
    include "/etc/rndc.key";
};

view publicnet_resolver {
    include "/etc/publicnet.conf";
    include "/etc/rndc.key";
};
-------------------- end sample -----------------------
This defines separate locations for configuring the internal and external handling. It could be done in one named.conf file, but some people prefer individual configuration files for the custom bits. The choice is yours, dependent on how you want to manage Fedora updates to the BIND packages. This is the beginning point for what makes a DNS server respond differently to internal or external queries. You may need to change the match-clients parts for both sections to suit yourself. It's a fair bet that you *will* have to. Don't ask me how to do that, read the manual, the documentation, or visit their website.
A lan.conf file:
------------------- begin sample ---------------------
// a master zone carries no "masters" list; that option belongs only in a
// slave (or stub) zone, and named-checkconf rejects it on a master zone
zone "example.com" {
    type master;
    file "lan.example.com.zone";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "lan.1.168.192.in-addr.arpa.zone";
};
-------------------- end sample -----------------------
This sets up the files that will be used for answering LAN queries; they're separate zone record files from the ones used for the public answers.
A publicnet.conf file:
------------------- begin sample ---------------------
// as with the LAN zones, a master zone takes no "masters" list
zone "example.com" {
    type master;
    file "public.example.com.zone";
};

zone "34.0.192.in-addr.arpa" {
    type master;
    file "public.34.0.192.in-addr.arpa.zone";
};
-------------------- end sample -----------------------
This sets up the files that will be used for answering public queries; they're separate zone record files from the ones used for the internal answers.
A lan.example.com.zone file:
------------------- begin sample ---------------------
$ORIGIN .
$TTL 259200     ; 3 days
example.com     IN SOA  ns.example.com. hostmaster.example.com. (
                        227        ; serial
                        300        ; refresh (5 minutes)
                        900        ; retry (15 minutes)
                        691200     ; expire (1 week 1 day)
                        345600     ; minimum (4 days)
                        )
                NS      ns.example.com.
                A       192.168.1.2
                MX      1 mail.example.com.
$ORIGIN example.com.
www             A       192.168.1.10
ns              A       192.168.1.2
-------------------- end sample -----------------------
This is the file that provides IP address answers to local name queries.
A lan.1.168.192.in-addr.arpa.zone file:
------------------- begin sample ---------------------
$ORIGIN .
$TTL 259200     ; 3 days
1.168.192.in-addr.arpa  IN SOA  ns.example.com. hostmaster.example.com. (
                        608        ; serial
                        300        ; refresh (5 minutes)
                        900        ; retry (15 minutes)
                        691200     ; expire (1 week 1 day)
                        345600     ; minimum (4 days)
                        )
                        NS      ns.example.com.
$ORIGIN 1.168.192.in-addr.arpa.
10                      PTR     www.example.com.
-------------------- end sample -----------------------
This is the file that provides reverse lookups (what names belong to a queried IP) for local queries.
A public.example.com.zone file:
------------------- begin sample ---------------------
$ORIGIN .
$TTL 259200     ; 3 days
example.com     IN SOA  ns.example.com. hostmaster.example.com. (
                        227        ; serial
                        300        ; refresh (5 minutes)
                        900        ; retry (15 minutes)
                        691200     ; expire (1 week 1 day)
                        345600     ; minimum (4 days)
                        )
                NS      ns.example.com.
                A       192.0.34.43
                MX      1 mail.example.com.
$ORIGIN example.com.
www             A       192.0.34.166
ns              A       192.0.34.43
-------------------- end sample -----------------------
This is the file that provides IP address answers to external name queries.
A public.34.0.192.in-addr.arpa.zone file:
------------------- begin sample ---------------------
$ORIGIN .
$TTL 259200     ; 3 days
34.0.192.in-addr.arpa   IN SOA  ns.example.com. hostmaster.example.com. (
                        608        ; serial
                        300        ; refresh (5 minutes)
                        900        ; retry (15 minutes)
                        691200     ; expire (1 week 1 day)
                        345600     ; minimum (4 days)
                        )
                        NS      ns.example.com.
$ORIGIN 34.0.192.in-addr.arpa.
166                     PTR     www.example.com.
-------------------- end sample -----------------------
This is the file that provides reverse lookups (what names belong to a queried IP) for external queries.
I worked this all out from reading the manuals. If you can't do this for yourself, it's time to start paying someone to help you. I've spent the last hour, or so, copying and pasting things from my name servers, and removing the extraneous and private data.
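A hardened version of the master's named.conf, added here as an example for this page; it is not Tim's configuration and not text from the BIND project. It keeps his view and file names and the addresses from his samples (192.168.1.0/24 inside, 192.168.1.2 and 192.0.34.43 on the server), all of which are assumptions to replace with your own, and fills in what his sample leaves to the reader: a LAN ACL in match-clients instead of localhost, recursion for the LAN only, and zone transfers switched off unless a view allows them.

```conf
// Added example for this page, not Tim's configuration. Addresses, the
// "lan" ACL and the file names are assumptions taken from his samples.

acl "lan" {
    127.0.0.0/8;
    192.168.1.0/24;          // assumed LAN; list every inside subnet here
};

options {
    directory "/var/named";
    listen-on { 192.168.1.2; 192.0.34.43; };   // int IP and ext IP (assumed)
    version "none";          // don't advertise the BIND version to version.bind queries
    allow-transfer { none; };                  // global default: no zone transfers
};

// Views are tested in order and the first match-clients that matches wins.
// Matching only "localhost", as the original sample did, sends every real
// LAN host to the public view. Once any view exists, every zone (including
// any hint or localhost zones already in named.conf) must sit inside a view.
view "lan_resolver" {
    match-clients { lan; };
    match-destinations { 127.0.0.1; 192.168.1.2; };   // inside interface only
    recursion yes;
    allow-recursion { lan; };                  // resolve for the LAN, nobody else

    zone "example.com" {
        type master;
        file "lan.example.com.zone";
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "lan.1.168.192.in-addr.arpa.zone";
    };
};

view "publicnet_resolver" {
    match-clients { any; };
    recursion no;                              // authoritative only: not an open resolver
    allow-query { any; };

    zone "example.com" {
        type master;
        file "public.example.com.zone";
    };
    zone "34.0.192.in-addr.arpa" {
        type master;
        file "public.34.0.192.in-addr.arpa.zone";
    };
};
```

Run named-checkconf on the file and named-checkzone example.com on each zone file before restarting named. Then query from both sides: dig @192.168.1.2 www.example.com from a LAN host should return 192.168.1.10, and dig @192.0.34.43 www.example.com from outside should return 192.0.34.166. One consequence of match-destinations: a LAN host that sends its query to the outside address lands in the public view and gets the public answer, so point internal resolvers at the inside address only.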
Dear Tim,
Is it necessary to use TSIG to select the appropriate view?
On Fri, 2007-04-06 at 13:46 +0800, edwardspl@ita.org.mo wrote:
Is it necessary to use TSIG to select the appropriate view?
I don't believe so. But what do you mean by *selecting* it? If you do a DNS query of your server from a private LAN address, you'll get the results intended for it. If you do a query from an external address you'll get the other results intended for them. You won't be able to see the opposite results for your connection.
Hello Tim,
Would you mind helping with the following?
For the view and (master / slave) problem... How to configure the DNS as follows: 1. Transfer the Master Internal Zone file to the Slave Internal Zone. 2. Transfer the Master External Zone file to the Slave External Zone.
PS: Due to the domain_name being the same for Internal / External!
On Fri, 2007-04-06 at 15:07 +0800, edwardspl@ita.org.mo wrote:
Would you mind helping with the following?
For the view and (master / slave) problem... How to configure the DNS as follows: 1. Transfer the Master Internal Zone file to the Slave Internal Zone. 2. Transfer the Master External Zone file to the Slave External Zone.
Umm, why would you be doing this? You hold DNS records as either a master or a slave, not both. And you can't have a slave server without a master server.
If you're simply changing a previously configured master server over to being a slave server of another master, you change your named config files so the "files" part for those zones is now a slave instead of a master type, you specify a filename with "slaves/" in front of it, and you specify the address for the master server(s). The slave server will fetch the zone records (the zone file) from the master server itself, and you can delete the previous master zone files from this server.
e.g. You'd change something like:
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "1.168.192.in-addr.arpa.zone";
    };
Over to something like:
    zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slaves/1.168.192.in-addr.arpa.zone";
        masters { 192.168.1.2; };
    };
But it does sound like you're mixing things up in ways that you shouldn't.
PS: Due to the domain_name being the same for Internal / External!
I don't see how "due" is an appropriate word in that sentence. Of course the domain name is the same, inside and out, if you're using views. That's the point of views.
Hello Tim,
There are two DNS server machines (Master and Slave). So, I need to configure the DNS (including the view function and Master / Slave) as follows (SURE):
1. Transfer the Master Internal Zone file to the Slave Internal Zone. 2. Transfer the Master External Zone file to the Slave External Zone.
Do you think it may be done the following way:
1. Transfer the Master Internal Zone file to the Slave External Zone. 2. Transfer the Master External Zone file to the Slave Internal Zone.
PS: The Internal Zone uses Private IPs (for clients), the External Zone uses Public IPs (for Internet servers), right?
On Fri, 2007-04-06 at 15:40 +0800, edwardspl@ita.org.mo wrote:
There are two DNS server machines (Master and Slave).
I think that if you're setting up slave servers using views, you *might* need to have two slave servers. A slave for the internal view inside the internal network, and a slave for the external view that is actually on the outside network. For what it's worth, I can't see any point in having a slave server for an external query *inside* the LAN, and vice versa - it couldn't be queried.
There's definitely no point in having an internal slave of the external master, and vice versa, they'd be giving you the wrong answers. The slaves wouldn't use views, either. Being inside or outside of the network prevents the opposite from querying it. A server using views is one that sits in the middle. It acts like two independent servers.
A general idea how DNS views would be used:
    The internet (with an external DNS slave server somewhere
          |      on it, completely remote from your network)
          |
          |   External network
          |
     /----+----\
     | modem/  |
     | router  |
     \-+--+--+-/
       |  |  |                     Internal network below here
       |  |  |
       |  |  |                        /------------------------\
       |  |  -------------------------+ router/firewall/switch |
       |  |                           \--+-----+-----+-----+---/
       |  |                              |     |     |     |
       |  |   /-------------------\      |     |     |     |    /----------\
       |  |   | Master DNS server |      |     |     |     |    | an       |
       |  |   | using views       |      |     |     |     -----+ internal |
       |  ----+ ext IP            |      |     |     |          | PC       |
       |      |           int IP  +------/     |     |          \----------/
       |      \-------------------/            |     |
       |                                       |     |    /-----------\
       |                                       |     -----+ internal  |
       |                                       |          | slave DNS |
       |                                       |          | server    |
       |   /-------------\                     |          \-----------/
       |   | external    |                     |
       |   | slave DNS   |                     |    /----------\
       |   | server with |                     -----+ internal |
       ----+ ext IP      |                          | PC       |
           \-------------/                          \----------/
Your external DNS servers (master and slave) aren't really a part of your LAN. They're isolated from it as much as possible. The modem/router (whether two separate devices, or an all-in-one) manages piping external addresses through to equipment with real external internet public IP addresses or through to internal addresses using NAT (it *needs* to be a configurable device). The DNS server using views, in the middle, provides different IP address answers to the same domain names, depending on which side the query comes from. You might also have the webserver on the same box, responding to connections to it from either side, not really caring which is which.
There's almost no point in having an external slave server within your own network, whichever side of the external/internal border it is. A slave is there to provide an alternative machine to answer queries; if your master is inaccessible to the WWW due to network issues, the slave will be, too. About its only value is testing and education.
NB: "ext" being an abbreviation for "external", likewise with "int" for "internal".
So, I need to configure the DNS (including the view function and Master / Slave) as follows (SURE): 1. Transfer the Master Internal Zone file to the Slave Internal Zone. 2. Transfer the Master External Zone file to the Slave External Zone.
When you set up a slave server, like the example I gave before, it gets the records it needs from its master, and acts as the slave, straight away (well, you do have to restart the slave DNS server, to get it to notice the changes to its configuration).
Do you think it may be done the following way:
1. Transfer the Master Internal Zone file to the Slave External Zone. 2. Transfer the Master External Zone file to the Slave Internal Zone.
You're setting yourself up for a headache...
PS: The Internal Zone uses Private IPs (for clients), the External Zone uses Public IPs (for Internet servers), right?
Yes, that's how views work.
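TSIG comes up twice in this thread: Edward asks whether it is needed to select a view, and later how a master with views feeds one internal and one external slave of the same zone name. The configuration below is an added example for this page, not from the thread or from Tim's servers. BIND selects a view by the TSIG key that signs a request when match-clients names that key, independent of the source address, which is what lets one master with two copies of example.com hand each slave the right one. Assumed: the key names lan-xfer and ext-xfer, an internal slave at 192.168.1.3, an external slave at 198.51.100.53, and the master's addresses 192.168.1.2 (int IP) and 192.0.34.43 (ext IP) from Tim's samples. The secret shown is a placeholder.

```conf
// Added example, not configuration from this thread. Three separate
// named.conf files are shown in one listing: master, internal slave,
// external slave. Key names, slave addresses and the placeholder secret
// "ZmFrZQ==" are assumptions; generate a distinct real secret per slave.

// ----- master: top level of named.conf, outside any view -----
acl "lan" { 127.0.0.0/8; 192.168.1.0/24; };   // assumed LAN

key "lan-xfer" {
    algorithm hmac-sha256;
    secret "ZmFrZQ==";           // placeholder
};
key "ext-xfer" {
    algorithm hmac-sha256;
    secret "ZmFrZQ==";           // placeholder; must differ from lan-xfer
};

// An address match list stops at the first element that matches, and a
// negated element rejects the request for this view. A request signed with
// ext-xfer therefore never reaches the LAN zone, whatever address it uses.
view "lan_resolver" {
    match-clients { !key "ext-xfer"; key "lan-xfer"; lan; };
    allow-transfer { key "lan-xfer"; };   // AXFR/IXFR only with the LAN key
    zone "example.com" {
        type master;
        file "lan.example.com.zone";
        also-notify { 192.168.1.3; };     // slaves absent from the NS set need this
    };
};

view "publicnet_resolver" {
    match-clients { key "ext-xfer"; any; };
    allow-transfer { key "ext-xfer"; };
    zone "example.com" {
        type master;
        file "public.example.com.zone";
        also-notify { 198.51.100.53; };
    };
};

// ----- internal slave (192.168.1.3): plain zones, no views -----
key "lan-xfer" {
    algorithm hmac-sha256;
    secret "ZmFrZQ==";           // same secret as on the master
};
zone "example.com" {
    type slave;
    file "slaves/lan.example.com.zone";
    masters { 192.168.1.2 key "lan-xfer"; };   // signs the SOA check and the transfer
    allow-transfer { none; };                  // the slave need not hand the zone on
};

// ----- external slave (198.51.100.53), off-site -----
key "ext-xfer" {
    algorithm hmac-sha256;
    secret "ZmFrZQ==";           // same secret as on the master
};
zone "example.com" {
    type slave;
    file "slaves/public.example.com.zone";
    masters { 192.0.34.43 key "ext-xfer"; };
    allow-notify { 192.0.34.43; };             // accept NOTIFY from the master's ext IP
    allow-transfer { none; };
};
```

Generate real secrets with tsig-keygen (BIND 9.11 onward; older releases used dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST), one per slave, and keep master and slave clocks within TSIG's five-minute window or signed requests are rejected with BADTIME. The key buys two things: each slave receives the intended view's copy of example.com regardless of which address its request arrives from, and a transfer request without the key is refused, so the internal zone cannot be pulled in bulk by anyone who can reach the inside interface. The NS records still come from the zone files: the external slave only gets queries from the Internet once the public zone lists it as an NS and the delegation at the registrar includes it.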
edwardspl@ita.org.mo wrote:
For the view and (master / slave) problem... How to configure the DNS as follows: 1. Transfer the Master Internal Zone file to the Slave Internal Zone. 2. Transfer the Master External Zone file to the Slave External Zone.
You may be confusing the roles of master/slave with the registered primary DNS server. The machine configured as 'primary' is the one where you will edit/change the zone values and the one(s) configured as slave(s) will pick these changes up automatically. This arrangement can be done for your convenience and it is not necessary to have a different master for your internal and external views. Pick one as the primary and make all your changes there. Slaves can be used as the external registered servers.
Hello to you,
Would you mind giving me a sample for reference?
Edward.