Setting up DNS; Internet and Intranet questions

Daniel B. Thurman dant at
Tue May 27 15:49:02 UTC 2008

Thomas Cameron wrote:
| On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
| > I have a setup as follows:
| > 
| > 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
| > 2) NAT->DNS(Internet)
| > 
| > Let's assume:
| > a) ISP provided static IP is:
| > b) Firewall allows access to DNS port 53
| > c) Intranet addresses are: 10.0.0.x
| > 
| > Q1: In setting up a DNS server for Internet,
| >     is it required that I set up a
| >     zone for 111.111.111.x addresses or can I
| >     use 10.0.0.x addresses since NAT is involved?
| > 
| >     What I am trying to understand here, am I required
| >     to set up separate DNS servers, one for Internet
| >     (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
| > 
| > The trouble that I am running into is that I am not able
| > to get reverse DNS to work even though I have PTR fields
| > defined but they are of 10.0.0.x addresses and I am not
| > seeing rDNS resolvers.
| Where is your DNS server?  Is it behind the firewall?

| Here's what I have:
| *) 1 Linux firewall connected to my ISP (public address) - 
| uses iptables
| with SNAT so the internal private network can get to the Internet.
| *) 2 machines inside the firewall running forward and reverse 
| and so on.  My internal network is called something like 
| "mynet.lan" so
| that it can never get confused with any outside DNS namespace.
| *) All machines inside the firewall look at the internal DNS server so
| that they can resolve correctly.  Any lookups for which the DNS server
| is not authoritative gets sent out through the firewall.
| This works flawlessly for me.

What is not clear is whether your DNS setup is using your private
IP addresses only - i.e., are you using your static public
IP addresses or are you using your private IP addresses or

I have a firewall appliance (SonicWall), so I am trying to
set up things using it and looking for a basic solution.

I tried, for example, using the same "" zone,
adding both public and private IP addresses, which I found
to be unmanageable, so I decided to drop the public IP
addresses in my "" zone, until I have a clear
understanding of the proper way of setting up a home-based
DNS server handling both public and private IP addresses. As
mentioned before, I had assumed that NAT can somehow handle
public/private IP address translation and if so, rDNS should
work assuming that the PTRs are properly defined even though
I am using only private IP addresses?

I have seen many different ways of setting up DNS servers,
the traditional way being to have two separate DNS servers,
one for the "outside (Internet)" and one for the "inside
(Intranet)". The Internet DNS server is usually placed on the
DMZ port of your firewall appliance, and the Intranet DNS
server is placed behind the firewall. This seems to be a
waste of hardware, especially for a home-based setup where
hardware costs are a little more expensive.

Any suggestions?
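An added example, not part of the thread or of either poster's setup: the two-server layout the post describes can be collapsed onto one BIND 9 host using views, which answer the same zone name with different records depending on who is asking. Two points the example depends on. First, NAT rewrites packet headers, not the addresses carried inside DNS answers, so a PTR record for a 10.0.0.x address can never satisfy an Internet host's reverse lookup of the public 111.111.111.x address; the 10.0.0.x PTRs only make sense for LAN clients. Second, reverse DNS for a public prefix is answered from the in-addr.arpa tree, which is delegated from the owner of the address block (here the ISP), so the external reverse zone below only works if the ISP delegates it to this server; otherwise the ISP has to publish the PTR itself. The zone name example.com and the 10.0.0.0/24 LAN are assumptions; 111.111.111.x is the placeholder prefix from the post.

```conf
// Added example: one named.conf serving an inside and an outside view.
// Assumptions (not from the thread): zone name example.com, LAN 10.0.0.0/24,
// public prefix 111.111.111.0/24, zone files under /var/named.

acl "internal" { 10.0.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { any; };
    allow-query { any; };        // narrowed per view below
};

// Inside view: only clients matching the "internal" ACL see these answers.
view "internal" {
    match-clients { internal; };
    recursion yes;               // LAN hosts may use this box as their resolver
    allow-recursion { internal; };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // A records carry 10.0.0.x
    };

    // Reverse zone for the private prefix. PTRs for 10.0.0.x live here and
    // are visible to LAN clients only; they have no meaning to the Internet.
    zone "0.0.10.in-addr.arpa" {
        type master;
        file "internal/0.0.10.in-addr.arpa.zone";
    };

    // Root hints so internal clients can resolve the rest of the Internet.
    zone "." {
        type hint;
        file "named.ca";
    };
};

// Outside view: everyone else, arriving through the firewall's port-53 rule.
view "external" {
    match-clients { any; };
    recursion no;                // never act as an open resolver to the Internet
    allow-recursion { none; };

    zone "example.com" {
        type master;
        file "external/example.com.zone";   // A records carry 111.111.111.x
    };

    // Reverse zone for the public prefix. Effective only if the ISP delegates
    // 111.111.111.in-addr.arpa (or the relevant part of it, e.g. by RFC 2317
    // classless delegation) to this server.
    zone "111.111.111.in-addr.arpa" {
        type master;
        file "external/111.111.111.in-addr.arpa.zone";
    };
};
```

The two example.com.zone files hold the same hostnames and differ only in the addresses, so there is no need to mix 10.0.0.x and 111.111.111.x records in one zone; the internal reverse zone holds lines like `10 IN PTR host.example.com.` for 10.0.0.10. Once a view is declared, BIND requires every zone (root hints included) to sit inside a view, which is why the hint zone appears in the internal view. Keeping `recursion no` in the external view matters because a recursive server reachable from the Internet through the port-53 rule can be abused for amplification. A separate private name such as the mynet.lan that Thomas uses works the same way: put that zone in the internal view only and keep example.com in the external one.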