Setting up DNS; Internet and Intranet questions
Daniel B. Thurman
dant at cdkkt.com
Tue May 27 15:49:02 UTC 2008
Thomas Cameron wrote:
| On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
| > I have a setup as follows:
| > 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
| > 2) NAT->DNS(Internet)
| > Let's assume:
| > a) ISP provided static IP is: 18.104.22.168
| > b) Firewall allows access to DNS port 53
| > c) Intranet addresses are: 10.0.0.x
| > Q1: In setting up a DNS server for Internet,
| > is it required that I set up mydomain.com
| > zone for 111.111.111.x addresses or can I
| > use 10.0.0.x addresses since NAT is involved?
| > What I am trying to understand here, am I required
| > to set up separate DNS servers, one for Internet
| > (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
| > The trouble that I am running into is that I am not able
| > to get reverse DNS to work even though I have PTR fields
| > defined but they are of 10.0.0.x addresses and I am not
| > seeing rDNS resolvers.
| Where is your DNS server? Is it behind the firewall?
| Here's what I have:
| *) 1 Linux firewall connected to my ISP (public address) - uses iptables
| with SNAT so the internal private network can get to the Internet.
| *) 2 machines inside the firewall running forward and reverse DNS, DHCP
| and so on. My internal network is called something like "mynet.lan" so
| that it can never get confused with any outside DNS namespace.
| *) All machines inside the firewall look at the internal DNS server so
| that they can resolve correctly. Any lookups for which the DNS server
| is not authoritative gets sent out through the firewall.
| This works flawlessly for me.
What is not clear is, is your DNS setup using your private
IP addresses only - i.e., are you using your static-public
IP addresses or are you using your private IP addresses or
I have a firewall-appliance (SonicWall), so I am trying to
set up things using it and looking for a basic solution.
I tried, for example, using the same "mydomain.com" zone,
adding both public and private IP addresses, which I found
to be unmanageable, so I decided to drop the public IP
addresses in my "mydomain.com" zone, until I have a clear
understanding of the proper way of setting up for a home-based
DNS server, handling both public and private IP addresses. As
mentioned before, I had assumed that NAT can somehow handle
public/private IP address translation and if so, rDNS should
work assuming that the PTRs are properly defined even though
I am using only private IP addresses?
I have seen many different ways of setting up DNS servers,
the traditional way being to have two separate DNS servers,
one for the "outside (Internet)" and one for the "inside
(Intranet)". The Internet DNS server is usually placed on the
DMZ port of your firewall-appliance, and the Intranet DNS
server is placed behind the firewall. This seems to be a
waste of hardware, especially for a home-based setup where
hardware costs are a little more expensive.
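A split-horizon ("views") configuration for the single-server setup this thread is circling around, added here as an example; it is not from the original post, from Thomas Cameron's setup, or from BIND's own documentation. It assumes BIND 9, the poster's zone name mydomain.com, the 10.0.0.0/24 intranet, the 18.104.22.168 placeholder the post uses for the public address, a hypothetical internal host "www" at 10.0.0.10, and that the one named instance runs on 10.0.0.2 behind the firewall with port 53 forwarded to it. The internal view carries the private A records and the 0.0.10.in-addr.arpa reverse zone that 10.0.0.x PTR records have to live in; the external view carries only the public address and no reverse zone at all, because reverse lookups for the public IP are answered from the in-addr.arpa delegation the ISP holds, not from this server, and 10.0.0.x PTRs must never be visible outside.

```conf
// ---- /etc/named.conf (added example, BIND 9 syntax; names/addresses are assumptions) ----
acl "intranet" { 10.0.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    // Recursion only for internal clients; the Internet gets authoritative answers only.
    allow-recursion { "intranet"; };
};

// Queries from 10.0.0.x (or the server itself) get the private-address data
// plus the reverse zone that makes 10.0.0.x PTR lookups work.
view "internal" {
    match-clients { "intranet"; };
    recursion yes;

    zone "mydomain.com" IN {
        type master;
        file "internal/mydomain.com.zone";          // A records point at 10.0.0.x
    };

    // Reverse zone for 10.0.0.0/24: the only place a 10.0.0.x PTR can be served from.
    zone "0.0.10.in-addr.arpa" IN {
        type master;
        file "internal/0.0.10.in-addr.arpa.zone";
    };
};

// Everyone else (arriving through the firewall's port-53 forward) sees only
// the public address. No 0.0.10.in-addr.arpa here: private addresses are
// unreachable from the Internet, and reverse for 18.104.22.168 is the ISP's.
view "external" {
    match-clients { any; };
    recursion no;

    zone "mydomain.com" IN {
        type master;
        file "external/mydomain.com.zone";          // A records point at 18.104.22.168
    };
};

// ---- /var/named/internal/mydomain.com.zone ----
$TTL 3600
@       IN  SOA ns1.mydomain.com. hostmaster.mydomain.com. (
                2008052701 ; serial (constructed)
                3600 900 604800 86400 )
        IN  NS  ns1.mydomain.com.
ns1     IN  A   10.0.0.2
www     IN  A   10.0.0.10

// ---- /var/named/internal/0.0.10.in-addr.arpa.zone ----
$TTL 3600
@       IN  SOA ns1.mydomain.com. hostmaster.mydomain.com. (
                2008052701 3600 900 604800 86400 )
        IN  NS  ns1.mydomain.com.
2       IN  PTR ns1.mydomain.com.
10      IN  PTR www.mydomain.com.

// ---- /var/named/external/mydomain.com.zone ----
$TTL 3600
@       IN  SOA ns1.mydomain.com. hostmaster.mydomain.com. (
                2008052701 3600 900 604800 86400 )
        IN  NS  ns1.mydomain.com.
ns1     IN  A   18.104.22.168
www     IN  A   18.104.22.168
```

From an intranet host, `dig -x 10.0.0.10 @10.0.0.2` should return the PTR from the internal view; the same query from the Internet side falls into the external view, which has no such zone. Run `named-checkconf` and `named-checkzone mydomain.com <file>` on each zone file before reloading, and bump the serial in whichever file changes, since the two copies of mydomain.com are maintained independently.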