Franck63
asked on
how to implement DDNS server on centos 6.4 with bind 9
Hello Experts,
After seeing the attention my previous question was getting I am rethinking my approach to the problem.
Needing help to setup an internal domain that is a subdomain of a public domain.
I would like the DNS to be dynamic.
I am puzzled by the implementation of the "ns1 / ns2" nameserver.
Does this setup require 2 different servers?
Does the server need a public IP or can they be private?
I am stumped. I need these requirements to be met very soon.
See my original post
ASKER
Hi Chris,
Thank you very much for the help.
Ok yes: (relating your statements)
I don't need two servers as NS.
The server needs to be accessible publicly, of course.
Yes my subdomain has to be public (then, can I have those pertinent records on my DDNS server?)
About the public IP being dynamic, I think that by implementing this RFC2136 Server Setup How-to I can accomplish it, am I wrong? (I will probably need pfsense then)
Since my subdomain is part of an already published domain, do I still need to go through a registrar?
Here is my tentative layout:
Now I've noticed that in your layout you have 2 different private LAN subnets, why?
Does this imply a DMZ or just a VLAN?
Now referring to RFC2136 Server Setup How-to
My named.conf (should look somewhat like this)
include "/etc/namedb/dns.keys.conf";
zone "int.mydomain.com" {
    type master;
    file "dynamic/int.mydomain.com";
    update-policy { grant *.int.mydomain.com. self int.mydomain.com. A AAAA; };
};
Then my int.mydomain.com zone file would be:
$ORIGIN .
$TTL 30 ; 30 seconds
int.mydomain.com IN SOA ns.int.mydomain.com. myemail.mydomain.com. (
    2013101603 ; serial (the original 20131016303 exceeds 32 bits and BIND rejects it)
    3600 ; refresh (1 hour)
    600 ; retry (10 minutes)
    2600 ; expire (43 minutes 20 seconds)
    30 ; minimum (30 seconds)
    )
    NS ns.int.mydomain.com.
    ; NS ns2.int.mydomain.com. // not required
Once this is validated I will need help for those specific files
Where are the problems?
Thanks again
Regards
Franck
Hey Franck,
RFC 2136 is just fine provided the server hosting mydomain.com supports it. The TLD owner (almost certainly) will not, so whatever hosts mydomain.com needs to be on a fixed IP. int.mydomain.com is flexible and not their problem (only yours :)).
> Since my subdomain is part of an already published domain do I still need to go through a registrar
No, not at all. You own mydomain.com, you have free reign over anything beneath that name.
> Now I've noticed that in your layout you have 2 different private lan subnet, why?
>
> Does this imply a DMZ or just VLAN
Damage / exposure limitation, or just good security practice. If you share a network (VLAN, or however you choose to describe it) with your internal services (AD, etc) you risk those should someone manage to compromise the web server.
Given the development usage you're proposing I'd recommend you isolate that (DMZ is a good enough term) from what needs to run to service the needs of your business. To make that effective you would also need to restrict traffic flow from the web environment to the rest.
Can I ask why you're splitting the int domain? Given that you have free reign it seems like an unnecessary complication which introduces name resolution limitations for anyone using the AD DNS servers. Instead I'd suggest a second sub-domain, using a second arbitrary label so you retain flexibility.
The zone file is fine, but a bit confusing. I would do this:
$TTL 30 ; 30 seconds
@ IN SOA ns1 myemail.mydomain.com. (
    2013101603 ; serial (the original 20131016303 exceeds 32 bits and BIND rejects it)
    3600 ; refresh (1 hour)
    600 ; retry (10 minutes)
    2419200 ; expire (4 weeks)
    30 ; minimum (30 seconds)
    )
    IN NS ns1
I'm using ns1 because NS is a record type and it just looks confusing to use that as both. That said, it is not illegal so feel free to change back. I've also squashed the Origin statement. The Origin will be inherited from named.conf, the zone name will be appended unless you terminate a name with a period (as you've done with myemail.mydomain.com.). You can override that with an ORIGIN statement later on if appropriate, but it shouldn't be a requirement. @ is shorthand for the origin.
If this DNS server is to be publicly accessible you need to update both the int.mydomain.com and mydomain.com (Glue) with an A record for the name server.
So when looking at the Setup How-To this entry needs to reference a public IP:
> Server: 192.0.2.5 (Or whatever the new IP is!)
Otherwise no one outside will be able to get at your server.
This also means that you should port forward TCP and UDP 53. TCP is used for zone transfers and if we hit a truncation limit on a normal UDP response, as such, allowing it is quite acceptable.
How are we getting on?
Chris
Before I forget, while dynamic update may work well for an update for mydomain.com it is likely to fail for int.mydomain.com.
Dynamic update requests are sent to the server advertised in the SOA record. As the address will be invalidated by the process (and therefore unable to receive any kind of dynamic update) you may find you actually want a simple text modification and zone reload to cope with the update to the local zone (int.mydomain.com).
Any use of NAT also complicates a dynamic update request for the int.mydomain.com zone, the SOA will advertise the firewall as the destination, but attempting a loop through the firewall like that will break IP communication.
You can, perhaps, circumvent this problem if the name and internal address for the SOA (int.mydomain.com) is added to the hosts file on the system sending the update. This applies even if that update is going to itself.
Chris
ASKER
Hi Chris,
Thanks again for taking the time to help it is greatly appreciated.
I think we're on the right track (even though I have more questions).
(Relating to your post)(Please correct me If I'm wrong)
In paragraph 1 if I paraphrase, you are telling me it will work since my subdomain is already part of a TLD.
In p2, great I was hoping for this answer.
In p3-4 (unless I misunderstand), it is not my intention to have any computer on a DMZ. I would rather keep everything isolated and port forward what I need.
In p5, to answer your question: I will be providing RDP from AD and other services (but then again they might be through VPN, which would probably make even more sense in regards to your proposition).
In p5 again, would your proposition allow me to implement such sub domains as cust1.mydomain.com and so on, while keeping DNS management to its minimum?
In p6, "ns1" I agree (I also prefer clarity and readability). Ok about the ORIGIN statement.
In p7, your statement raises again my minimal management issue! How much will I need to create and maintain DNS records at my public host? I would rather just add one single A (glue) record.
In p8, about the IP and port forward, yes I understand.
(Relating to your following post)
Now here I'm a little confused
As to dynamic updates, since my aim is to implement this solution. am I not correct to assume pfsense will be able to update or am I misunderstanding something?
In the pfsense solution both the DNS and the RFC2136 client are running on pfsense.
In my setup I would prefer to run the DNS on my linux webserver and adjust the pfsense
RFC2136 client to use the linux DNS. (Does this make sense?)
So while this solution is progressing I will try to implement a solution!
I will report back my progress and questions.
P.S. What is the most comprehensive tool for DNS testing and proofing?
Looking forward to your explanations. Thanks again
Best Regards
Franck
> In paragraph 1 if I paraphrase, you are telling me it will work since my subdomain
> is already part of a TLD.
The Top Level Domain is .com, so if you needed to continually change the IP addresses associated with ns1.mydomain.com (as opposed to the sub-domain) you would need a TLD that supported Dynamic Update. I don't know of any that will.
However, that's not a problem if mydomain.com is quite happily working somewhere.
> In p3-4, (unless I misunderstand It is not my intention to have any computer on DMZ I
> would rather keep everything isolated and port forward what I need.
No problem. I would always isolate one from the other because it is entirely possible to compromise a server through a bug in a web-application (let's, for the sake of argument, say a site is open to SQL injection). Once inside, techniques like DNS tunnelling can be used to create a path back out to allow either data to leave, or a trojan horse to enter.
There's no reason that must happen, but there are risks associated with exposing anything and as long as you're comfortable with those all is well. You'd have to go to quite extreme lengths to avoid any kind of risk (in the region of just turning the server off :)).
> cust1.mydomain.com and so on, while
If you're doing it this way you must create a new delegation for each new sub-domain on the parent server (mydomain.com).
An alternative would be to add another label such that you have:
Main public domain: mydomain.com
Delegated sub-domain: dev.mydomain.com
Customer specific name: cust1.dev.mydomain.com
This way you add one delegation for int.mydomain.com (whether you end up using that or another sub-domain). Everything else is done on your internal DNS server, the server hosting int.mydomain.com.
Alternatively CNAME records may be used:
cust1.mydomain.com. IN CNAME dev1.int.mydomain.com.
You'd be visiting mydomain.com to create each CNAME, but you only have one record to maintain beyond initial set-up.
Hopefully those options make sense.
Okay, let's take a deeper look at our DNS update requirements. We have two domains which need a record update. We'll address those by following the hierarchy:
mydomain.com
pfsense can send an update here as long as mydomain.com supports that. However, we need to change *something* here to have a delegation from this zone to a DNS server on a dynamic range.
; An SOA with some fabricated unrealistic values.
@ IN SOA ns1 email ( 2013101701 1 1 1 1 )
    IN NS ns1
    IN NS ns2
ns1 IN A 1.2.3.4
ns2 IN A 1.2.3.5
; Let's simplify conversations about Glue and give
; the name server we delegate "int" to a name here.
; I recommend you use a name like this (feel free to
; change the label name).
;
; We need a low TTL here to cope with changes. I've gone with 5 minutes.
ns3 300 IN A 7.6.5.4
; And now create the delegation
int IN NS ns3
; The name ns3 is arbitrary, so we could do this instead (shown commented out,
; use one variant or the other):
; devsvr IN A 7.6.5.4
; And now create the delegation
; int IN NS devsvr
The IP for the server we're delegating to changes, therefore we need to be able to send a dynamic update to this zone to change that. This really is the critical one, once we're inside and have absolute control of a server life is easier.
Now we have the int zone, as a sub-domain of mydomain.com:
; An SOA with some fabricated unrealistic values.
@ IN SOA ns3.mydomain.com. email.mydomain.com. ( 2013101701 1 1 1 1 )
; Fully qualified: a bare "ns3" in this zone would expand to ns3.int.mydomain.com
    IN NS ns3.mydomain.com.
; We need to be able to change this too
devsvr IN A 7.6.5.4
; Alternatively we could CNAME it (just not at the same time as the record above,
; so it is commented out here)
; devsvr IN CNAME ns3.mydomain.com.
; But we can do what we please with these
cust1 IN CNAME devsvr
cust2 IN CNAME devsvr
cust3 IN CNAME devsvr
cust4 IN CNAME devsvr
; Or we could use ns3 directly here
cust5 IN CNAME ns3.mydomain.com.
cust6 IN CNAME ns3.mydomain.com.
; We cannot do this however, it's out of zone data (commented out so the file still loads):
; cust6.mydomain.com. IN A 7.6.5.4
So the critical part is getting that dynamic update back to the name server for mydomain.com. Once you've done that you can drag requests back to your main name server and do whatever you need.
pfsense will have trouble updating the int zone. But we don't necessarily need to do anything there anyway if we use CNAME records referencing the A record in the parent zone.
Hopefully I haven't managed to contradict myself :)
Cheers,
Chris
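The critical step described above, the signed RFC 2136 update that pfSense sends to the parent zone's server to repoint the ns3 A record, built at the wire level as an added example (not code from the thread or from pfSense). The zone and host names, the 203.0.113.9 address and the key are constructed; the update is the usual delete-all-A-then-add pair an nsupdate-style client sends, and the default algorithm is HMAC-MD5, the key type nsupdate-style keys of that era used, with HMAC-SHA256 also available.

```python
"""Wire-level RFC 2136 UPDATE carrying a TSIG signature (RFC 2845): what the pfSense
RFC 2136 client sends to ns1.domain.com to repoint ns3.domain.com at the new WAN
address.  Zone, host names, the 203.0.113.9 address and the key are constructed."""
import base64
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHMS = {  # TSIG algorithm name (RFC 2845 / RFC 4635) -> hash function
    "hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),
    "hmac-sha256": ("hmac-sha256.", hashlib.sha256),
}
SECRET_B64 = base64.b64encode(b"constructed-demo-key-not-a-real-one").decode()
OTHER_SECRET_B64 = base64.b64encode(b"some-other-constructed-key").decode()

def encode_name(name):
    """RFC 1035 wire-format name, uncompressed (TSIG is computed over canonical names)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def encode_rr(name, rtype, rclass, ttl, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def parse_header(msg):
    """(ID, flags, ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT) from the 12-byte header."""
    return struct.unpack("!HHHHHH", msg[:12])

def build_update(zone, host, ipv4, ttl=300, msg_id=0x1234):
    """Unsigned UPDATE: delete every A record at host, then add host A ipv4 (RFC 2136 2.5)."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 2, 0)   # opcode 5 = UPDATE, no flags
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_a = encode_rr(host, TYPE_A, CLASS_ANY, 0)                # class ANY + TTL 0 = delete RRset
    add_a = encode_rr(host, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in ipv4.split(".")))
    return header + zone_section + delete_a + add_a

def _tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC in addition to the message itself (RFC 2845 3.4.2)."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg_name) + time_signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret_b64, algorithm="hmac-md5", now=None, fudge=300):
    """Append a TSIG RR to an unsigned message; returns (signed message, mac)."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    time_signed = (int(time.time()) if now is None else now).to_bytes(6, "big")
    to_sign = msg + _tsig_variables(key_name, alg_name, time_signed, fudge)
    mac = hmac.new(base64.b64decode(secret_b64), to_sign, digestmod).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(alg_name) + time_signed + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))             # error 0, no other data
    arcount = struct.unpack("!H", msg[10:12])[0] + 1                # TSIG RR is counted in ARCOUNT
    signed = msg[:10] + struct.pack("!H", arcount) + msg[12:]
    return signed + encode_rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata), mac

def _read_name(buf, pos):
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
        pos += 1 + buf[pos]
    return ".".join(labels) + ".", pos + 1

def _skip_rr(buf, pos):
    _, pos = _read_name(buf, pos)
    return pos + 10 + struct.unpack("!H", buf[pos + 8:pos + 10])[0]

def tsig_verify(signed, secret_b64, algorithm="hmac-md5"):
    """Server side (RFC 2845 4.5): locate the trailing TSIG RR, rebuild the message as it
    looked before signing (ARCOUNT - 1, TSIG removed), recompute the MAC and compare it in
    constant time.  A real server also rejects |now - time signed| > fudge; omitted here."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    _, _, zocount, prcount, upcount, adcount = parse_header(signed)
    pos = 12
    for _ in range(zocount):
        pos = _read_name(signed, pos)[1] + 4                        # ZTYPE + ZCLASS
    for _ in range(prcount + upcount + adcount - 1):
        pos = _skip_rr(signed, pos)
    tsig_start = pos
    key_name, pos = _read_name(signed, pos)
    rtype = struct.unpack("!H", signed[pos:pos + 2])[0]
    alg, pos = _read_name(signed, pos + 10)                          # skip type/class/ttl/rdlen
    time_signed, (fudge, mac_size) = signed[pos:pos + 6], struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_size]
    pos += 10 + mac_size
    _, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    if rtype != TYPE_TSIG or alg.lower() != alg_name:
        return False
    unsigned = signed[:10] + struct.pack("!H", adcount - 1) + signed[12:tsig_start]
    to_sign = unsigned + _tsig_variables(key_name, alg_name, time_signed, fudge, error, other)
    expected = hmac.new(base64.b64decode(secret_b64), to_sign, digestmod).digest()
    return hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    update = build_update("domain.com", "ns3.domain.com", "203.0.113.9")
    signed, _ = tsig_sign(update, "ns3.domain.com", SECRET_B64)
    print(signed.hex(), "verifies:", tsig_verify(signed, SECRET_B64))
```

Whoever can reach UDP/TCP 53 on the parent server can send such a message; the only thing that makes the server accept it is the MAC, which is why the key belongs only on pfSense and in the server's key file.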
ASKER
Hey Chris,
I'm still on it!
I understand what you're saying, but if you could be a little more specific it would help.
I must say though this is my first DNS attempt and I find it very difficult.
I have more questions if you don't mind.
What are the names of those files? Are they both "named.conf", one for pfsense and one for my devserver?
I would prefer not to have any DNS services other than the rfc-2136 (dns updater) on the pfsense machine.
Am I making any sense?
I have yet to get my DNS server, on ISPconfig, working!
I don't understand the part where I need to dynamically update mydomain.com.
Could I not pass this update to my ISP instead of the mydomain host?
From this reading I was hoping this thing would not be that encompassing.
I understand I am also a bit high level with my communication.
Is there any way we could tackle this differently and still get your points value and then some?
Your help is very much appreciated and I'm looking forward to your answer
Best regards
Franck
Good morning Franck,
I have a new diagram for you first. I'm hoping this helps clarify a little, perhaps I've misunderstood something in your intent so yell if any of the diagram is significantly wrong.
I've included the file names in those so you can link those up to anything you have already (named.conf does not include the keys configuration, that's assumed to be present). The examples I've used to date have been zone files.
Presumably your ISP is hosting the mydomain.com / domain.com system for you? If so, that's where the update needs to go from PFSense. In that sense, we may simply be talking cross purposes.
Adding the PFSense configuration to that we "should" have something like this:
Services > Dynamic DNS, RFC 2136 tab
Enable: Checked
Interface: WAN
Hostname: ns3.domain.com
TTL: 30
Key Name: ns3.domain.com
Key Type: Host
Key: Secret key from above
Server: ns1.domain.com
Protocol: Unchecked
Description: My DynDNS Entry
The ns3 name is arbitrary, you could make that anything you like. The Server entry may need to be an IP address. The goal is to get the dynamic update to a willing server so we can change the record on ns1.domain.com (the ISP). Normally updates would be sent to the server listed in the SOA record, it holds the only writeable copy of a zone.
Finally, when reviewing this configuration it's important to understand how names in sub.domain.com will be resolved. The following process is used by a resolver:
1. Client requests record.sub.domain.com from its local resolver.
2. Local resolver queries root hints (responsible for ".").
3. Root hints respond with "ask the TLD (Top Level Domain) holder, .com".
4. Local resolver queries servers responsible for .com.
5. .com servers respond with "ask ns1 or ns2.domain.com".
6. Local resolver queries ns1 or ns2.domain.com
7. ns1 or ns2 respond with "ask ns3.domain.com" (for record.sub.domain.com).
8. Local resolver queries ns3.domain.com
9. ns3.domain.com (hopefully) returns a valid answer for record.sub.domain.com.
Part or all of the queries above may be cached by the resolver (based on the TTL values for each). I wouldn't expect a resolver to do every single one of those steps every time.
I suspect our time zones are quite a long way out (London for me), which is adding quite a lot of latency into our conversation. I'm afraid there's not much of a way around that. Taking the conversation out of EE is against the rules, but it's unlikely to do much without being able to fix the time zone. I certainly appreciate your frustration though, it's one of those that really benefits from an hour in a meeting room with a white board to jot ideas on :)
Chris
ASKER
Hey Chris, Thanks for the reply, I will study carefully.
Now, I just noticed. I have a very basic problem!
I can't ping "google.com" anymore (don't know since when)
Have a look at this thread. What can I do with this ?
Thanks for the subdomain resolution clarification I get it.
How do the dynamic updates work?
Yes my time zone is EST-5 so nothing you can do there. I am the one being slow to reply, :(
Looking forward to your reply.
Thanks again
Best Regards
Franck
You've still got name resolution so something is still flowing.
Perhaps try:
telnet www.google.com 80
It should fail (to correspond with the timeout message), but it's not guaranteed.
If it does time out you need to head to the next hop (pfsense?). Can you try anything from there? Does it implement any firewall rules? How about network address translation?
I'm not overly familiar with pfsense so it's difficult for me to give you any targeted advice, but it's the area I'd be intent on studying if I had the problem.
Chris
ASKER
Hey Chris,
I have modified my approach.
I am leaving aside the Dynamic DNS for now.
Here is where I stand.
I need to setup my subdomain.
I have implemented DynDNS to fix my dynamic public address issue.
I have made proper redirection with my public host with a CNAME record.
I can now ping my internal domain name.
The setup for my ISPconfig Server and DNS is like this.
Server:
IP: 192.168.1.5 / 255.255.255.0
Gateway: 192.168.1.1
hostname is webserver1.sub.myhosteddomain.com
DNS Zone (SOA): ns1.sub.myhosteddomain.com
DNS Zone records:
A sub.myhosteddomain.com 192.168.1.5
A mail 192.168.1.5
A www 192.168.1.5
MX sub.myhosteddomain.com mail.sub.myhosteddomain.com.
NS sub.myhosteddomain.com ns2.sub.myhosteddomain.com.
NS sub.myhosteddomain.com ns1.sub.myhosteddomain.com.
Problems:
When I nslookup my LAN my internal domain it displays the ip of my Windows PDC. ???
When I nslookup the WAN I get
Non-authoritative answer:
sub.myhosteddomain.com canonical name = sub777.DynDNS.org.
Name: sub777.DynDNS.org
Address: 204.12.27.11 (my router WAN ip)
So something is working!
If I try to nslookup my webserver1.sub.myhosteddomain.com or my winpdc.sub.myhosteddomain.com
I get nothing and an error: namerror.
Any suggestion or advice would help greatly.
Best Regards
Franck
> When I nslookup my LAN my internal domain it displays the ip of my Windows PDC. ???
I may be misinterpreting this, but a few posts ago I made the recommendation that you used different sub-domains for each fragment of your network. This is why :)
If the Windows DNS (or BIND, both have to do the same thing) server has a zone called sub.myhosteddomain.com it will not look elsewhere for answers about the zone. This is because it is a name server for the zone and knows the start of authority, it knows everything.
In addition to this, MS AD places some pretty heavy requirements on DNS. Records like sub.myhosteddomain.com (A) must be owned by Active Directory and cannot be changed to something else.
What Forward Lookup Zones do you have configured on the MS DNS server?
If you don't have a zone for sub.myhosteddomain.com on the server please can you run this and show me the output (sanitising where required):
nslookup -q=a -nosearch -d sub.myhosteddomain.com
> So something is working!
That on the other hand is fantastic news :)
Chris
ASKER
Hey Chris,
Sorry for my late response. I was caught up on other problems.
So many questions!
I will try to be as specific and explicit as possible, if you find anything I say to be ambiguous please yell at me :|
In response to your last post.
Yes I went with two internal domains
One, the AD, is called winad; the other one, the Bind DNS through ISPConfig3, is called web.
Not sure I clearly understand what you mean when you speak about MS AD, but maybe the fact that I'm using two zones on two different nameservers is simplifying my setup (I hope :)
Then again I understand some of the implications of the Win AD related to my ISPConfig/Bind setup ... ... I understand that at some point I will need to have a DNS forward condition so my internal computer can access that "web" domain. Am I correct?
Also, am I mistaken? If I was to forget about the fact that my router is getting a dynamic ip vs static, I should at least be able to get this working for a little while, then I could address this as a separate issue.
Here is the state of my setup.
Relating to my WinPDC installed services and configuration I have:
DHCP / DNS / AD
My forward zones are winad.mypublicsite.com & _msdcs.winad.mypublicsite.com
I also have the associated reverse zone.
My name server is winpdc.winad.mypublicsite.com
Relating to My ISPConfig/BIND installed services and configuration I have:
DNS / Webserver
Forward zone is web.mypublicsite.com / nameserver: webserver1.web.mypublicsite.com
the zone file: (real ip's)
$TTL 3600
@ IN SOA webserver1.web.mypublicsite.com. hostmaster.mypublicsite.com. (
2013102901 ; serial, todays date + todays serial #
7200 ; refresh, seconds
540 ; retry, seconds
604800 ; expire, seconds
86400 ) ; minimum, seconds
;
mail 3600 A 192.168.1.5
web.mypublicsite.com. 3600 A 192.168.1.5
web.mypublicsite.com. 3600 MX 10 mail.web.mypublicsite.com.
web.mypublicsite.com. 3600 NS webserver1.web.mypublicsite.com.
web.mypublicsite.com. 3600 NS webserver2.web.mypublicsite.com.
www 3600 A 192.168.1.5
Now how does this look like to you? Any errors? Anything missing.?
Do those internal IP's make sense?
When I use "dig -any" on "web.mypublicsite.com"
All I get is this!!!!
web.mypublicsite.com@8.8.4.4 (Default):
web.mypublicsite.com. 1440 IN CNAME mypublicsite.dyndns.org.
When I use a dig (any) on "winad.mypublicsite.com" I get about the same!
So something is wrong!????
I should mention that my ISPConfig/DNS is not integrated with AD
PFSense is not integrated with AD or registered with my ISPConfig/DNS; it does not have any DNS forwarders. ?????
I have no forwarders in AD.
DHCP is not relayed to anything.
I created a CNAME record at mypublicsite.com to point back to my web.mydomain.com
I'm puzzled! What am I missing???
I want to get over this ASAP.
Again I thank you very much for your guidance and counseling it is well appreciated.
I appreciate you cheering me up... I guess we all have to start somewhere! I hope I am getting closer and not being a pain!
Best Regards
Franck
Morning Franck,
> One the AD is called winad the other one the Bind DNS throught ISPConfig3 is called web.
Good that immediately rules out the problem I highlighted above :)
> I understand that at some point I will need to have a DNS forward condition so my
> internal computer can access that "web" domain. Am I correct?
Yes, especially if web and winad share the same network segment; the public delegation, if configured, would not work in that scenario (bad return path if traffic is subject to NAT).
> So something is wrong!????
Check for the delegation with:
dig web.mypublicsite.com ns
If that doesn't exist then nothing on your internal server can be referenced (without the conditional forwarder on winad).
I suspect you have a wildcard record in the zone, try:
dig madeup.mypublicsite.com any
If you get the same CNAME response then you do. That'll explain resolution for anything not explicitly created.
Cheers,
Chris
ASKER
Good day Chris,
>dig web.mypublicsite.com ns gives
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
web.mypublicsite.com. 678 IN CNAME mypublicsite.dyndns.org.
dig madeup.mypublicsite.com any gives
nothing
Are those results showing proper resolution and no wildcard?
Also, if on one of my internal computers I try to access web.mypublicsite.com,
pfsense returns an https page saying "potential DNS rebind attack" !!??
Cheers
Franck
Yep, that's all normal resolution.
But that's okay, we don't have a delegation at the moment, but you also cannot delegate to a CNAME (http://tools.ietf.org/html/rfc2181#section-10, 10.3). That is, you cannot do this:
web.mypublicsite.com. IN NS web.mypublicsite.com.
web.mypublicsite.com. IN CNAME mypublicsite.dyndns.org.
But you can, potentially, do this to reference your internal DNS server:
web.mypublicsite.com. IN NS mypublicsite.dyndns.org.
As long as mypublicsite.dyndns.org is an A record.
The Rebind attack is described here:
https://doc.pfsense.org/index.php/DNS_Rebinding_Protections
It looks like pfsense is using TCP/443 as the administration port, you're trying to access pfsense using a name it doesn't recognise so it says no.
I've never used PfSense so I can't really tell you how to get it to handle the inbound traffic properly I'm afraid.
Chris
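As an added illustration (my own code, not Chris's or Franck's), here is a small Python checker for the two rules this reply relies on: a CNAME cannot share an owner name with other records, and an NS or MX target must not be a CNAME (RFC 2181 section 10.3). It is run over constructed records that mirror the thread's situation, and it also flags the in-zone NS targets of the web.mypublicsite.com zone file posted above that have no A record; the record format is simplified (no TTL column) and 203.0.113.10 is a placeholder address.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): "web" carries both a CNAME and an
# NS, and the internal zone's own NS target has no A record.
BROKEN_RECORDS = """
web.mypublicsite.com.       IN CNAME mypublicsite.dyndns.org.
web.mypublicsite.com.       IN NS    web.mypublicsite.com.
web.mypublicsite.com.       IN NS    webserver1.web.mypublicsite.com.
web.mypublicsite.com.       IN MX    10 mail.web.mypublicsite.com.
mail.web.mypublicsite.com.  IN A     192.168.1.5
mypublicsite.dyndns.org.    IN A     203.0.113.10   ; placeholder public IP
"""

# The shape suggested in the reply: delegate to a name that is an A record.
FIXED_RECORDS = """
web.mypublicsite.com.       IN NS    mypublicsite.dyndns.org.
mypublicsite.dyndns.org.    IN A     203.0.113.10   ; placeholder public IP
"""


def parse_records(text):
    """Parse simplified 'owner IN TYPE rdata' lines (no TTL column) into
    a dict mapping owner name -> list of (type, rdata)."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _, rtype, rdata = re.split(r"\s+", line, maxsplit=3)
        records[owner.lower()].append((rtype.upper(), rdata.lower()))
    return records


def check_delegations(records):
    """Return problems: CNAME mixed with other types (RFC 1034 3.6.2),
    NS/MX pointing at a CNAME (RFC 2181 10.3), in-zone NS with no glue A."""
    problems = []
    for owner, rrs in records.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(rrs) > 1:
            problems.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})}")
        for rtype, rdata in rrs:
            if rtype not in ("NS", "MX"):
                continue
            target = rdata.split()[-1]  # MX rdata is "<preference> <host>"
            target_types = {t for t, _ in records.get(target, [])}
            if "CNAME" in target_types:
                problems.append(f"{owner}: {rtype} target {target} is a CNAME")
            elif rtype == "NS" and target.endswith("." + owner) and "A" not in target_types:
                problems.append(f"{owner}: NS target {target} has no A record (no glue)")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RECORDS), ("fixed", FIXED_RECORDS)):
        print(label, check_delegations(parse_records(text)) or "no problems found")
```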
ASKER
Chris,
What do you mean we do not have delegation.
We cannot delegate to a cname ! are you talking about my cname record at mypublicsite.com?
My dyndns record is an a record.
Yes I get it with the DNS_rebind from pfsense I am investigating a solution
Franck
ASKER
Also do I need to register create an A record in my BIND DNS for pfsense
Apologies for the late reply, busy few days.
> We cannot delegate to a cname ! are you talking about my cname
> record at mypublicsite.com?
Yes, that's right. It only matters if you wish your web.mypublicsite.com DNS server to be accessible from outside your network.
> Also do I need to register create an A record in my BIND DNS for pfsense
I can't think of a reason you would need to so I'm inclined to say no.
How is everything at the moment? Any closer to working? :)
Chris
ASKER
Hey Chris,
I was able to fix my rebind problem by adding a dns forwarder in pfsense.
Not sure if it is the best or right way to do it though.
Furthermore, and probably related to the fact that I don't have an A or NS record redirect!
I can access my web server internally but not from the outside!
> But you can, potentially, do this to reference your internal DNS server:
> web.mypublicsite.com. IN NS mypublicsite.dyndns.org.
How and what service (free if possible) could I use to do that?
Regards
Franck
ASKER CERTIFIED SOLUTION
ASKER
Hello Chris,
Sorry for the late response.
I am very happy to say that my solution is working!
Thank you very much for your awesome help insights and counseling.
Hope to speak again.
Best Regards
Franck
Fantastic, I'm really glad to hear it.
All the best,
Chris
The public domain does, most registrars insist on a minimum of two (ideally geographically dispersed). In my case, I have one of my own (a VPS) and several slaves provided by my VPS host.
> Does the server need public ip or can they be private
It depends what you mean here.
The server itself does not need a public IP, but if it is serving a public zone it must be reachable on a public IP (and any A records used with NS records within the zone must reference that public IP). For small-scale DNS services I'd expect to find behind NAT.
If the domain (and / or sub-domain) is purely private it does not need to have any public addressing at all.
That may look like this:
In BIND that may look something like this:
If sub-domain must be publicly accessible then you'll need public IP addressing for all pertinent records.
Okay, so looping back to the other thread you have this comment:
> 2- Considering that my router’s public ip is dynamic
You cannot run a public-facing DNS service for domain.com in this scenario. You can run sub.domain.com; provided you understand that resolution will break if the external IP changes.
Can you scribble down how you'd lay it out? I haven't read all of the threads you've attached so I may have missed it.
Cheers,
Chris