Internal DNS machine

Posted on 2006-11-08
Last Modified: 2011-04-14
I want to setup a DNS machine for my internal network, so that it will be able to find internal stuff on our networks, 192.16.1.0 and 192.168.2.0 as well as be able to use the ISPs DNS servers for external.  How would I do that?
Question by:iceman19330
25 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 17900621
Since you didn't bother to specify your platform or DNS server software or versions or much of anything else, this response is going to be fairly generic.

Simply configure your DNS server as authoritative for your Zone(s). Point your internal hosts to your DNS server. When they ask for an FQDN in your Zone(s), your server considers itself authoritative for your Zone(s) and will answer without trying to refer the query elsewhere.

When your internal hosts ask for an FQDN that is not in your Zone, it will refer to whatever resolution information it's been given to determine where to refer the query.
 
LVL 43

Expert Comment

by:ravenpl
ID: 17900625
I suggest you set up some DNS proxy with cache. Personally I use: http://www.phys.uu.nl/~rombouts/pdnsd/index.html
There's pretty good documentation on how to use it.
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 200 total points
ID: 17901729
I do much what you want to (2 LANs, DNS authoritative for them, all other queries to ISP, no downloading of zone files). This is my /etc/named.conf:

acl "locals" { 10.255.255.0/24; 192.168.0.0/24; 127.0.0.0/8; };   // the two LANs plus loopback
options {
  directory "/var/named";
  forward only;                                  // never walk the root servers ourselves
  forwarders { 198.142.0.51; 203.2.75.132; };    // ISP resolvers get everything we are not authoritative for
  allow-transfer { none; };
  allow-query { "locals"; };                     // nobody outside the LANs may query at all
  allow-recursion { "locals"; };
};

zone "mshome.net" IN {
  type master;
  file "mshome.net";
  forwarders { };                                // empty list: answer from the zone file, never forward
  allow-query { "locals"; };
  allow-transfer { "locals"; };
  allow-update { 192.168.0.120; };               // the one host allowed to send dynamic updates
};
zone "0.168.192.in-addr.arpa" IN {              // reverse zone for 192.168.0.0/24
  type master;
  file "ten.emohsm";
  forwarders { };
  allow-query { "locals"; };
  allow-transfer { "locals"; };
  allow-update { 192.168.0.120; };
};
zone "local.net" IN {
  type master;
  file "local.net";
  forwarders { };
  allow-query { "locals"; };
};
zone "255.255.10.in-addr.arpa" IN {             // reverse zone for 10.255.255.0/24
  type master;
  file "ten.lacol";
  forwarders { };
  allow-query { "locals"; };
};

mshome.net uses dynamic addresses served from the system running DNS; local.net has static addresses. Hope that gives you some pointers.
 
LVL 9

Expert Comment

by:FixingStuff
ID: 17904429
You may want to check out VIEWS in BIND 9.  It allows you to resolve to internal IPs for requests from the LAN (or any specified subnet) and resolve to external IPs for requests from outside your network for the same zone.  This works great if you want to use the same FQDN from inside and outside.
FS-
 

Author Comment

by:iceman19330
ID: 17906220
Ahhh, yes, I knew I was forgetting something.

Fedora Core 5, BIND 9.
 
LVL 34

Expert Comment

by:PsiCop
ID: 17908206
Yes, the BIND 9 Views feature may be the best way to set this up with that product. What duncan_roe suggests will work, but is a bit of a kludge. Views reduce the kludge factor.
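As an added example, not from any poster in this thread: a named.conf that sets up the split PsiCop and FixingStuff describe with BIND 9 views, so LAN clients get internal answers and have everything else forwarded to the ISP while anyone else gets only the public copy of the zone and no recursion. It assumes the asker's two LANs are 192.168.1.0/24 and 192.168.2.0/24, an internal domain example.com, and ISP resolvers at placeholder addresses; the zone file names are assumptions too.

```bind
// Added example, not from any poster on this thread. Domain name, file names
// and forwarder addresses are assumptions; replace them with your own.

acl "locals" {
    192.168.1.0/24;                // assumed first LAN
    192.168.2.0/24;                // assumed second LAN
    127.0.0.0/8;
};

options {
    directory "/var/named";
    allow-transfer { none; };      // no zone transfers unless a zone says otherwise
    version "not disclosed";       // keep the version out of CHAOS TXT queries
};

// Clients matched by an earlier view never fall through to a later one,
// so the internal view must come first. Once views are used, every zone
// must live inside a view.
view "internal" {
    match-clients { "locals"; };
    recursion yes;
    allow-recursion { "locals"; };

    // Anything we are not authoritative for goes to the ISP's resolvers.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholders (TEST-NET-1); use your ISP's addresses

    zone "example.com" IN {
        type master;
        file "db.example.com.internal";       // private addresses for www, mail, ...
        forwarders { };                       // empty list: answer locally, never forward
        allow-update { none; };
    };
    zone "1.168.192.in-addr.arpa" IN {       // reverse zone for 192.168.1.0/24
        type master;
        file "db.192.168.1";
        forwarders { };
    };
    zone "2.168.192.in-addr.arpa" IN {       // reverse zone for 192.168.2.0/24
        type master;
        file "db.192.168.2";
        forwarders { };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // never act as an open resolver for the Internet

    zone "example.com" IN {
        type master;
        file "db.example.com.external";       // public addresses only
        allow-update { none; };
    };
};
```

If the ISP's servers stay authoritative for the domain on the Internet and this machine is never reachable from outside, the external view can be dropped entirely: a client that matches no view gets REFUSED. Keeping it only makes sense if the same server will one day answer public queries too, and then the public copy must agree with what the ISP publishes.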
 
LVL 3

Expert Comment

by:bryanlloydharris
ID: 17909188
1. Install Slackware from disk 1 and disk 2 of the Slackware set, using the default options and a full install
2. Log in as root
3. Type "chmod 755 /etc/rc.d/rc.bind"
4. Type "/etc/rc.d/rc.bind start"
5. Edit /etc/named.conf and add this at the bottom:

zone "microsoft.com" IN {
        type master;
        file "microsoft.com";
        allow-update { none; };
};

Then create a file such as /var/named/microsoft.com.

; Zone file for microsoft.com
$TTL 86400
@ IN SOA                ns101.microsoft.com. hostmaster.microsoft.com. (
                        3005012533      ; Zone Serial  - Date format + inc
                        10800           ; Refresh Time in Seconds - 3hr (10800)
                        3600            ; Retry Time in Seconds - 1 hr (3600)
                        604800          ; Expire Time in Seconds - 1 week (604800)
                        3600 )          ; Minimum (negative caching) TTL in Seconds - 1 hr (3600)

                        IN      NS      ns101.microsoft.com.    ; blank owner = previous owner (@)
                        IN      NS      ns102.microsoft.com.

                        IN      MX      10 mail.microsoft.com.

www                     IN      A       1.2.3.4
ftp                     IN      A       1.2.3.4
mail                    IN      A       1.2.3.4

When you've created the file, type "pkill -HUP named" and it will reload the settings.  To use the local nameserver in Windows, go to Control Panel -> Network Connections and edit the TCP/IP properties and change the DNS servers.  In Linux, edit /etc/resolv.conf.
 
LVL 11

Accepted Solution

by:kblack05
kblack05 earned 300 total points
ID: 17911056
Iceman, I think if you read and follow this guide, it's exactly what you are looking for. David Ranch did a bang-up job laying out the tutorial. How to run split DNS for internal and external networks using CHROOT to jail the daemon:

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-24.html
 

Author Comment

by:iceman19330
ID: 17913810
Thank you all so very much for all this information, there is a ton for me to go over.
Now the server is a mail server for the corporation; our ISP holds our DNS for website, mail and others. Do I need to also add those to my DNS?

www IN A <some pub IP>
mail IN A <some pub IP> or <internal IP> or <both>
and the NS would be the NS that is our ISP's NS servers.
 
LVL 11

Expert Comment

by:kblack05
ID: 17914738
If your ISP is managing DNS for your site, then your server would essentially just become a method of speeding up your performance, and / or creating a way for you to have a differing INTERNAL resolution than EXTERNAL. For example if you have nodes on a 192.168.x.x address space that utilize your internal DNS system, you could have www.somedomain.com point to a 192.168.x.x address space rather than the fully qualified IP of said domain as the EXTERNAL dns (ISP) points to. This can be useful in dampening traffic, keeping external bandwidth clear, and reducing burden on DNS servers for the external clients.
 

Author Comment

by:iceman19330
ID: 17914834
So internally I could point mail.domain.com to 192.168.1.x rather than going external for the DNS on the ISP and then going to the external IP address for mail.domain.com.
 
LVL 11

Expert Comment

by:kblack05
ID: 17914858
That's correct. This will increase performance, as well as give you some interesting abilities. For example say a bunch of your users on the Internal network are strung out on myspace. No problem. Just alias the domain myspace on your INTERNAL server ONLY to point to a local system. I've done this, and put up a web page for that system which read "Welcome to myjobspace.com, now get back to work!".

:D
 
LVL 11

Expert Comment

by:kblack05
ID: 17914870
Also for mail you should make sure you have an "SPF" record.

http://www.openspf.org/
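As an added example, not from any poster in this thread: the pair of zone files behind kblack05's suggestion that www and mail resolve to LAN addresses from inside and to public addresses from outside, with the SPF record he recommends, one file for an internal view and one for an external view. example.com, the host names, the serial and every address are assumptions (203.0.113.0/24 is the RFC 5737 documentation range standing in for real public addresses).

```bind
; Added example, not from any poster on this thread. Domain, host names,
; serial and addresses are assumptions.

; ---- /var/named/db.example.com.internal (served only to LAN clients) ----
$TTL 86400
$ORIGIN example.com.
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2006110801   ; serial, YYYYMMDDnn: bump on every change
                 10800        ; refresh (3 h)
                 3600         ; retry (1 h)
                 604800       ; expire (1 week)
                 3600 )       ; negative caching TTL (1 h)
@       IN  NS   ns1.example.com.
@       IN  MX   10 mail.example.com.
; Sender Policy Framework: only our MX hosts may send mail for this domain.
@       IN  TXT  "v=spf1 mx -all"
ns1     IN  A    192.168.1.2       ; this DNS server
mail    IN  A    192.168.1.10      ; LAN clients reach the mail server directly, no trip to the ISP
www     IN  A    192.168.1.20      ; internal copy of the web server
; The internal name space can carry hosts the outside never sees:
fileserver IN A  192.168.2.5
printer    IN A  192.168.2.6

; ---- /var/named/db.example.com.external (what the rest of the world sees) ----
$TTL 86400
$ORIGIN example.com.
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2006110801 10800 3600 604800 3600 )
@       IN  NS   ns1.example.com.
@       IN  MX   10 mail.example.com.
@       IN  TXT  "v=spf1 mx -all"
ns1     IN  A    203.0.113.2       ; public address of the DNS server
mail    IN  A    203.0.113.10      ; public (NATed) address of the mail server
www     IN  A    203.0.113.20
```

Because the ISP's servers, not this one, are authoritative for the domain on the Internet, the SPF TXT record only takes effect once it is also added to the ISP-hosted zone; mail receivers never see the internal copy. `v=spf1 mx -all` permits only the hosts listed as MX to send for the domain, so if outbound mail goes through the ISP's relay that relay must be added (with `include:` or `ip4:`) or the mail will fail the check. Bump the serial every time either file changes.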
 

Author Comment

by:iceman19330
ID: 17914888
I will look into the SPF.  I have been looking for something like that since a lot of our business is done back and forth to customer via email.
 
LVL 11

Expert Comment

by:kblack05
ID: 17915103
Good. Also note that if you have problems with employees sending mail somewhere they shouldn't or any other type of internal behavior, DNS can be used to thwart such behavior. You can also lighten the load on the DNS for external users, get better control over who can and CANNOT mail you. For example say you don't like domain.com, well simply alias that to a black hole in DNS.

http://www.bleedingthreats.net/blackhole-dns/
 

Author Comment

by:iceman19330
ID: 17915125
I am liking this more and more.  :)
 

Author Comment

by:iceman19330
ID: 17916208
kblack05 can you view my profile and check for my AIM name I have a slightly off topic question.
 
LVL 11

Expert Comment

by:kblack05
ID: 17916656
Sorry, AIM is blocked at the firewall level here...
 

Author Comment

by:iceman19330
ID: 17916670
email okay?
 

Author Comment

by:iceman19330
ID: 17916681
Once you have it let me know, I don't like leaving it out there.
 
LVL 11

Expert Comment

by:kblack05
ID: 17916684
We are not supposed to refer outside EE for any other types of questions. This is a good way for me to get my account killed.

Can you ask the question here? (see profile)
 

Author Comment

by:iceman19330
ID: 17916716
Oh I'm sorry I didn't realize that.
 

Author Comment

by:iceman19330
ID: 17916731
It had to do with some specifics about my networks that I did not want to really make published on the web.
 
LVL 11

Expert Comment

by:kblack05
ID: 17916733
Check the box?
 

Author Comment

by:iceman19330
ID: 17916745
Well maybe I should just figure it out with using generic information.