Solved

Internal DNS machine

Posted on 2006-11-08
25
343 Views
Last Modified: 2011-04-14
I want to set up a DNS machine for my internal network, so that it will be able to find internal stuff on our networks, 192.16.1.0 and 192.168.2.0, as well as be able to use the ISP's DNS servers for external. How would I do that?
0
Question by:iceman19330
25 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 17900621
Since you didn't bother to specify your platform or DNS server software or versions or much of anything else, this response is going to be fairly generic.

Simply configure your DNS server as authoritative for your Zone(s). Point your internal hosts to your DNS server. When they ask for an FQDN in your Zone(s), your server considers itself authoritative for your Zone(s) and will answer without trying to refer the query elsewhere.

When your internal hosts ask for an FQDN that is not in your Zone, it will refer to whatever resolution information it's been given to determine where to refer the query.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17900625
I suggest you set up some DNS proxy with cache. Personally I use: http://www.phys.uu.nl/~rombouts/pdnsd/index.html
There's pretty good documentation on how to use it.
0
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 200 total points
ID: 17901729
I do much what you want to (2 LANs, DNS authoritative for them, all other queries to ISP, no downloading of zone files). This is my /etc/named.conf:

acl "locals" { 10.255.255.0/24; 192.168.0.0/24; 127.0.0.0/8; };
options {
  directory "/var/named";
  forward only;
  forwarders { 198.142.0.51; 203.2.75.132; };
  allow-transfer { none; };
  allow-query { "locals"; };
  allow-recursion { "locals"; };
};

zone "mshome.net" IN {
  type master;
  file "mshome.net";
  forwarders { };
  allow-query { "locals"; };
  allow-transfer { "locals"; };
  allow-update { 192.168.0.120; };
};
zone "0.168.192.in-addr.arpa" IN {
  type master;
  file "ten.emohsm";
  forwarders { };
  allow-query { "locals"; };
  allow-transfer { "locals"; };
  allow-update { 192.168.0.120; };
};
zone "local.net" IN {
  type master;
  file "local.net";
  forwarders { };
  allow-query { "locals"; };
};
zone "255.255.10.in-addr.arpa" IN {
  type master;
  file "ten.lacol";
  forwarders { };
  allow-query { "locals"; };
};

mshome.net uses dynamic addresses served from the system running DNS; local.net has static addresses. Hope that gives you some pointers.
0
 
LVL 9

Expert Comment

by:FixingStuff
ID: 17904429
You may want to check out VIEWS in BIND 9.  It allows you to resolve to internal IPs for requests from the LAN (or any specified subnet) and resolve to external IPs for requests from outside your network for the same zone.  This works great if you want to use the same FQDN from inside and outside.
FS-
0
 

Author Comment

by:iceman19330
ID: 17906220
Ahhh Yes I knew I was forgetting something.

FedoraCore 5, BIND 9.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 17908206
Yes, the BIND 9 Views feature may be the best way to set this up with that product. What duncan_roe suggests will work, but is a bit of a kludge. Views reduces the kludge factor.
0
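An added example, not taken from this thread or from any poster's configuration: a BIND 9 named.conf that combines Duncan Roe's forward-only layout with the views feature FixingStuff and PsiCop mention, adapted to the asker's two LANs (192.168.1.0/24 and 192.168.2.0/24). The zone name example.com, the zone file names and the forwarder addresses 192.0.2.53 and 192.0.2.54 are placeholders (replace the latter with the ISP's resolvers); the "blocked.example" stanza and its sinkhole.zone file are hypothetical, standing in for a domain that internal clients should not be able to resolve.

```conf
// Added example, not from the thread.  BIND 9 named.conf for two internal
// LANs that are authoritative for example.com and forward everything else
// to the ISP.  example.com, the file names and the forwarder addresses
// (192.0.2.x is a documentation range) are placeholders.

acl "internal" {
    192.168.1.0/24;
    192.168.2.0/24;
    127.0.0.0/8;
};

options {
    directory "/var/named";

    // Forward everything we are not authoritative for to the ISP's
    // resolvers; "forward only" means we never fall back to the roots.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };

    // Only the LANs may query or recurse through this server, and nobody
    // may pull a zone transfer unless a zone says otherwise.
    allow-query     { "internal"; };
    allow-recursion { "internal"; };
    allow-transfer  { none; };

    // Do not advertise the BIND version to version.bind CHAOS queries.
    version "not disclosed";
};

// Views are tried in order: the first view whose match-clients list matches
// the query's source address answers it, so the LAN view must come first.
view "internal" {
    match-clients { "internal"; };
    recursion yes;

    zone "example.com" IN {
        type master;
        file "internal/example.com.zone";   // private addresses
        allow-update { none; };
    };

    zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "internal/1.168.192.in-addr.arpa.zone";
        allow-update { none; };
    };

    zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "internal/2.168.192.in-addr.arpa.zone";
        allow-update { none; };
    };

    // Hypothetical sinkhole for a domain internal clients must not reach.
    // sinkhole.zone is assumed to hold an SOA, an NS and a wildcard A
    // record pointing at a loopback or local address.
    zone "blocked.example" IN {
        type master;
        file "sinkhole.zone";
    };
};

// Everyone else sees only the public copy of the zone and gets no
// recursion, so the server cannot be abused as an open resolver.  If the
// ISP keeps hosting the public zone, drop this view entirely; the
// options-level allow-query above then refuses outside queries.
view "external" {
    match-clients { any; };
    allow-query { any; };
    recursion no;

    zone "example.com" IN {
        type master;
        file "external/example.com.zone";   // public addresses only
    };
};
```

Run named-checkconf /etc/named.conf before reloading (rndc reload, or the pkill -HUP named that bryanlloydharris mentions). From a LAN host, dig @192.168.1.53 mail.example.com should return the private address; the same query from an address outside the "internal" ACL should be refused or answered only from the external view, which is the easiest way to confirm the split is really in effect.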
 
LVL 3

Expert Comment

by:bryanlloydharris
ID: 17909188
1. install slackware from disk 1 and disk 2 of the slackware set, using the default options and full install
2. login as root
3. type "chmod 755 /etc/rc.d/rc.bind"
4. type "/etc/rc.d/rc.bind start"
5. edit /etc/named.conf and add this at the bottom:

zone "microsoft.com" IN {
        type master;
        file "microsoft.com";
        allow-update { none; };
};

Then create a file such as /var/named/microsoft.com.

; Zone file for microsoft.com
$TTL 86400
@ IN SOA                ns101.microsoft.com. hostmaster.microsoft.com. (
                        3005012533      ; Zone Serial  - Date format + inc
                        10800           ; Refresh Time in Seconds - 3hr (10800)
                        3600            ; Retry Time in Seconds - 1 hr (3600)
                        604800          ; Expire Time in Seconds - 1 week (604800)
                        3600 )          ; Negative caching TTL in Seconds - 1 hr (3600)

                        IN      NS      ns101.microsoft.com.
                        IN      NS      ns102.microsoft.com.

                        IN      MX      10 mail.microsoft.com.

www                     IN      A       1.2.3.4
ftp                     IN      A       1.2.3.4
mail                    IN      A       1.2.3.4

When you've created the file, type "pkill -HUP named" and it will reload the settings.  To use the local nameserver in Windows, go to control panel -> network connections and edit the TCP/IP properties and change DNS servers.  In linux, edit /etc/resolv.conf.
0
 
LVL 11

Accepted Solution

by:
kblack05 earned 300 total points
ID: 17911056
Iceman, I think if you read and follow this guide, it's exactly what you are looking for. David Ranch did a bang-up job laying out the tutorial: how to run split DNS for internal and external networks using CHROOT to jail the daemon.

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-24.html
0
 

Author Comment

by:iceman19330
ID: 17913810
Thank you all so very much for all this information, there is a ton for me to go over.
Now the server is a mail server for the corporation. Our ISP holds our DNS for website, mail and others; do I need to also add those to my DNS?

www IN A <some pub IP>
mail IN A <some pub IP> or <internal IP> or <both>
and the NS would be the NS that are our ISP's NS servers.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17914738
If your ISP is managing DNS for your site, then your server would essentially just become a method of speeding up your performance, and / or creating a way for you to have a differing INTERNAL resolution than EXTERNAL. For example if you have nodes on a 192.168.x.x address space that utilize your internal DNS system, you could have www.somedomain.com point to a 192.168.x.x address space rather than the fully qualified IP of said domain as the EXTERNAL dns (ISP) points to. This can be useful in dampening traffic, keeping external bandwidth clear, and reducing burden on DNS servers for the external clients.
0
 

Author Comment

by:iceman19330
ID: 17914834
So internally I could point mail.domain.com to 192.168.1.x rather than going external for the DNS on the ISP and then going to the external IP address for mail.domain.com.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17914858
That's correct. This will increase performance, as well as give you some interesting abilities. For example say a bunch of your users on the Internal network are strung out on myspace. No problem. Just alias the domain myspace on your INTERNAL server ONLY to point to a local system. I've done this, and put up a web page for that system which read "Welcome to myjobspace.com, now get back to work!".

:D
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17914870
Also for mail you should make sure you have an "SPF" record.

http://www.openspf.org/
0
 

Author Comment

by:iceman19330
ID: 17914888
I will look into the SPF.  I have been looking for something like that since a lot of our business is done back and forth to customer via email.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17915103
Good. Also note that if you have problems with employees sending mail somewhere they shouldn't or any other type of internal behavior, DNS can be used to thwart such behavior. You can also lighten the load on the DNS for external users, get better control over who can and CANNOT mail you. For example say you don't like domain.com, well simply alias that to a black hole in DNS.

http://www.bleedingthreats.net/blackhole-dns/
0
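An added example, not from the thread or from any poster: the zone files behind the kind of internal-view setup Duncan Roe and kblack05 describe, covering the asker's mail question (internal clients reach mail.domain.com on the LAN), kblack05's SPF suggestion, and his blackhole idea. The domain example.com, every host name and address (192.168.x.x private, 203.0.113.25 from a documentation range), the serial numbers and the file paths are constructed placeholders; the zone names are assumed to be declared in named.conf with these file names.

```zone
; Added example, not from the thread.  Internal-view zone files; all
; names, addresses and paths are constructed placeholders.

; ---- file: /var/named/internal/example.com.zone ----
$TTL 86400
$ORIGIN example.com.
@           IN  SOA  ns1.example.com. hostmaster.example.com. (
                     2006110801  ; serial, YYYYMMDDnn: bump on every edit
                     10800       ; refresh: 3 h
                     3600        ; retry: 1 h
                     604800      ; expire: 1 week
                     3600 )      ; negative-caching TTL: 1 h

            IN  NS   ns1.example.com.

; Internal clients deliver to the mail server on the LAN instead of
; going out to the public address and back in through the firewall.
            IN  MX   10 mail.example.com.

; SPF: only the mail server's public address may send mail for the
; domain.  External receivers look this up in the ISP-hosted public
; zone, so the identical TXT record must be published there too.
            IN  TXT  "v=spf1 ip4:203.0.113.25 -all"

ns1         IN  A    192.168.1.53
mail        IN  A    192.168.1.25
www         IN  A    192.168.2.80
fileserver  IN  A    192.168.2.10

; ---- file: /var/named/internal/1.168.192.in-addr.arpa.zone ----
; Reverse zone for 192.168.1.0/24 so log entries resolve to host names.
$TTL 86400
$ORIGIN 1.168.192.in-addr.arpa.
@           IN  SOA  ns1.example.com. hostmaster.example.com. (
                     2006110801 10800 3600 604800 3600 )
            IN  NS   ns1.example.com.
53          IN  PTR  ns1.example.com.
25          IN  PTR  mail.example.com.

; ---- file: /var/named/sinkhole.zone ----
; One generic file loaded for every blocked domain (no $ORIGIN, so "@"
; becomes whatever zone name named.conf attaches it to).  The wildcard
; answers every name under the domain with loopback, so the client's
; connection fails locally and never leaves the LAN.
$TTL 3600
@           IN  SOA  ns1.example.com. hostmaster.example.com. (
                     2006110801 10800 3600 604800 3600 )
            IN  NS   ns1.example.com.
            IN  A    127.0.0.1
*           IN  A    127.0.0.1
```

named-checkzone example.com /var/named/internal/example.com.zone validates a file before named loads it; a bad serial or a missing trailing dot on an NS target is the usual reason a zone silently fails to load. If outbound mail leaves through the ISP's relay rather than directly from the mail server, that relay must also be covered in the SPF record (by its address or an include: mechanism), otherwise receivers honouring -all will reject the company's own mail.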
 

Author Comment

by:iceman19330
ID: 17915125
I am liking this more and more.  :)
0
 

Author Comment

by:iceman19330
ID: 17916208
kblack05 can you view my profile and check for my AIM name I have a slightly off topic question.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17916656
Sorry, AIM is blocked at the firewall level here...
0
 

Author Comment

by:iceman19330
ID: 17916670
email okay?
0
 

Author Comment

by:iceman19330
ID: 17916681
once you have it let me know, I don't like leaving it out there
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17916684
We are not supposed to refer outside EE for any other types of questions. This is a good way for me to get my account killed.

Can you ask the question here? (see profile)
0
 

Author Comment

by:iceman19330
ID: 17916716
Oh I'm sorry I didn't realize that.
0
 

Author Comment

by:iceman19330
ID: 17916731
It had to do with some specifics about my networks that I did not want to really make published on the web.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17916733
Check the box?
0
 

Author Comment

by:iceman19330
ID: 17916745
Well maybe I should just figure it out with using generic information.
0
