• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 356

Internal DNS machine

I want to set up a DNS machine for my internal network, so that it will be able to find internal stuff on our networks, 192.16.1.0 and 192.168.2.0, as well as be able to use the ISP's DNS servers for external.  How would I do that?
Asked: iceman19330
2 Solutions
 
PsiCop commented:
Since you didn't bother to specify your platform or DNS server software or versions or much of anything else, this response is going to be fairly generic.

Simply configure your DNS server as authoritative for your Zone(s). Point your internal hosts to your DNS server. When they ask for an FQDN in your Zone(s), your server considers itself authoritative for your Zone(s) and will answer without trying to refer the query elsewhere.

When your internal hosts ask for an FQDN that is not in your Zone, it will refer to whatever resolution information it's been given to determine where to refer the query.
ravenpl commented:
I suggest you set up some DNS proxy with cache. Personally I use: http://www.phys.uu.nl/~rombouts/pdnsd/index.html
There's pretty good documentation on how to use it.
Duncan Roe (Software Developer) commented:
I do much of what you want to (2 LANs, DNS authoritative for them, all other queries to ISP, no downloading of zone files). This is my /etc/named.conf:

acl "locals" { 10.255.255.0/24; 192.168.0.0/24; 127.0.0.0/8; };   // the two LANs plus loopback
options {
  directory "/var/named";
  forward only;                                  // never walk the root servers ourselves
  forwarders { 198.142.0.51; 203.2.75.132; };    // ISP resolvers for everything we are not authoritative for
  allow-transfer { none; };                      // no zone transfers by default
  allow-query { "locals"; };
  allow-recursion { "locals"; };                 // only the LANs may use this server as a recursive resolver
};

zone "mshome.net" IN {
  type master;
  file "mshome.net";
  forwarders { };                                // empty list: answer from our own data, never forward this zone
  allow-query { "locals"; };
  allow-transfer { "locals"; };
  allow-update { 192.168.0.120; };               // only the DHCP host may push dynamic updates
};
zone "0.168.192.in-addr.arpa" IN {               // reverse zone for 192.168.0.0/24
  type master;
  file "ten.emohsm";
  forwarders { };
  allow-query { "locals"; };
  allow-transfer { "locals"; };
  allow-update { 192.168.0.120; };
};
zone "local.net" IN {
  type master;
  file "local.net";
  forwarders { };
  allow-query { "locals"; };
};
zone "255.255.10.in-addr.arpa" IN {              // reverse zone for 10.255.255.0/24
  type master;
  file "ten.lacol";
  forwarders { };
  allow-query { "locals"; };
};

mshome.net uses dynamic addresses served from the system running DNS; local.net has static addresses. Hope that gives you some pointers.
Dean Chafee (IT/InfoSec Manager) commented:
You may want to check out VIEWS in BIND 9.  It allows you to resolve to internal IPs for requests from the LAN (or any specified subnet) and resolve to external IPs for requests from outside your network for the same zone.  This works great if you want to use the same FQDN from inside and outside.
FS-
iceman19330 (Author) commented:
Ahhh, yes, I knew I was forgetting something.

Fedora Core 5, BIND 9.

PsiCop commented:
Yes, the BIND 9 Views feature may be the best way to set this up with that product. What duncan_roe suggests will work, but is a bit of a kludge. Views reduces the kludge factor.
bryanlloydharris commented:
1. install slackware from disk 1 and disk 2 of the slackware set, using the default options and full install
2. login as root
3. type "chmod 755 /etc/rc.d/rc.bind"
4. type "/etc/rc.d/rc.bind start"
5. edit /etc/named.conf and add this at the bottom:

zone "microsoft.com" IN {
        type master;
        file "microsoft.com";
        allow-update { none; };
};

Then create a file such as /var/named/microsoft.com.

; Zone file for microsoft.com (the zone name is just the example from this post; use your own domain)
$TTL 86400
@ IN SOA                ns101.microsoft.com. hostmaster.microsoft.com. (
                        3005012533      ; Zone Serial  - Date format + inc
                        10800           ; Refresh Time in Seconds - 3hr (10800)
                        3600            ; Retry Time in Seconds - 1 hr (3600)
                        604800          ; Expire Time in Seconds - 1 week (604800)
                        3600 )          ; Negative-caching TTL in Seconds - 1 hr (3600)

                        IN      NS      ns101.microsoft.com.
                        IN      NS      ns102.microsoft.com.

                        IN      MX      10 mail.microsoft.com.

; The NS and MX targets live inside this zone, so they need A records here too
ns101                   IN      A       1.2.3.4
ns102                   IN      A       1.2.3.4
www                     IN      A       1.2.3.4
ftp                     IN      A       1.2.3.4
mail                    IN      A       1.2.3.4

When you've created the file, type "pkill -HUP named" and it will reload the settings.  To use the local nameserver in Windows, go to Control Panel -> Network Connections and edit the TCP/IP properties and change DNS servers.  In Linux, edit /etc/resolv.conf.

kblack05 commented:
Iceman, I think if you read and follow this guide, it's exactly what you are looking for. David Ranch did a bang-up job laying out the tutorial: how to run split DNS for internal and external networks using CHROOT to jail the daemon.

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-24.html
iceman19330 (Author) commented:
Thank you all so very much for all this information; there is a ton for me to go over.
Now the server is a mail server for the corporation, and our ISP holds our DNS for website, mail and others. Do I need to also add those to my DNS?

www IN A <some pub IP>
mail IN A <some pub IP> or <internal IP> or <both>
and the NS would be the NS that is our ISP's NS servers.

kblack05 commented:
If your ISP is managing DNS for your site, then your server would essentially just become a method of speeding up your performance, and / or creating a way for you to have a differing INTERNAL resolution than EXTERNAL. For example if you have nodes on a 192.168.x.x address space that utilize your internal DNS system, you could have www.somedomain.com point to a 192.168.x.x address space rather than the fully qualified IP of said domain as the EXTERNAL dns (ISP) points to. This can be useful in dampening traffic, keeping external bandwidth clear, and reducing burden on DNS servers for the external clients.
iceman19330 (Author) commented:
So internally I could point mail.domain.com to 192.168.1.x rather than going external for the DNS on the ISP and then going to the external IP address for mail.domain.com.
kblack05 commented:
That's correct. This will increase performance, as well as give you some interesting abilities. For example say a bunch of your users on the Internal network are strung out on myspace. No problem. Just alias the domain myspace on your INTERNAL server ONLY to point to a local system. I've done this, and put up a web page for that system which read "Welcome to myjobspace.com, now get back to work!".

:D
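The BIND 9 views approach PsiCop and Dean Chafee recommend, combined with kblack05's point that mail.domain.com can resolve to a 192.168.1.x address for LAN clients only, as an added example for the asker's Fedora Core 5 / BIND 9 box with the 192.168.1.0/24 and 192.168.2.0/24 subnets. This is not config posted in the thread; domain.com, the ISP resolver addresses and the zone file names are placeholders, and domain.com.internal is the zone file that carries the private A record for mail.

```conf
// Added example, not from the thread: BIND 9 split-horizon DNS using views.
// Placeholders: domain.com, the ISP resolver addresses, and the zone file names.
acl "internal" { 192.168.1.0/24; 192.168.2.0/24; 127.0.0.0/8; };

options {
  directory "/var/named";
  allow-transfer { none; };            // no zone transfers unless a zone says otherwise
};

// LAN clients: authoritative for domain.com with private addresses,
// everything else forwarded to the ISP's resolvers.
view "internal" {
  match-clients { "internal"; };
  recursion yes;                       // recursion only for this view, so the box is not an open resolver
  forward only;
  forwarders { 203.0.113.53; 203.0.113.54; };   // placeholders for the ISP resolvers
  zone "domain.com" IN {
    type master;
    file "domain.com.internal";        // mail.domain.com -> 192.168.1.x lives in this file
    forwarders { };                    // never forward a zone we are authoritative for
  };
  zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "1.168.192.rev";
  };
  zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "2.168.192.rev";
  };
};

// Everyone else: answers only for domain.com with public addresses, no recursion.
// Private 192.168.x.x records never appear in this view's zone file.
view "external" {
  match-clients { any; };
  recursion no;
  zone "domain.com" IN {
    type master;
    file "domain.com.external";
  };
};
```

With views in use, every zone must sit inside a view; if the ISP stays the public nameserver for domain.com, the external view can be dropped and allow-query restricted to the "internal" ACL instead.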
kblack05 commented:
Also for mail you should make sure you have an SPF record.

http://www.openspf.org/
iceman19330 (Author) commented:
I will look into the SPF.  I have been looking for something like that, since a lot of our business is done back and forth to customers via email.
kblack05 commented:
Good. Also note that if you have problems with employees sending mail somewhere they shouldn't, or any other type of internal behavior, DNS can be used to thwart such behavior. You can also lighten the load on the DNS for external users and get better control over who can and CANNOT mail you. For example, say you don't like domain.com; well, simply alias that to a black hole in DNS.

http://www.bleedingthreats.net/blackhole-dns/
iceman19330 (Author) commented:
I am liking this more and more.  :)
iceman19330 (Author) commented:
kblack05, can you view my profile and check for my AIM name? I have a slightly off-topic question.
kblack05 commented:
Sorry, AIM is blocked at the firewall level here...
iceman19330 (Author) commented:
Email okay?
iceman19330 (Author) commented:
Once you have it, let me know; I don't like leaving it out there.
kblack05 commented:
We are not supposed to refer outside EE for any other types of questions. This is a good way for me to get my account killed.

Can you ask the question here? (see profile)
iceman19330 (Author) commented:
Oh I'm sorry I didn't realize that.
iceman19330 (Author) commented:
It had to do with some specifics about my networks that I did not want to really make published on the web.
kblack05 commented:
Check the box?
iceman19330 (Author) commented:
Well maybe I should just figure it out with using generic information.