[GLLUG] internal and external DNS
Scott Overfield
soverfield@gccmha.org
Fri, 22 Feb 2002 13:22:55 -0500
Thanks again for all of your help.....BIND is up and running, resolving
internally and forwarding externally, and allowing dynamic updates from
Active Directory........*nix rules, mickeysoft drools....
-----Original Message-----
From: Mike Rambo [mailto:mrambo@lsd.k12.mi.us]
Sent: Thursday, February 21, 2002 8:10 AM
To: Scott Overfield
Subject: Re: [GLLUG] internal and external DNS
> Scott Overfield wrote:
>
> Good Morning,
> Here is my question.......My ISP hosts my DNS for routable addresses,
> I would, however, like to set up a non-microsoft DNS server for my
> LAN, which is using non-routable addresses....What is the best way to
> accomplish this? I do have a dual homed FreeBSD box set up behind
> my firewall, functioning as a NAT box to provide internet access from
> the LAN....could this box possibly be set up to respond to internal
> DNS queries, and forward all others to the ISP's DNS server? If so,
> how is this configured? Please excuse me if this is a newbie question,
> I have zero experience with BIND or any DNS server other than
> microsoft......however, I am interested in banishing windoze, at least
> from the server room....I thought this might be a good place to
> start.....
>
Hi Scott, Matt asked this question yesterday. Maybe I should have responded
to the list but since the answer I gave him was long I didn't want to send
it to a public list. I'll supply you with the same info and examples. Note
however that this is for Linux. I would hope BSD would be similar but since
I've never used it I have no idea. I'll include the stuff I sent him for
both a simple static setup as well as a dynamic setup using ISC's bind along
with their DHCP product.
Hope this helps...
Matt Fuerst wrote:
>
> I want to set up my own DNS... it can't be that hard. I am really
> looking for an existing file for a simple domain that I can copy and
> modify.... I am planning on using BIND 9, but am totally flexible..
>
I think someone already pointed you to the How-to's - which is good - but
having been through this myself a couple years ago I understand how helpful
examples are. Here are a few...
(1) Simple static DNS.
First file is /etc/named.conf
[mrambo@mrambo tmp]$ more named.conf
// generated by named-bootconf.pl
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // A fixed source port makes this server's outgoing queries
        // predictable, which eases cache poisoning; prefer letting the
        // firewall pass replies to unprivileged ports over pinning port 53.
        query-source address * port 53;
        /* forwarders {
         *      207.73.196.250;
         *      35.8.2.58;
         * };
         */
};
//
// a caching only nameserver config
//
zone "." {
        type hint;
        file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};
//
// add custom domains here
//
zone "imcdomain.com" {
        type master;
        file "imcdomain.com";
        notify no;
};
zone "1.168.192.IN-ADDR.ARPA" {
        type master;
        file "192.168.1";
        notify no;
};
If you have bind installed you probably already have this file
(named.conf) and the two files associated with the caching name server. All
you need to add is your internal/custom/private/whatever domains as shown.
An important part on your own domains is the 'notify no'. It prevents your
name server from attempting to update the upstream DNS server with info about
your domain. This is something desirable only if you're working with public
IP address space and you have arranged with your upstream DNS to be able to
do updates - it is definitely a no-no if you're using private IP space (i.e.
10.x.x.x, 192.168.x.x, etc.). You will want both a forward (imcdomain.com,
which locates IP by NAME) and reverse (192.168.1, which locates NAME by IP)
lookup file for each private domain.
Second file is /var/named/192.168.1
[mrambo@mrambo tmp]$ more /mnt/floppy/templates/192.168.1
$TTL 43200      ; default TTL for records that give none (BIND 9 complains if missing)
@       IN SOA  localhost. root.localhost. (
                1999122004      ; serial (YYYYMMDDnn, bump it on every change)
                3600            ; refresh
                900             ; retry
                1209600         ; expire
                43200 )         ; minimum (negative-cache TTL in BIND 9)
@       IN NS   localhost.      ; fine for a private, single-server zone
1       IN PTR  linuxbox.imcdomain.com.
11      IN PTR  jvan.imcdomain.com.
12      IN PTR  mrambo.imcdomain.com.
13      IN PTR  kmorris.imcdomain.com.
Last file is /var/named/imcdomain.com
[mrambo@mrambo tmp]$ more /mnt/floppy/templates/imcdomain.com
$TTL 43200      ; default TTL for records that give none (BIND 9 complains if missing)
@       IN SOA  localhost. root.localhost. (
                1999122012      ; serial (YYYYMMDDnn, bump it on every change)
                3600            ; refresh
                900             ; retry
                1209600         ; expire
                43200 )         ; minimum (negative-cache TTL in BIND 9)
@       IN NS   localhost.      ; fine for a private, single-server zone
@       IN A    192.168.1.1     ; the apex must point at a host, not the network address (.0)
@       IN MX   5 linuxbox.imcdomain.com.   ; 5 is the preference; the lowest value is tried first
linuxbox  IN A  192.168.1.1
jvan      IN A  192.168.1.11
mrambo    IN A  192.168.1.12
kmorris   IN A  192.168.1.13
repair    IN A  10.8.24.7
I think the biggest gotcha here is the serial number. It must be incremented
each time you update the DNS information because the named server only
reloads the data if the serial number has been incremented from the last
time it was loaded. I suspect the serial number can actually be just about
anything but custom dictates that it be in the form of YYYYMMDD## to
indicate the date it was updated and how many times in the day it has been
updated. Makes me wonder why I had updated this DNS information 12 times on
that day ;-). Also note the MX (mail server) entry. The 5 is something to do
with priority but I forget the details. One last comment I'll make is that
our domain really should have been imcdomain.local instead of .com because
we're totally in private IP space. I was pretty green when I did this and
was basically shooting from the hip (didn't know what I was doing). But it
works fine so I've never changed it.
(2) Here is the setup for dynamic DNS - a little more complex.
First file is /etc/dhcpd.conf
[mrambo@mrambo tmp]$ more dhcpd.conf
# Dynamic Host Configuration Protocol
# DHCPd Daemon Configuration File
# MHR last updated July 2001
# dlt=43200sec=12hours, mlt=259200sec=72hours
#
default-lease-time 43200;
max-lease-time 259200;
option domain-name-servers 10.8.24.7, 207.73.196.250;
option domain-name "imcdomain.com";
# wins server - hybrid type (wins - broadcast)
option netbios-name-servers 192.168.1.1;
option netbios-node-type 8;
# ddns-update-style can be 'none', 'ad-hoc', or 'interim'
# (ad-hoc was removed in ISC DHCP 4.0; use 'interim', or 'standard' in 4.3 and later)
ddns-update-style ad-hoc;
ddns-domainname "imcdomain.com";
ddns-rev-domainname "in-addr.arpa";
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.20 192.168.1.250;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 192.168.1.1;
        # TSIG key shared with named; name, algorithm and secret must match
        # the key statement in named.conf byte for byte (unquoted here)
        key DHCP_UPDATER {
                algorithm HMAC-MD5.SIG-ALG.REG.INT;
                secret pRP5<munged>Q==;
        };
        # send signed updates for both zones to the local named
        zone IMCDOMAIN.COM. {
                primary 127.0.0.1;
                key DHCP_UPDATER;
        }
        zone 1.168.192.in-addr.arpa. {
                primary 127.0.0.1;
                key DHCP_UPDATER;
        }
}
# second interface: dhcpd wants a subnet declaration for every network it is
# attached to, even when it hands out no leases there
subnet 10.8.24.0 netmask 255.255.255.0 {
}
The box this runs on also serves as a router/firewall to another network
- thus it has two network cards. DHCPd requires that there be a subnet
declaration for every network on the box - even if not all of them will be
used by DHCPd for leases. This is why there is an empty subnet declaration
for the second subnet at the bottom of the file.
Second file is /etc/named.conf
[mrambo@mrambo tmp]$ more named.conf
// generated by named-bootconf.pl
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // A fixed source port makes this server's outgoing queries
        // predictable, which eases cache poisoning; prefer letting the
        // firewall pass replies to unprivileged ports over pinning port 53.
        query-source address * port 53;
        /* forwarders {
         *      207.73.196.250;
         *      35.8.2.58;
         * };
         */
};
// TSIG key shared with dhcpd.  The secret is a quoted string here (dhcpd.conf
// writes it unquoted) and must match byte for byte.  named.conf is usually
// world-readable, so keep the key statement in a separate file readable only
// by named and pull it in with:  include "/etc/named.key";
key DHCP_UPDATER {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret "pRP5<munged>Q==";
};
//
// a caching only nameserver config
//
zone "." {
        type hint;
        file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};
//
// add custom zones here
//
zone "imcdomain.com" {
        type master;
        file "imcdomain.com";
        notify no;
        // accept updates only when signed with the key; an address-based ACL
        // alone would be spoofable for UDP updates
        allow-update { key DHCP_UPDATER; };
};
zone "1.168.192.IN-ADDR.ARPA" {
        type master;
        file "192.168.1";
        notify no;
        allow-update { key DHCP_UPDATER; };
};
I know from experience that some of this is slightly altered with bind 9
because I went through setting this up on a friend's Red Hat 7.2 box. I don't
have access to the altered files right now but if you can't figure it out I
can probably get them.
Third file is /var/named/imcdomain.com. I include these last two files for
reference only. In my experience you can use the simpler files I sent in the
last email and the newer versions of bind will work with them and modify
them as it wants.
[mrambo@mrambo tmp]$ more imcdomain.com
;BIND DUMP V8
$ORIGIN com.
imcdomain       43200   IN      SOA     localhost. root.localhost. (
                2001083061 3600 900 1209600 43200 )     ;Cl=2
                43200   IN      NS      localhost.      ;Cl=2
                43200   IN      A       192.168.1.0     ;Cl=2  (network address, not a host)
                43200   IN      MX      5 linuxbox.imcdomain.com.       ;Cl=2
$ORIGIN imcdomain.com.
mrambo          43200   IN      A       192.168.1.12    ;Cl=2
jvanlinux       129600  IN      A       192.168.1.74    ;Cl=2
linuxbox        43200   IN      A       192.168.1.1     ;Cl=2
repair          43200   IN      A       10.8.24.7       ;Cl=2
; always send fully qualified names (trailing dot) in updates; a name sent
; without it gets the origin appended again, e.g. hawkeye.imcdomain.com.imcdomain.com.
hawkeye         21600   IN      A       192.168.1.2     ;Cl=2
$ORIGIN linuxbox.imcdomain.com.
msn             43200   IN      A       192.168.1.1     ;Cl=2
jud             43200   IN      A       192.168.1.1     ;Cl=2
aim             43200   IN      A       192.168.1.1     ;Cl=2
yahoo           43200   IN      A       192.168.1.1     ;Cl=2
icq             43200   IN      A       192.168.1.1     ;Cl=2
conference      43200   IN      A       192.168.1.1     ;Cl=2
This file was once exactly like the other example I sent in the last email.
All the changes are from the newer versions of bind (8.2.3 in this case)
that support the DNS updating. In reality most of this file is still static
information. You may find that bind will keep a second file (of same name
only with .log appended) that tracks dynamic leases as they occur. It
appears that over time some of those dynamic entries will be finally
included in the main file but I don't know what actually triggers this or
what the conditions must be. Or maybe not, I just looked and it looks like
the last time I updated bind on this box the behavior for DNS updating may
have changed. I don't see any .log files anymore. In any case, the jvanlinux
entry is actually the only dynamic entry in this file. As a side note, all
the stuff at the bottom (from msn through conference) is related to the
jabber service we run on this server - we like the unified IM ;-).
Fourth file is /var/named/192.168.1
[mrambo@mrambo tmp]$ more 192.168.1
;BIND DUMP V8
$ORIGIN 168.192.IN-ADDR.ARPA.
1               43200   IN      SOA     localhost. root.localhost. (
                2001083051 3600 900 1209600 43200 )     ;Cl=5
                43200   IN      NS      localhost.      ;Cl=5
$ORIGIN 1.168.192.in-addr.arpa.
12              43200   IN      PTR     mrambo.imcdomain.com.   ;Cl=5
74              129600  IN      PTR     jvanlinux.imcdomain.com.        ;Cl=5
1               43200   IN      PTR     linuxbox.imcdomain.com. ;Cl=5
2               43200   IN      PTR     hawkeye.imcdomain.com.  ;Cl=5
Once again the only dynamic entry here is for jvanlinux. (You can see that
the dhcp scope is from .20 to .250 in the dhcpd.conf file above.) I hope
this is clear enough to help...
--
Mike Rambo
mrambo@lsd.k12.mi.us
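The serial-number gotcha in the static setup above (named only reloads a zone whose SOA serial went up) is easy to automate. The following is an added example, not code from the thread or from ISC: a POSIX shell function that rewrites the SOA serial of a zone file in the YYYYMMDDnn form, keeps it increasing even if the clock has gone backwards or someone set a larger serial by hand, and leaves every other number in the file (TTLs, refresh, retry) alone. The zone file name and the sample zone are constructed for illustration; the date argument exists only so the result is reproducible.

```shell
#!/bin/sh
# Added example: bump a zone file's SOA serial in YYYYMMDDnn form.
# bump_serial ZONEFILE [YYYYMMDD]: rewrites the serial in place and prints
# the new value.  Only the first bare number after the SOA keyword (skipping
# ";" comments) is touched, so TTLs and the other SOA fields stay as they are.
bump_serial() {
    zone="$1"
    today="${2:-$(date -u +%Y%m%d)}"      # UTC date unless given (tests pass one)
    tmp="$zone.tmp.$$"
    new=$(awk -v today="$today" -v out="$tmp" '
    function next_serial(old, today,    cand) {
        cand = today * 100 + 1                     # first serial of the day: YYYYMMDD01
        return (old + 0 >= cand) ? old + 1 : cand  # never go backwards (RFC 1982 order)
    }
    {
        if (!done) {
            pad = " " $0 " "                       # pad so boundary checks need no ^/$ anchors
            off = 1
            # the serial is the first bare number after "SOA", which may be on
            # the same line as the keyword or on a following line
            if (!insoa && match(pad, /[ \t]SOA[ \t]/)) { insoa = 1; off = RSTART + RLENGTH }
            if (insoa) {
                rest = substr(pad, off)
                sub(/;.*/, "", rest)               # ignore a trailing ; comment
                if (match(rest, /[ \t(][0-9]+[ \t)]/)) {
                    s = RSTART + 1; l = RLENGTH - 2    # strip the two boundary characters
                    old = substr(rest, s, l)
                    new = next_serial(old, today)
                    pos = off - 1 + s - 1              # same position in the unpadded line
                    # splice at that exact offset so an equal number elsewhere is untouched
                    $0 = substr($0, 1, pos - 1) sprintf("%.0f", new) substr($0, pos + l)
                    done = 1
                }
            }
        }
        print > out
    }
    END {
        if (!done) { print "no SOA serial found" > "/dev/stderr"; exit 1 }
        printf "%.0f\n", new
    }' "$zone") || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$zone"                      # atomic replace: named never sees a half-written file
    echo "$new"
}
```

Run it as `bump_serial /var/named/imcdomain.com` before `rndc reload` (or `ndc reload` on BIND 8); a serial that did not change is the usual reason a reload "does nothing".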
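The dynamic setup works only while the key in dhcpd.conf and the key in named.conf are identical and nobody else can read them. As an added example (not from the thread or from ISC), the functions below generate one secret, write both stanzas from it so the two files cannot drift apart, lock the file modes down, and check that two existing key files agree. They use hmac-sha256, which current BIND 9 and ISC DHCP accept (the BIND 8 and DHCP 3 versions in the thread only had HMAC-MD5). The key file names, the key name and the include paths in the comments are assumptions; the secret in the test is a constructed, throwaway value.

```shell
#!/bin/sh
# Added example: one TSIG secret, two matching stanzas, plus a consistency check.
# make_tsig_key DIR NAME [SECRET]: writes DIR/NAME.named.key (quoted secret, for
#   include "/etc/named/NAME.named.key";  in named.conf) and DIR/NAME.dhcpd.key
#   (unquoted, for  include "/etc/dhcp/NAME.dhcpd.key";  in dhcpd.conf).
#   SECRET is only for reproducible tests; normally 32 random bytes are used.
make_tsig_key() {
    dir="$1"; name="$2"
    secret="${3:-$(head -c 32 /dev/urandom | base64 | tr -d '\n')}"
    cat > "$dir/$name.named.key" <<EOF
key "$name" {
        algorithm hmac-sha256;
        secret "$secret";
};
EOF
    cat > "$dir/$name.dhcpd.key" <<EOF
key $name {
        algorithm hmac-sha256;
        secret $secret;
};
EOF
    # owner and group only; chown each file to root and the daemon's group afterwards
    chmod 0640 "$dir/$name.named.key" "$dir/$name.dhcpd.key"
    echo "$secret"
}

# tsig_field FILE FIELD: print the value of "algorithm" or "secret" from a key
# stanza with quotes and the trailing ';' stripped, so a BIND-style and a
# dhcpd-style file compare equal.
tsig_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\}[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# check_tsig_pair NAMED_KEY DHCPD_KEY: status 0 when both files carry the same
# algorithm and secret and neither is world-readable.  A mismatch shows up at
# run time as a TSIG verification failure (BADKEY/BADSIG) on every update; a
# world-readable key lets any local user forge updates to the zone.
check_tsig_pair() {
    a="$1"; b="$2"
    for f in "$a" "$b"; do
        [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "$f: world-readable" >&2; return 1
        fi
    done
    for field in algorithm secret; do
        va=$(tsig_field "$a" "$field"); vb=$(tsig_field "$b" "$field")
        [ -n "$va" ] || { echo "$a: no $field statement" >&2; return 1; }
        if [ "$va" != "$vb" ]; then
            echo "$field differs between $a and $b" >&2; return 1
        fi
    done
    return 0
}
```

After generating the pair, `named-checkconf` and `dhcpd -t` (or `dhcpd -T` on old releases) will tell you whether the include lines parse; `check_tsig_pair` is the extra step for the failure that those tools cannot see, the two daemons holding different secrets.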