Setting up DNS; Internet and Intranet questions


Setting up DNS; Internet and Intranet questions

Dan Thurman

I have a setup as follows:

1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
2) NAT->DNS(Internet)

Let's assume:
a) ISP provided static IP is: 111.111.111.1
b) Firewall allows access to DNS port 53
c) Intranet addresses are: 10.0.0.x

Q1: In setting up a DNS server for Internet,
    is it required that I set up a mydomain.com
    zone for 111.111.111.x addresses or can I
    use 10.0.0.x addresses since NAT is involved?

    What I am trying to understand here is, am I required
    to set up separate DNS servers, one for Internet
    (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?

The trouble that I am running into is that I am not able
to get reverse DNS to work even though I have PTR fields
defined, but they are of 10.0.0.x addresses and I am not
seeing rDNS resolvers.

Thanks!
Dan

--
fedora-list mailing list
[hidden email]
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Re: Setting up DNS; Internet and Intranet questions

Thomas Cameron

On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:

> I have a setup as follows:
>
> 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
> 2) NAT->DNS(Internet)
>
> Let's assume:
> a) ISP provided static IP is: 111.111.111.1
> b) Firewall allows access to DNS port 53
> c) Intranet addresses are: 10.0.0.x
>
> Q1: In setting up a DNS server for Internet,
>     is it required that I set up a mydomain.com
>     zone for 111.111.111.x addresses or can I
>     use 10.0.0.x addresses since NAT is involved?
>
>     What I am trying to understand here is, am I required
>     to set up separate DNS servers, one for Internet
>     (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
>
> The trouble that I am running into is that I am not able
> to get reverse DNS to work even though I have PTR fields
> defined, but they are of 10.0.0.x addresses and I am not
> seeing rDNS resolvers.

Where is your DNS server?  Is it behind the firewall?

Here's what I have:

*) 1 Linux firewall connected to my ISP (public address) - uses iptables
with SNAT so the internal private network can get to the Internet.

*) 2 machines inside the firewall running forward and reverse DNS, DHCP
and so on.  My internal network is called something like "mynet.lan" so
that it can never get confused with any outside DNS namespace.

*) All machines inside the firewall look at the internal DNS server so
that they can resolve correctly.  Any lookups for which the DNS server
is not authoritative gets sent out through the firewall.

This works flawlessly for me.

--
Thomas


Re: Setting up DNS; Internet and Intranet questions

Christopher A. Williams-3
On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:

> I have a setup as follows:
>
> 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
> 2) NAT->DNS(Internet)
>
> Let's assume:
> a) ISP provided static IP is: 111.111.111.1
> b) Firewall allows access to DNS port 53
> c) Intranet addresses are: 10.0.0.x
>
> Q1: In setting up a DNS server for Internet,
>     is it required that I set up a mydomain.com
>     zone for 111.111.111.x addresses or can I
>     use 10.0.0.x addresses since NAT is involved?
>
>     What I am trying to understand here is, am I required
>     to set up separate DNS servers, one for Internet
>     (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
>
> The trouble that I am running into is that I am not able
> to get reverse DNS to work even though I have PTR fields
> defined, but they are of 10.0.0.x addresses and I am not
> seeing rDNS resolvers.

Interesting, so it's not just me then. I'm having trouble getting
anything on my DNS servers to resolve. I'm using the DNS configuration
tool to set up a master zone for a local domain (mydomain.local), yet
nothing is working. I've checked ports, firewall, and selinux settings.
Still no dice.

Ideas welcome - I'm not sure what I'm missing / doing wrong.

Cheers,

Chris


--
===========================
"If you are calm while all around you is chaos,
then you probably haven't fully understood
the magnitude of the situation."

--Unknown


RE: Setting up DNS; Internet and Intranet questions

Dan Thurman
Thomas Cameron wrote:
| On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
| > I have a setup as follows:
| >
| > 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
| > 2) NAT->DNS(Internet)
| >
| > Let's assume:
| > a) ISP provided static IP is: 111.111.111.1
| > b) Firewall allows access to DNS port 53
| > c) Intranet addresses are: 10.0.0.x
| >
| > Q1: In setting up a DNS server for Internet,
| >     is it required that I set up a mydomain.com
| >     zone for 111.111.111.x addresses or can I
| >     use 10.0.0.x addresses since NAT is involved?
| >
| >     What I am trying to understand here is, am I required
| >     to set up separate DNS servers, one for Internet
| >     (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
| >
| > The trouble that I am running into is that I am not able
| > to get reverse DNS to work even though I have PTR fields
| > defined, but they are of 10.0.0.x addresses and I am not
| > seeing rDNS resolvers.
|
| Where is your DNS server?  Is it behind the firewall?

Yes.
 
| Here's what I have:
|
| *) 1 Linux firewall connected to my ISP (public address) -
| uses iptables
| with SNAT so the internal private network can get to the Internet.
|
| *) 2 machines inside the firewall running forward and reverse
| DNS, DHCP
| and so on.  My internal network is called something like
| "mynet.lan" so
| that it can never get confused with any outside DNS namespace.
|
| *) All machines inside the firewall look at the internal DNS server so
| that they can resolve correctly.  Any lookups for which the DNS server
| is not authoritative gets sent out through the firewall.
|
| This works flawlessly for me.

What is not clear is whether your DNS setup is using your private
IP addresses only, i.e., are you using your static public
IP addresses or are you using your private IP addresses or
both?

I have a firewall-appliance (SonicWall), so I am trying to
setup things using it and looking for a basic solution.

I tried, for example, using the same "mydomain.com" zone,
adding both public and private IP addresses, which I found
to be unmanageable, so I decided to drop the public IP
addresses from my "mydomain.com" zone until I have a clear
understanding of the proper way of setting up a home-based
DNS server handling both public and private IP addresses. As
mentioned before, I had assumed that NAT can somehow handle
public/private IP address translation, and if so, rDNS should
work assuming that the PTRs are properly defined even though
I am using only private IP addresses?

I have seen many different ways of setting up DNS servers,
the traditional way being to have two separate DNS servers,
one for the "outside (Internet)" and one for the "inside
(Intranet)". The Internet DNS server is usually placed on the
DMZ port of your firewall appliance, and the Intranet DNS
server is placed behind the firewall. This seems to be a
waste of hardware, especially for a home-based setup where
hardware costs are a little more expensive.

Any suggestions?

Dan


RE: Setting up DNS; Internet and Intranet questions

Dan Thurman
Christopher A. Williams wrote:
| On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
| > I have a setup as follows:
| >
| > 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
| > 2) NAT->DNS(Internet)
| >
| > Let's assume:
| > a) ISP provided static IP is: 111.111.111.1
| > b) Firewall allows access to DNS port 53
| > c) Intranet addresses are: 10.0.0.x
| >
| > Q1: In setting up a DNS server for Internet,
| >     is it required that I set up a mydomain.com
| >     zone for 111.111.111.x addresses or can I
| >     use 10.0.0.x addresses since NAT is involved?
| >
| >     What I am trying to understand here is, am I required
| >     to set up separate DNS servers, one for Internet
| >     (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
| >
| > The trouble that I am running into is that I am not able
| > to get reverse DNS to work even though I have PTR fields
| > defined, but they are of 10.0.0.x addresses and I am not
| > seeing rDNS resolvers.
|
| Interesting, so it's not just me then. I'm having trouble getting
| anything on my DNS servers to resolve. I'm using the DNS configuration
| tool to set up a master zone for a local domain (mydomain.local), yet
| nothing is working. I've checked ports, firewall, and selinux
| settings. Still no dice.
|
| Ideas welcome - I'm not sure what I'm missing / doing wrong.

yup!  Keep poking/asking questions here until your issues are
resolved! ;)

FWIW,
Dan


Re: Setting up DNS; Internet and Intranet questions

David L. Gehrt
<snip>

For what it is worth, here is how my domain (inanity.net) is set up. I
have a DSL connection to my firewall/gateway, a Linux box running Arno's
firewall, which does NAT. This system is also the master name server for
the inanity.net zone and the ultimate default gateway for the systems
inside the firewall/gateway. The firewall/gateway machine is dual homed.
One address is the static one from SBCGlobal and the other interface is
on the 192.168.2.0/24 internal network.

Inside the gateway is my mail hub, a network attached storage device, an
HP network printer, a WRT310n wireless router and a WRT56g wireless
router. All these devices are wired into a Netgear 8 port switch. These
devices all have addresses on the 192.168.2.0/24 internal network.

There are three wireless laptops; two laptops have 802.11b/g interfaces
and one has 802.11b/g/n. The WRT310n router joined the mess early this
morning when I got the Talisman 1.3.5 firmware installed on both wireless
routers. The internal wireless address is 192.168.1.0/24, but each router
uses a different block of DHCP addresses.

DNS on this mess: the firewall/gateway, as the master DNS server, runs
split DNS. The split is internal and external. The external zone file
only has an A record for the firewall/gateway machine. It has an MX
record for the domain which directs the mail to the gateway, which then
shuffles it off to the mail machine. I should have used port forwarding,
but this was the setup when I had a flat and less DNS experience, say
around 1990.

There are two external slave DNS servers. These only get the data for
the exterior zone.

Here is the guts of my named.conf file. I have removed a lot of
extraneous material, logging info, comments, but I have left the
important stuff. Two points. There are three internal DNS servers: one
each on the wireless routers, and one on the mail system. These are
slave servers, not caching-only DNS servers. I now have to deal with
DDNS, because until a few minutes ago my entire DNS used static IPs.
Now the wireless laptops can move freely between the routers, with
their separate DHCP address spaces. There are many ways to handle this;
it is just new to me, and I was up all night wrestling with router
firmware upgrades.

Remember bind is worse than any English teacher. Watch for the missing
';' and ALWAYS verify that named is running. Any error will keep named
from running; logs and rndc(8) are your friends.

Oh, I almost forgot: serial numbers in zone files MUST increase with
each modification to a zone file or the new data will not replace
previous data. I ran a big DNS environment, 10000+ DNS resource
records, 1 master and 2 slave servers. Zone file serial numbers are 10
characters long. We used YYYYMMDDNN: YYYY 4 digit year, MM month, DD
day and NN changes per day. Retired, I have never needed 2 digits for
NN, but old habits...

dlg

David L.Gehrt
1865 Wilding Lane
San Luis Obispo, CA 93401
 
 
------------------------------------------------------------------------
options {
.
.
.
};
//
logging {
.
.
.
};
//
view "internal" {
        // Only loopback and the two private LANs are served this view.
        match-clients {
          127/8;
          192.168.2/24;
          192.168.1/24;
        };
        zone "." IN {
                type hint;
                file "named.ca";
        };
//
        include "/etc/named.rfc1912.zones";
//
        zone "inanity.net" {
                type master;
                file "internal/inanity.net";
                allow-transfer {
                  192.168.2/24;
                  192.168.1/24;
                };
        };
//
        zone "1.168.192.in-addr.arpa." {
                type master;
                file "internal/rev1.inanity.net";
                allow-transfer {
                  192.168.2/24;
                  192.168.1/24;
                };
        };
//
        zone "2.168.192.in-addr.arpa." {
                type master;
                file "internal/rev2.inanity.net";
                allow-transfer {
                  192.168.2/24;
                  192.168.1/24;
                };
        };
//
};
//
view "external" {
        // Everyone else: public zone data only, transfers only to the
        // two external slaves.
        match-clients { any; };
        zone "inanity.net" {
                type master;
                file "external/inanity.net";
                allow-transfer {
                        xxx.xxx.xxx.x; // external name server
                        xxx.xxx.xxx.x; // external name server
                };
        };
};

------------------------------------------------------------------------

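Pulling the thread's advice together for the original poster's numbers, here is an added example. It is not from any post in this thread and is neither David's nor Thomas's configuration: a shell script that writes a minimal split-horizon named.conf and its zone files for mydomain.com, keeping the 10.0.0.x addresses and their PTR records in an internal view and publishing only 111.111.111.1 in the external view, plus a helper that bumps a YYYYMMDDNN serial the way David describes (including the case where the old serial already belongs to today, where it must still go up rather than back). The host names (ns1, www, fileserver), their 10.0.0.x assignments, the previous serial 2008052601 and the output directory are constructed for the example. On Q1: one BIND instance with two views is enough; the 10.0.0.x PTRs only ever answer on the LAN, and the reverse record for 111.111.111.1 lives in the in-addr.arpa zone controlled by whoever holds that address block (normally the ISP), so it cannot be created locally.

```shell
#!/bin/sh
# Added example, not from the thread. Host names, 10.0.0.x assignments
# and the previous serial are constructed for illustration.
set -eu

# next_serial OLD TODAY: next YYYYMMDDNN serial strictly greater than OLD.
# If OLD is already today's (or lies in the future because of a typo),
# add one rather than going backwards: slaves only transfer when the
# serial increases.
next_serial() {
  old=$1 today=$2
  candidate="${today}01"
  if [ "$old" -lt "$candidate" ]; then
    echo "$candidate"
  else
    echo $((old + 1))
  fi
}

# ptr_name DOTTED_QUAD: owner name of the PTR record for that address.
ptr_name() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo "$4.$3.$2.$1.in-addr.arpa."
}

# write_zones DIR SERIAL: emit named.conf plus three zone files.
write_zones() {
  dir=$1 serial=$2
  mkdir -p "$dir/internal" "$dir/external"

  # LAN clients get the private data and recursion; everyone else sees
  # only the public address and gets no recursion (no open resolver).
  # Internal zone transfers stay on the LAN so the 10.0.0.x map never
  # leaves it.
  cat >"$dir/named.conf" <<EOF
view "internal" {
    match-clients { 127.0.0.0/8; 10.0.0.0/24; };
    recursion yes;
    zone "mydomain.com" { type master; file "$dir/internal/mydomain.com";
        allow-transfer { 10.0.0.0/24; }; };
    zone "0.0.10.in-addr.arpa" { type master;
        file "$dir/internal/0.0.10.in-addr.arpa";
        allow-transfer { 10.0.0.0/24; }; };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "mydomain.com" { type master; file "$dir/external/mydomain.com";
        allow-transfer { none; }; };
};
EOF

  # Shared SOA/NS header; the serial is what changes on every edit.
  header="\$TTL 3600
@   IN SOA ns1.mydomain.com. hostmaster.mydomain.com. (
        $serial ; serial, YYYYMMDDNN
        3600 900 1209600 300 )
    IN NS  ns1.mydomain.com."

  # Constructed LAN hosts: name and private address.
  hosts="ns1 10.0.0.1
www 10.0.0.2
fileserver 10.0.0.3"

  {
    echo "$header"
    echo "$hosts" | while read -r name ip; do
      printf '%-12s IN A   %s\n' "$name" "$ip"
    done
  } >"$dir/internal/mydomain.com"

  {
    echo "$header"
    echo "$hosts" | while read -r name ip; do
      printf '%-24s IN PTR %s.mydomain.com.\n' "$(ptr_name "$ip")" "$name"
    done
  } >"$dir/internal/0.0.10.in-addr.arpa"

  # External view: the single public address only. No 10.0.0.x here and
  # no reverse zone, because 111.111.111.in-addr.arpa is the ISP's.
  {
    echo "$header"
    printf '%-12s IN A   %s\n' "ns1" "111.111.111.1"
    printf '%-12s IN A   %s\n' "www" "111.111.111.1"
  } >"$dir/external/mydomain.com"
}

ZONEDIR=$(mktemp -d)
# 2008052601 is a constructed "previous" serial.
SERIAL=$(next_serial 2008052601 "$(date +%Y%m%d)")
write_zones "$ZONEDIR" "$SERIAL"

# Syntax-check with BIND's own tools when they are installed.
if command -v named-checkzone >/dev/null 2>&1; then
  named-checkzone mydomain.com "$ZONEDIR/internal/mydomain.com"
  named-checkzone 0.0.10.in-addr.arpa "$ZONEDIR/internal/0.0.10.in-addr.arpa"
  named-checkzone mydomain.com "$ZONEDIR/external/mydomain.com"
fi
echo "zones written to $ZONEDIR with serial $SERIAL"
```

The generated named.conf is only the view section; David's elided options and logging stanzas are still required around it. Before reloading, run named-checkconf on the whole file and named-checkzone on each zone file, which catches the missing ';' David warns about before named refuses to start.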

RE: Setting up DNS; Internet and Intranet questions

Dan Thurman
Daniel B. Thurman wrote:
| Christopher A. Williams wrote:
| | On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
[snip!]

You might want to look at:
http://www.garykessler.net/library/dns.html

FWIW,
Dan


RE: Setting up DNS; Internet and Intranet questions

Christopher A. Williams-3
On Tue, 2008-05-27 at 11:39 -0700, Daniel B. Thurman wrote:
> Daniel B. Thurman wrote:
> | Christopher A. Williams wrote:
> | | On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
> [snip!]
>
> You might want to look at:
> http://www.garykessler.net/library/dns.html
>

Just for grins (and review) I re-read this primer. Unfortunately, it
didn't tell me anything I didn't already know. Our name servers are set
up properly, but we are still not able to get them to resolve anything.
The issue has to be somewhere else on the servers themselves...

--
===========================
"If you are calm while all around you is chaos,
then you probably haven't fully understood
the magnitude of the situation."

--Unknown
