05-27-2008, 02:44 PM
"Daniel B. Thurman"

Setting up DNS; Internet and Intranet questions

I have a setup as follows:

1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
2) NAT->DNS(Internet)

Let's assume:
a) ISP provided static IP is: 111.111.111.1
b) Firewall allows access to DNS port 53
c) Intranet addresses are: 10.0.0.x

Q1: In setting up a DNS server for Internet,
is it required that I setup mydomain.com
zone for 111.111.111.x addresses or can I
use 10.0.0.x addresses since NAT is involved?

What I am trying to understand here, am I required
to setup separate DNS servers, one for Internet
(for 111.111.111.x) and one for Intranet (for 10.0.0.x)?

The trouble that I am running into is that I am not able
to get reverse DNS to work even though I have PTR fields
defined but they are of 10.0.0.x addresses and I am not
seeing rDNS resolvers.

Thanks!
Dan

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
05-27-2008, 03:17 PM
"Christopher A. Williams"

Setting up DNS; Internet and Intranet questions

On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
> I have a setup as follows:
>
> 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
> 2) NAT->DNS(Internet)
>
> Let's assume:
> a) ISP provided static IP is: 111.111.111.1
> b) Firewall allows access to DNS port 53
> c) Intranet addresses are: 10.0.0.x
>
> Q1: In setting up a DNS server for Internet,
> is it required that I setup mydomain.com
> zone for 111.111.111.x addresses or can I
> use 10.0.0.x addresses since NAT is involved?
>
> What I am trying to understand here, am I required
> to setup separate DNS servers, one for Internet
> (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
>
> The trouble that I am running into is that I am not able
> to get reverse DNS to work even though I have PTR fields
> defined but they are of 10.0.0.x addresses and I am not
> seeing rDNS resolvers.

Interesting, so it's not just me then. I'm having trouble getting
anything on my DNS servers to resolve. I'm using the DNS configuration
tool to set up a master zone for a local domain (mydomain.local), yet
nothing is working. I've checked ports, firewall, and selinux settings.
Still no dice.

Ideas welcome - I'm not sure what I'm missing / doing wrong.

Cheers,

Chris


--
===========================
"If you are calm while all around you is chaos,
then you probably haven't fully understood
the magnitude of the situation."

--Unknown

 
05-27-2008, 03:18 PM
Thomas Cameron

Setting up DNS; Internet and Intranet questions

On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
> I have a setup as follows:
>
> 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
> 2) NAT->DNS(Internet)
>
> Let's assume:
> a) ISP provided static IP is: 111.111.111.1
> b) Firewall allows access to DNS port 53
> c) Intranet addresses are: 10.0.0.x
>
> Q1: In setting up a DNS server for Internet,
> is it required that I setup mydomain.com
> zone for 111.111.111.x addresses or can I
> use 10.0.0.x addresses since NAT is involved?
>
> What I am trying to understand here, am I required
> to setup separate DNS servers, one for Internet
> (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
>
> The trouble that I am running into is that I am not able
> to get reverse DNS to work even though I have PTR fields
> defined but they are of 10.0.0.x addresses and I am not
> seeing rDNS resolvers.

Where is your DNS server? Is it behind the firewall?

Here's what I have:

*) 1 Linux firewall connected to my ISP (public address) - uses iptables
with SNAT so the internal private network can get to the Internet.

*) 2 machines inside the firewall running forward and reverse DNS, DHCP
and so on. My internal network is called something like "mynet.lan" so
that it can never get confused with any outside DNS namespace.

*) All machines inside the firewall look at the internal DNS server so
that they can resolve correctly. Any lookups for which the DNS server
is not authoritative get sent out through the firewall.

This works flawlessly for me.

--
Thomas

 
05-27-2008, 03:49 PM
"Daniel B. Thurman"

Setting up DNS; Internet and Intranet questions

Thomas Cameron wrote:
| On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
| > I have a setup as follows:
| >
| > 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
| > 2) NAT->DNS(Internet)
| >
| > Let's assume:
| > a) ISP provided static IP is: 111.111.111.1
| > b) Firewall allows access to DNS port 53
| > c) Intranet addresses are: 10.0.0.x
| >
| > Q1: In setting up a DNS server for Internet,
| > is it required that I setup mydomain.com
| > zone for 111.111.111.x addresses or can I
| > use 10.0.0.x addresses since NAT is involved?
| >
| > What I am trying to understand here, am I required
| > to setup separate DNS servers, one for Internet
| > (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
| >
| > The trouble that I am running into is that I am not able
| > to get reverse DNS to work even though I have PTR fields
| > defined but they are of 10.0.0.x addresses and I am not
| > seeing rDNS resolvers.
|
| Where is your DNS server? Is it behind the firewall?

Yes.

| Here's what I have:
|
| *) 1 Linux firewall connected to my ISP (public address) -
| uses iptables
| with SNAT so the internal private network can get to the Internet.
|
| *) 2 machines inside the firewall running forward and reverse
| DNS, DHCP
| and so on. My internal network is called something like
| "mynet.lan" so
| that it can never get confused with any outside DNS namespace.
|
| *) All machines inside the firewall look at the internal DNS server so
| that they can resolve correctly. Any lookups for which the DNS server
| is not authoritative get sent out through the firewall.
|
| This works flawlessly for me.

What is not clear is, is your DNS setup using your private
IP addresses only - i.e., are you using your static-public
IP addresses or are you using your private IP addresses or
both?

I have a firewall-appliance (SonicWall), so I am trying to
setup things using it and looking for a basic solution.

I tried, for example, using the same "mydomain.com" zone,
adding both public and private ip addresses, which I found
to be unmanageable, so I decided to drop the public ip
addresses in my "mydomain.com" zone, until I have a clear
understanding of the proper way of setting up a home-based
DNS server handling both public and private ip addresses. As
mentioned before, I had assumed that NAT can somehow handle
public/private ip address translation and if so, rDNS should
work assuming that the PTRs are properly defined even though
I am using only private IP addresses?

I have seen many different ways of setting up DNS servers,
the traditional way being two separate DNS servers,
one for the "outside (Internet)" and one for the "inside
(Intranet)". The Internet DNS server is usually placed on the
DMZ port of your firewall-appliance, and the Intranet DNS
server is placed behind the firewall. This seems to be a
waste of hardware, especially for a home-based setup where
hardware costs are a little more expensive.

Any suggestions?

Dan

 
05-27-2008, 03:51 PM
"Daniel B. Thurman"

Setting up DNS; Internet and Intranet questions

Christopher A. Williams wrote:
| On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
| > I have a setup as follows:
| >
| > 1) ISP->pass-thru-DSL-router->firewall-appliance w/ NAT support
| > 2) NAT->DNS(Internet)
| >
| > Let's assume:
| > a) ISP provided static IP is: 111.111.111.1
| > b) Firewall allows access to DNS port 53
| > c) Intranet addresses are: 10.0.0.x
| >
| > Q1: In setting up a DNS server for Internet,
| > is it required that I setup mydomain.com
| > zone for 111.111.111.x addresses or can I
| > use 10.0.0.x addresses since NAT is involved?
| >
| > What I am trying to understand here, am I required
| > to setup separate DNS servers, one for Internet
| > (for 111.111.111.x) and one for Intranet (for 10.0.0.x)?
| >
| > The trouble that I am running into is that I am not able
| > to get reverse DNS to work even though I have PTR fields
| > defined but they are of 10.0.0.x addresses and I am not
| > seeing rDNS resolvers.
|
| Interesting, so it's not just me then. I'm having trouble getting
| anything on my DNS servers to resolve. I'm using the DNS configuration
| tool to set up a master zone for a local domain (mydomain.local), yet
| nothing is working. I've checked ports, firewall, and selinux
| settings. Still no dice.
|
| Ideas welcome - I'm not sure what I'm missing / doing wrong.

yup! Keep poking/asking questions here until your issues are
resolved!

FWIW,
Dan

 
05-27-2008, 06:01 PM
"David L. Gehrt"

Setting up DNS; Internet and Intranet questions

<snip>

For what it is worth here is how my domain (inanity.net) is set up. I
have a DSL connection to my firewall/gateway, a Linux box running
Arno's firewall which does NAT. This system is also the master name
server for the inanity.net zone and the ultimate default gateway for the
systems inside the firewall/gateway. The firewall/gateway machine is
dual homed. One address is the static from SBCGlobal and the other
interface is on the 192.168.2.0/24 internal network.

Inside the gateway is my mail hub, a network attached storage device, an
HP network printer, a WRT310n wireless router and a WRT56g wireless
router. All these devices are wired into a Netgear 8 port switch.
These devices all have addresses on the 192.168.2.0/24 internal network.

There are three wireless laptops, two laptops have 802.11b/g interfaces
and one has an 802.11b/g/n. The WRT310n router joined the mess early
this morning when I got the Talisman 1.3.5 firmware installed on both
wireless routers. The internal wireless address is 192.168.1.0/24, but
each router uses a different block of DHCP addresses.

DNS on this mess: The firewall/gateway as the master DNS server runs
split DNS. The split is internal and external. The external zone file
only has an A record for the firewall/gateway machine. It has an MX
record for the domain which directs the mail to the gateway which then
shuffles it off to the mail machine. I should have used port forwarding
but this was the set up when I had a flat and less DNS experience, say
around 1990.

There are two external slave DNS servers. These only get the data for
the exterior zone.

Here is the guts of my named.conf file. I have removed a lot of
extraneous material, logging info, comments, but I have left the
important stuff. Two points. There are three internal DNS servers.
One each on the wireless routers, and one on the mail system. These are
slave servers, not caching only DNS servers. I now have to deal with
DDNS, because until a few minutes ago my entire DNS used static IPs.
Now the wireless laptops can move freely between the routers, with
their separate DHCP address spaces. There are many ways to handle this,
it is just new to me, and I was up all night wrestling with router
firmware upgrades.

Remember bind is worse than any English teacher. Watch for the missing
';' and ALWAYS verify that named is running. Any error will keep named
from running --logs and rndc(8) are your friends.

Oh, I almost forgot -- serial numbers in zone files MUST increase with
each modification to a zone file or the new data will not replace
previous data. I ran a big DNS environment, 10000+ DNS resource
records, 1 master and 2 slave servers. Zone file serial numbers are 10
characters long. We used YYYYMMDDNN. YYYY 4 digit year, MM month, DD
day and NN changes per day. Retired, I have never needed 2 digits for
NN, but old habits...

dlg

David L.Gehrt
1865 Wilding Lane
San Luis Obispo, CA 93401


------------------------------------------------------------------------
options {
    .
    .
    .
};
//
logging {
    .
    .
    .
};
//
// Internal view: loopback plus the two private networks get the
// full zone data and the root hints for recursion.
view "internal" {
    match-clients {
        127/8;
        192.168.2/24;
        192.168.1/24;
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    //
    include "/etc/named.rfc1912.zones";
    //
    zone "inanity.net" {
        type master;
        file "internal/inanity.net";
        allow-transfer {
            192.168.2/24;
            192.168.1/24;
        };
    };
    //
    // Reverse zones for the two private networks (internal slaves only)
    zone "1.168.192.in-addr.arpa." {
        type master;
        file "internal/rev1.inanity.net";
        allow-transfer {
            192.168.2/24;
            192.168.1/24;
        };
    };
    //
    zone "2.168.192.in-addr.arpa." {
        type master;
        file "internal/rev2.inanity.net";
        allow-transfer {
            192.168.2/24;
            192.168.1/24;
        };
    };
    //
};
//
// External view: everyone else sees only the public zone file.
view "external" {
    match-clients { any; };
    zone "inanity.net" {
        type master;
        file "external/inanity.net";
        allow-transfer {
            xxx.xxx.xxx.x; // external name server
            xxx.xxx.xxx.x; // external name server
        };
    };
};

------------------------------------------------------------------------

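The following is an added example and not code from the thread, from BIND, or from any of the posters. It turns Dan's question and Thomas's and David's answers into one generated split-horizon setup: a single host table for a 10.0.0.0/24 LAN behind NAT produces an internal forward zone with the private addresses, an external forward zone in which every exposed host maps to the one public address (NAT rewrites packet headers, not the addresses carried inside DNS answers), the internal reverse zone whose PTR records Dan is missing, a YYYYMMDDNN serial in David's scheme that is guaranteed to increase, and view definitions in the shape of David's named.conf with recursion restricted to the LAN. The host names, the `ns1`/`mail`/`www`/`nas` table, and hostmaster address are assumptions; `mydomain.com`, `111.111.111.1` and `10.0.0.x` are Dan's placeholders.

```python
"""Split-horizon DNS for a NAT'd home network: one host table, two views.

Added example, not code from the thread or from BIND. Host names and the
host table are constructed; the YYYYMMDDNN serial follows David's scheme.
"""
import datetime
import ipaddress

DOMAIN = "mydomain.com"          # Dan's placeholder zone
PUBLIC_IP = "111.111.111.1"      # Dan's placeholder static address
INTERNAL_NET = "10.0.0.0/24"     # Dan's private network
NS = "ns1"                       # assumption: the name server's own host name

# Constructed table: host -> (internal address, port-forwarded from outside?)
HOSTS = {
    "ns1":  ("10.0.0.2", True),
    "mail": ("10.0.0.3", True),
    "www":  ("10.0.0.4", True),
    "nas":  ("10.0.0.10", False),
}


def next_serial(previous, today=None):
    """YYYYMMDDNN serial strictly greater than `previous`; slaves ignore equal or lower."""
    today = today or datetime.date.today()
    base = int(today.strftime("%Y%m%d")) * 100 + 1
    return base if previous is None or previous < base else previous + 1


def _header(serial):
    return [
        "$TTL 3600",
        f"@ IN SOA {NS}.{DOMAIN}. hostmaster.{DOMAIN}. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS {NS}.{DOMAIN}.",
    ]


def internal_forward(serial):
    """What clients on the LAN see: the real private addresses."""
    lines = _header(serial)
    lines += [f"{name} IN A {addr}" for name, (addr, _) in sorted(HOSTS.items())]
    return "\n".join(lines) + "\n"


def external_forward(serial):
    """What the Internet sees: exposed hosts map to the single NAT address,
    non-exposed hosts are absent, and no private address ever appears."""
    lines = _header(serial)
    lines += [f"{name} IN A {PUBLIC_IP}" for name, (_, exposed) in sorted(HOSTS.items()) if exposed]
    lines.append(f"@ IN MX 10 mail.{DOMAIN}.")
    return "\n".join(lines) + "\n"


def internal_reverse(serial, network=INTERNAL_NET):
    """PTR zone for the private network; returns (zone name, zone text).
    Only the internal view can usefully serve it: nobody delegates
    10.in-addr.arpa to a home server, and the public address's PTR is the ISP's."""
    net = ipaddress.ip_network(network)
    assert net.prefixlen in (8, 16, 24), "classful reverse zones only"
    prefix_octets = net.prefixlen // 8
    zone = ".".join(reversed(str(net.network_address).split(".")[:prefix_octets])) + ".in-addr.arpa"
    lines = _header(serial)
    for name, (addr, _) in sorted(HOSTS.items(), key=lambda kv: ipaddress.ip_address(kv[1][0])):
        ip = ipaddress.ip_address(addr)
        if ip in net:
            host = ".".join(reversed(str(ip).split(".")[prefix_octets:]))
            lines.append(f"{host} IN PTR {name}.{DOMAIN}.")
    return zone, "\n".join(lines) + "\n"


def private_addresses(zone_text):
    """A-record addresses that are private (RFC 1918 etc.); must be empty for the external zone."""
    leaked = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[1:3] == ["IN", "A"] and ipaddress.ip_address(f[3]).is_private:
            leaked.append(f[3])
    return leaked


def named_conf(rev_zone):
    """Views in the shape of David's named.conf, with recursion locked to the LAN
    so the external view cannot be used as an open resolver."""
    return f"""acl lan {{ 127.0.0.0/8; {INTERNAL_NET}; }};
view "internal" {{
    match-clients {{ lan; }};
    recursion yes;
    zone "." IN {{ type hint; file "named.ca"; }};
    zone "{DOMAIN}" {{ type master; file "internal/{DOMAIN}"; }};
    zone "{rev_zone}" {{ type master; file "internal/{rev_zone}"; }};
}};
view "external" {{
    match-clients {{ any; }};
    recursion no;
    zone "{DOMAIN}" {{ type master; file "external/{DOMAIN}"; }};
}};
"""


if __name__ == "__main__":
    serial = next_serial(None, datetime.date(2008, 5, 27))
    rev_name, rev_text = internal_reverse(serial)
    assert not private_addresses(external_forward(serial)), "private address leaked"
    print(internal_forward(serial))
    print(external_forward(serial))
    print(rev_text)
    print(named_conf(rev_name))
```

Write the three zone texts to the files the generated views name, run `named-checkconf` and `named-checkzone mydomain.com internal/mydomain.com` before reloading (David's point about the missing `;`), then verify from both sides: `dig @10.0.0.2 -x 10.0.0.3` from a LAN host should return the PTR, while `dig @111.111.111.1 www.mydomain.com A` from outside should return only the public address and `dig @111.111.111.1 -x 10.0.0.3` should return nothing. Reverse lookups for 111.111.111.1 itself are answered by whoever the ISP delegated that in-addr.arpa space to, so a PTR for the public address has to be set through the ISP (or via an RFC 2317 delegation) rather than in this server.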
 
05-27-2008, 06:39 PM
"Daniel B. Thurman"

Setting up DNS; Internet and Intranet questions

Daniel B. Thurman wrote:
| Christopher A. Williams wrote:
| | On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
[snip!]

You might want to look at:
http://www.garykessler.net/library/dns.html

FWIW,
Dan

 
05-28-2008, 04:22 PM
"Christopher A. Williams"

Setting up DNS; Internet and Intranet questions

On Tue, 2008-05-27 at 11:39 -0700, Daniel B. Thurman wrote:
> Daniel B. Thurman wrote:
> | Christopher A. Williams wrote:
> | | On Tue, 2008-05-27 at 07:44 -0700, Daniel B. Thurman wrote:
> [snip!]
>
> You might want to look at:
> http://www.garykessler.net/library/dns.html
>

Just for grins (and review) I re-read this primer. Unfortunately, it
didn't tell me anything I didn't already know. Our name servers are set
up properly, but we are still not able to get them to resolve anything.
The issue has to be somewhere else on the servers themselves...

 