hi..

Recently i haved install and configured bind9 on a debian etch machine, with two domains that are already resolving names on the server working perfectly fine, but not exactly in the way that i want to.

The thing is that i have configured the DNS server to resolv the incoming petition to a WAN IP as is described in the zone file below :

innova-ingenieria.org. IN SOA ns.innova-ingenieria.org. admin@innova-$
4
28800
3600
604800
38400 )

innova-ingenieria.org. IN NS ns.innova-ingenieria.org.
innova-ingenieria.org. IN MX 10 ns.innova-ingenieria.org.

www IN A 200.27.67.110
mta IN A 10.0.0.180
ns IN A 10.0.0.180


.... so my problem is that i dont want that the petition be delivered on the IP 200.27.67.110. I need that the redirection be made on a local machine (10.0.0.180 for example) and the contents of the site could be viewed from outside.

A friend told me that this can be done but only if my DNS server works as the name resolver of my LAN.

Whe are trying to reduce the numbers of WAN IP´s (right know we have several sites working on diferents WAN IP´s)

¿ Can somebody tell me how can i make this ?

Best regards.

Rockamchile

If I understand what you want to do correctly, your friend is completely wrong. You cannot have any private IP addresses in your zone file, that means anything beginning with 192.168, 172.16-172.31, 169.254, or 10. You cannot route to those addresses from the outside world. The only people an address like that will work for are those on your LAN. If you are setting up local DNS just for your home or office, then all of the addresses should be 10.0.0.180, and not use the public IP at all.

If you want private addresses for your LAN and public for the rest of the world, then you need to configure views in BIND.

Please check out http://www.dnsstuff.com/tools/dnsrep...ingenieria.org because you have many problems with your setup.

Peace,
JimBass

Thanks man....

Another thing.... can you have multiple sites with SSL certificates over a single webserver an just one WAN IP ?

The thing is that we have an IIS server (Microsoft) with a lot of websites but we cannot give more than one SSL per WAN IP. That means that no matter how much sites we have with SSL on the webserver, from outside always opens the first one that found and leave the other ones without access (Every time that we try to put https:// with any of the sites that are at that moment on the server with SSL certificates, it takes us to a same website)

We try to give virtual IP`s to each website and give each one of them a certificate but the problem goes on. Im not very sure, but i think i read once that it can only be one SSL certificate per WAN IP.
Its thats true, it means that i should have one certificate for each WAN IP (200.1.2.3 ==> SSL1, 200.1.2.4 ==> SSL 2, etc...) wich i think its not a very good idea.

We also try to give each site a diferent SSL port and for a time it works fine. The only problem was that the users must put the number of the port after the name of the site (example : https://www.myproblem.com:444) and with many users working behind firewalls outside the company, they couldnt reach the sites because their network administrator only allow SSL trafic on the standar 443 port.

I was thinking in use Apache to redirect some of the sites and use SSL Tunnel, but im still have a lots of doubts of how to use it.

Can you help me with this ?

Do i need more tools to do this or do you know a better way to do it ?

Thanks

Rockmanchile

First and foremost, this new question has nothing to do with the previous one, and should not be in the same thread. Think about the next person searching for this same question (which you obviously didn't do). If they search for anything with DNS, or SSL, they end up with this thread. What you should have done was simply started a new thread (or even better, used the search feature here or at all powerful google) and you would have found your answer.

No, you can't run multiple SSL sites on one IP address. That is not the fault of IIS, or apache, that is how SSL (https) is designed. You can do it with different ports, but you stated you don't want to do that.

Peace,
JimBass