Bind/Apache/DMZ

metallica1973 · 08-11-2008, 10:20 PM

I have a web server hosting web pages on my DMZ. My Domain registrar is doing the DNS stuff for the external stuff and I am controlling the DNS stuff locally(caching). My issue that I am having is that my external users can see my web pages perfectly fine but my internal users cannot see my web pages from the inside. I can get to web server via ssh and am not having an issue actually getting to it but rather only Apache and I suspect that it has to due with DNS. My DMZ is on a 192.168.2.0 network. What kind of entry would I need to add my web server. Security is an issue so keep that in mind. Here is my /etc/named.conf

PHP Code:


			
acl test.com { 192.168.3.0; 127.0/8; };



options {

        listen-on port 53 { 127.0.0.1; 192.168.3.1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

//      query-source    port 53;

//      query-source-v6 port 53;

        allow-query     { 127.0.0.1; 192.168.3.0/27;  };

        notify no; 

        forwarders      { 4.2.2.5; 4.2.2.6;  };



};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};



view "localhost_resolver"

 {

        match-clients      { localhost; 192.168.3.0/27; };

        match-destinations { localhost; 192.168.3.0/27;  };

        recursion yes;

        include "/etc/named.rfc1912.zones";



};

Here is my zone file - test.com

PHP Code:


			


$TTL 1D

;

;       Anythime you make a change to the domain , change the "serial setting below. Here is the format "YYYYMMDDI"

;

test.com.                    IN     SOA     server.test.com. admin.test.com. (



                           200612291 ; serial

                           2H        ; refresh

                           5M        ; retry

                           1W        ; retry

                           1M        ; expire

                        )

 (NS)



@                       IN      NS           server.test.com.









;       Our hostnames in alphabetical order



server.test.com.                              IN  A      192.168.3.1

nameserver                                      IN  CNAME  server2.test.com.

server3.test.com.                              IN  A      192.168.3.5

client1.test.com.                         IN  A      192.168.3.22

client2.test.com.                           IN  A      192.168.3.30

Mr. C. · 08-11-2008, 10:55 PM

You essentially have a split DNS, with the slight modification that an external NS controls public name lookups, but your internal NS controls LAN lookups.

You need to create LAN IP entries for each host you want accessible by name. This would be a series of A records, and the equivalent PTR records.

Then, all your clients should be using your internal caching DNS server; give out the address either via DHCP, or manually configure internal clients.

Add your test.com as a zone in your named.conf file, or it won't be seen.

Your serial number looks very old. Updated it with today's date plus and a 2 digit number (eg. 2008081101). Always update the number when you change the zone files.

chort · 08-11-2008, 11:49 PM

PHP Code:


			
view "localhost_resolver" 
 { 
        match-clients      { localhost; 192.168.3.0/27; }; 
        match-destinations { localhost; 192.168.3.0/27;  }; 
        recursion yes; 
        include "/etc/named.rfc1912.zones";
 
        zone "test.com" {
            type master;
            file "path/to/zonefile";
        };

};

metallica1973 · 08-12-2008, 12:41 AM

PHP Code:


			
view "localhost_resolver" 

 { 

        match-clients      { localhost; 192.168.3.0/27; }; 

        match-destinations { localhost; 192.168.3.0/27;  }; 

        recursion yes; 

        include "/etc/named.rfc1912.zones";

 

        zone "test.com" {

            type master;

            file "path/to/zonefile";

        };



};

the DMZ is a 192.168.2.0/27 network so would it look something like this:

PHP Code:


			
view "localhost_resolver" 

 { 

        match-clients      { localhost; 192.168.2.0/27; 192.168.3.0/27; }; 

        match-destinations { localhost; 192.168.2.0/27; 192.168.3.0/27;  }; 

        recursion yes; 

        include "/etc/named.rfc1912.zones";

 

        zone "test.com" {

            type master;

            file "path/to/zonefile";

        };



};

chort · 08-12-2008, 01:43 AM

I guess, but really localhost_resolver view is just supposed to be for your loopback adaptor (127.0.0.1). You should use views called "internal" and "external" (or something similar) to specify other networks to match.

PHP Code:


			
view localhost_resolver {
    match-clients { 127.0.0.1; ::1; };
    ...
}

view internal {
    match-clients { 192.168.2.0/27; 192.168.3.0/27; };
    ...
};

view external {
    match-clients { !127.0.0.1; !::1; !192.168.2.0/27; !192.168.3.0/27; any; };
    ...
};

By the way, why on Earth are you using /27 netmasks? There's no need to conserve internal IPs, why not just use the whole /24?

PS You would put the same code for test.com zone in both localhost_resolver and internal. In external you would deny query and recursion, or just not define an external view at all (since you're not hosting the external records).

metallica1973 · 08-12-2008, 10:33 AM

I will check into. Many thanks