Bind, DNS, Shorewall question

aclarke · 05-23-2007, 06:51 PM

Hello. I just bought a new domain, say example.com, to point to my home network. I have an old computer running Debian that I use as my router/firewall box in front of all my other computers here. I'd like different subdomains of example.com to be forwarded to different computers on my network. For example, if someone goes to computer1.example.com, I want that to go to computer1. computer2.example.com would go to computer2. This could be ssh, ftp, telnet, http, or whatever I decide to let through my network.

I also would want aliases, so I could have http://client1demo.example.com going through to a demo site I've set up for client 1 on some computer.

I've had shorewall and iptables set up for a year or so, running successfully. I just set up bind yesterday, but this is where my knowledge ends. I THINK I have to use my nameserver here, say ns1.example.com, as the nameserver I give to my registrar, right? Currently I'm using easydns.net for the name servers. If I understand correctly what I need to do, I need to scrap using easydns.net and use my own nameservers.

I also read that I need at least two nameservers. Can I use the same nameserver for both? For instance put a slave zone on my nameserver to my master zone, and then have ns1.example.com and ns2.example.com point to the same name server on the same internal IP on my network? I know this isn't recommended, but I also don't really care about this domain right now and am using it as a learning experience. Once I get bind set up correctly and working on one computer I can put it on another.

Or, am I going about this all the wrong way? Is there a way to set this up in shorewall? So basically IPTables reads the domain name that's been requested and forwards it based on that? I haven't figure out any way to do that.

Thanks VERY MUCH for any help on this.
- Andrew.

aclarke · 05-24-2007, 08:50 AM

I've managed to get a little further ahead, and I'm hoping maybe someone can help me figure out where I'm going wrong now.

I found out that everydns.net will provide secondary nameservers that propagate off my primary nameserver. I think I have everything set up correctly on my end, but when I try to set things up at everydns.net I get this error:

zone transfer failed: master nameserver does not give 64.158.219.3 permission for AXFR - please refer to http://faq.everybox.com/secondary-do...t-IP-for-AXFRs

I've added in allow-transfer { any; }; where I think it ought to be in named.conf but things still aren't working for me. I'll enclose my files and maybe someone can see where I'm going wrong:

named.conf

Code:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
//  Because many of our users are uncomfortable receiving undelegated answers
//  from root or top level domains, other than a few for whom that behaviour
//  has been trusted and expected for quite some length of time, we have now
//  introduced the "root-delegations-only" feature which applies delegation-only
//  logic to all top level domains, and to the root domain.  An exception list
//  should be specified, including "MUSEUM" and "DE", and any other top level
//  domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";

named.conf.options

Code:

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you might need to uncomment the query-source
	// directive below.  Previous versions of BIND always asked
	// questions using port 53, but BIND 8.1 and later use an unprivileged
	// port by default.

	query-source address * port 53;

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	forwarders {
		207.179.130.2;
		207.179.130.3;
	};

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
	allow-transfer { any; };
};

named.conf.local

Code:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "clarke.homeip.net" {
	type master;
	file "/etc/bind/net.homeip.clarke.db";
};

zone "andrewclarke.ca" {
	type master;
	file "/etc/bind/ca.andrewclarke.db";
	allow-transfer { any; };
};

zone "16.168.192.in-addr.arpa" {
	type master;
	file "/etc/bind/192.rev";
};

ca.andrewclarke.db

Code:

;
; BIND data file for andrewclarke.ca
;
@	IN	SOA	andrewclarke.ca.	root.andrewclarke.ca.	(
	2007052401	; Serial
	604800	; Refresh
	86400	; Retry
	2419200	; Expire
	604800	)	; Default TTL

	IN	NS	ns.andrewclarke.ca.
	IN	MX	10	mail.andrewclarke.ca.

	www	IN	A	192.168.16.2
	ns	IN	A	192.168.16.1
	mail	IN	A	192.168.16.17

Thank you very much for any pointers anyone might have,
- Andrew.