Creating a bogus DNS domain inside private address range network
Like most people with high speed internet I have only one real, routable IP address. I have a gateway/firewall/masquerade machine "in front of" all the rest of the computers in my LAN. This firewall/gateway also does caching DNS and dhcpd for the internal machines.
The idea is to create a bogus DNS domain like, "hey.you" for my LAN so I can experiment with stuff like LDAP, which requires fully qualified domain names and working DNS. I know this setup is possible. Had such a fake/internal DNS domain set up years ago with Bind 8. I can't find any trace of it in my backups. Do any of you have such a setup running now or know of a good How-To? Thanks. |
There is nothing special to do to add a domain in BIND, whether it is real or bogus.
Just add the appropriate zone entry in /etc/named.conf, create the zone file for the new domain, and put your DNS server's IP address in /etc/resolv.conf on the clients. |
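The three pieces that reply describes (a zone stanza in named.conf, a forward zone file, and a reverse zone for the private range), generated for the thread's oplz.yo / 192.168.10.0/24 setup. This is an added example, not code from the original post: the host table, file layout and helper names are my own, and the named.conf it emits turns on the allow-transfer/allow-update restrictions that the poster's own named.conf leaves commented out, and limits queries and recursion to the local networks.

```python
"""Generate BIND pieces for a private LAN zone: forward zone, matching
reverse zone, and named.conf stanzas.  Added example for this thread."""
import ipaddress
from datetime import date

DOMAIN = "oplz.yo"                      # the thread's bogus domain
NS_NAME = "ns"                          # unqualified name of the name server
SUBNET = ipaddress.ip_network("192.168.10.0/24")
# Constructed host table; addresses mirror the thread's zone file.
HOSTS = {"ns": "192.168.10.42", "sparc": "192.168.10.1", "jdn": "192.168.10.53"}
CNAMES = {"zucchini": "ns"}


def serial_for(day, rev=1):
    """YYYYMMDDnn serial (the thread's convention); bump rev on every same-day edit."""
    if not 0 <= rev <= 99:
        raise ValueError("daily revision must be 00..99")
    return int(f"{day:%Y%m%d}{rev:02d}")


def _soa(origin, serial):
    # MNAME is the primary server; RNAME is the contact mailbox with '@' written
    # as '.'.  "hostmaster" is only a convention: any mailbox name works.
    return [
        f"$ORIGIN {origin}.",
        "$TTL 1D",
        f"@\tIN\tSOA\t{NS_NAME}.{DOMAIN}. hostmaster.{DOMAIN}. (",
        f"\t\t{serial}\t; serial",
        "\t\t8H\t; refresh",
        "\t\t2H\t; retry",
        "\t\t4W\t; expire",
        "\t\t1D )\t; negative-cache TTL",
        f"@\tIN\tNS\t{NS_NAME}.{DOMAIN}.",   # absolute, so it is valid in the reverse zone too
    ]


def forward_zone(serial):
    lines = _soa(DOMAIN, serial)
    for name, ip in sorted(HOSTS.items()):
        if ipaddress.ip_address(ip) not in SUBNET:   # catches a 192.169-style slip at build time
            raise ValueError(f"{name}: {ip} is outside {SUBNET}")
        lines.append(f"{name}\tIN\tA\t{ip}")
    for alias, target in sorted(CNAMES.items()):
        if target not in HOSTS:
            raise ValueError(f"CNAME {alias} points at unknown host {target}")
        lines.append(f"{alias}\tIN\tCNAME\t{target}")
    return "\n".join(lines) + "\n"


def reverse_origin():
    """10.168.192.in-addr.arpa for 192.168.10.0/24 (only a /24 is handled here)."""
    if SUBNET.prefixlen != 24:
        raise ValueError("reverse zone generation here assumes a /24")
    octets = str(SUBNET.network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(serial):
    lines = _soa(reverse_origin(), serial)
    seen = {}
    for name, ip in sorted(HOSTS.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        if ip in seen:                      # one PTR per address keeps reverse lookups unambiguous
            raise ValueError(f"{ip} used by both {seen[ip]} and {name}")
        seen[ip] = name
        lines.append(f"{ip.rsplit('.', 1)[1]}\tIN\tPTR\t{name}.{DOMAIN}.")
    return "\n".join(lines) + "\n"


def _zone_stanza(name, path):
    return (f'zone "{name}" {{\n'
            "\ttype master;\n"
            f'\tfile "{path}";\n'
            "\tallow-transfer { none; };\n"   # nobody needs to AXFR a LAN-only zone
            "\tallow-update { none; };\n"     # no dynamic updates unless you add TSIG-keyed ones
            "};\n")


def named_conf():
    """Options plus both zone stanzas; 'localnets' is BIND's built-in ACL for attached networks."""
    options = (
        "options {\n"
        '\tdirectory "/etc/bind";\n'
        f"\tlisten-on {{ 127.0.0.1; {HOSTS[NS_NAME]}; }};\n"
        "\tallow-query { localnets; };\n"
        "\tallow-recursion { localnets; };\n"
        "};\n"
    )
    rev = reverse_origin()
    return options + _zone_stanza(DOMAIN, f"pz/{DOMAIN}.db") + _zone_stanza(rev, f"pz/rev.{rev}")


if __name__ == "__main__":
    s = serial_for(date.today())
    print(forward_zone(s), reverse_zone(s), named_conf(), sep="\n")
```

The listen-on line matters on a box like the one in the first post, which also holds the routable address: without it named answers on the public side too. Run the output through named-checkzone and named-checkconf before reloading.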
Although I think it's too long (11 characters), and I would prefer ".lan", I believe ".localdomain" is reserved for this purpose. Or did I miss your point? |
While every computer on the same LAN could be a member of "this network" [aka, localdomain], one workstation would not know a name assigned to another workstation on the same LAN. The other option is to have each host have its own /etc/hosts file and use static IP addresses. There is some way that DHCP and dynamic IP addresses interact with DNS to create unique names on-the-fly that are known to the local name servers. Would love to learn how to make that work, since I've never used the feature. Cheers, ~~~ 0;-Dan |
Thanks for the reply.
I have named almost the way I want it now. From my workstation I can do "host skullery.oplz.lan" and reliably receive the right IP address as well as any CNAME I have applied. What I can't get is the one thing I most want. I can't do "ssh skullery". I can go "ssh skullery.oplz.lan" and log in, but I can't log in using the unqualified host name. My resolv.conf has this in it:
Code:
domain oplz.yo
search oplz.yo
nameserver 192.168.10.42
Perhaps I should take the machines with A records in DNS out of my dhcpd.conf file. However the IPs and hostnames in the dhcpd.conf -do- match what I have in DNS, so I'm not sure how dhcpd would get in the way. I do have
Code:
option domain-name "oplz.yo";
option domain-name-servers 192.168.10.42;
in my dhcpd.conf file. |
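What the stub resolver actually does with "ssh skullery" given that resolv.conf, as an added example (not from the original post): it parses the domain/search/options lines the way glibc does and lists the names it will query, in order. The resolv.conf text is a constructed copy of the one quoted above; the function names are mine.

```python
"""Search-list expansion as done by the glibc stub resolver.
Added example for this thread; RESOLV_CONF is constructed from the post above."""
import re

RESOLV_CONF = """\
domain oplz.yo
search oplz.yo
nameserver 192.168.10.42
"""


def parse_resolv_conf(text):
    """Return (search_list, ndots).  'domain' and 'search' are alternatives:
    whichever appears last wins.  ndots defaults to 1 and glibc caps it at 15."""
    search, ndots = [], 1
    for line in text.splitlines():
        toks = line.split("#", 1)[0].split()
        if not toks:
            continue
        key, args = toks[0], toks[1:]
        if key == "domain" and args:
            search = [args[0]]
        elif key == "search":
            search = args
        elif key == "options":
            for opt in args:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    ndots = min(int(m.group(1)), 15)
    return search, ndots


def lookup_order(name, search, ndots=1):
    """Names queried, in order.  A trailing dot means 'absolute, try only this'.
    With at least ndots dots the name is tried as-is first, then with each
    search suffix; with fewer dots the suffixes come first and the bare name last."""
    if name.endswith("."):
        return [name]
    with_suffix = [f"{name}.{s}" for s in search]
    if name.count(".") >= ndots:
        return [name] + with_suffix
    return with_suffix + [name]


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for n in ("skullery", "skullery.oplz.yo", "skullery.oplz.yo."):
        print(n, "->", lookup_order(n, search, ndots))
```

So with that file "ssh skullery" is expected to query skullery.oplz.yo first, which is why the later posts look elsewhere for the cause. The caveat a practitioner wants here: an unqualified name means whatever the current search list says, and on a network whose DHCP server hands out a different domain-name, "skullery" resolves somewhere else entirely; the SSH host-key check is what catches that. If you would rather not rely on the system search list, OpenSSH can do the expansion itself with CanonicalizeHostname yes and CanonicalDomains oplz.yo in ssh_config.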
Quote:
Code:
domain oplz.lan
QUESTION: If you have it mostly working, how did you deal with personal, family and visitor DHCP hosts and your DNS lists? Are you using MAC-matching {my term} to assign specific IPs to specific MAC addresses? QUESTION: Is there any chance that you might share what you did in ways that (a) protect your security, and (b) enable others to try something similar? ~~~ 0;-Dan |
In fact I can resolve hosts using only their hostnames using /usr/bin/host and dig, but from ssh I need to use the FQDN. How does this make sense? |
oh. I changed it.
I used .yo instead of .lan across the entire network.
Yes, I do use MAC addresses in dhcpd.conf. |
Here is my zone file. One thing none of the docs talk about is the significance of "hostmaster" in this config. Is that a required thing? Seems to always be present. Is there something magical about it? Could I change hostmaster to some other string?
Code:
$ORIGIN nplz.yo.
$TTL 1D
@               IN      SOA     ns.oplz.yo. hostmaster.oplz.yo. (
                                2009101511      ; serial, today's date + today's serial #
                                8H              ; refresh, seconds
                                2H              ; retry, seconds
                                4W              ; expire, seconds
                                1D )            ; minimum, seconds
                        NS      ns
zucchini                CNAME   ns
1                       PTR     localhost.
localhost               A       127.0.0.1
ns                      A       192.169.10.42   ; sic: the 192.169 typo found further down the thread
sparc                   A       192.168.10.1
jdn                     A       192.168.10.53
Here is my named.conf:
Code:
include "/etc/bind/rndc.key";
zone "0.0.127.in-addr.arpa" {
        type master;
        file "pz/127.0.0";
};
zone "oplz.yo" IN {
        type master;
        file "/etc/bind/pz/oplz.yo.db";
        #allow-transfer { none; };
        #allow-update { none; };
};
zone "10.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/pz/rev.10.168.192.in-addr.arpa";
}; |
Take a look at man ssh_config. My quick scan revealed that there are all sorts of pattern matching and other processing that can happen. {grin}I'll leave that exercise to the student.{/grin} |
$ORIGIN nplz.yo.
Should and does read "$ORIGIN oplz.yo." I'm not using my real (fake) domain in this post. Just assume my files are consistently set up for oplz.yo. |
When you have visitors, I suspect that they play standard DHCP and get the address of your in-house name server. If they wish to play with your resources {blush} they use something.oplz.yo and all is well. Do I understand what you are doing? Also, do you play with win-dose workstations at all? Do they play well with others using your scheme? It seems to me that redmond-DNS is not quite the same as for the rest of us. Cheers, ~~~ 0;-Dan |
A Linux server (not the DNS server) does dhcpd for my LAN. I don't trust a "black box."
I have a range of reserved IP addresses in dhcpd.conf and a block of freely assignable ones. There is no Windows machine on my LAN. None. You said, "they use something.oplz.yo and all is well." No. Visitors only get an IP address. |
I just realized I had a typo in the IP address for the machine I was trying to ssh into. Typo in the CNAME in the zone file. Now I can ssh in, since I fixed the typo. Was not an SSH issue.
When I did the host command (and thought my DNS config was fine) my eye did not catch the bad IP address returned. I was getting 192.169.10.42 and did not notice the 169 for the longest time. We tend to correct stuff (like spelling errors) without even knowing it. |
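The two slips in this thread ($ORIGIN nplz.yo. for oplz.yo., and 192.169 for 192.168) are exactly the kind of thing an eye skips over and a small linter does not. Below, as an added example that is not part of the thread, is a zone-file checker that parses the posted file (reconstructed here with both slips left in and labelled as such) and reports $ORIGIN mismatches, A records outside the expected private range, CNAME/NS targets with no record in the zone, a serial that is not YYYYMMDDnn, and a CNAME sharing an owner with other records. Parser and function names are my own.

```python
"""Lint a BIND zone file for the class of slip found in this thread.
Added example; ZONE_FROM_THREAD is reconstructed from the posted file."""
import ipaddress
import re

ZONE_FROM_THREAD = """\
$ORIGIN nplz.yo.
$TTL 1D
@       IN      SOA     ns.oplz.yo. hostmaster.oplz.yo. (
                        2009101511      ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D )            ; minimum
                NS      ns
zucchini        CNAME   ns
1               PTR     localhost.
localhost       A       127.0.0.1
ns              A       192.169.10.42
sparc           A       192.168.10.1
jdn             A       192.168.10.53
"""

TTL_RE = re.compile(r"\d+[smhdw]?", re.I)


def parse_zone(text):
    """Return (origin, [(owner, type, rdata_tokens), ...]).  Handles $ORIGIN/$TTL,
    ';' comments, '(' ')' continuation lines, and a blank owner field meaning
    'same owner as the previous record'."""
    origin, records, owner = None, [], "@"
    buf, depth, leading_blank = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth == 0:
            leading_blank = line[0].isspace()
        for tok in line.split():
            depth += tok.count("(") - tok.count(")")
            tok = tok.replace("(", "").replace(")", "")
            if tok:
                buf.append(tok)
        if depth > 0:
            continue                          # record continues on the next line
        toks, buf = buf, []
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            continue
        if not leading_blank:
            owner = toks.pop(0)
        while toks and (toks[0].upper() == "IN" or TTL_RE.fullmatch(toks[0])):
            toks.pop(0)                       # optional class and TTL
        records.append((owner, toks[0].upper(), toks[1:]))
    return origin, records


def lint_zone(text, zone, subnet):
    """Return a list of findings (empty when the zone passes)."""
    subnet = ipaddress.ip_network(subnet)
    origin, records = parse_zone(text)
    findings = []
    if origin != zone + ".":
        findings.append(f"$ORIGIN {origin} does not match zone {zone}.")

    def fq(name):                             # absolute form of a name relative to the zone
        if name == "@":
            return zone + "."
        return name if name.endswith(".") else f"{name}.{zone}."

    def in_zone(absname):
        return absname == zone + "." or absname.endswith("." + zone + ".")

    absolute = {fq(o) for o, _, _ in records}
    types_by_owner = {}
    for owner, rtype, _ in records:
        types_by_owner.setdefault(owner, set()).add(rtype)

    for owner, rtype, rdata in records:
        if rtype == "SOA":
            mname, serial = fq(rdata[0]), rdata[2]
            if in_zone(mname) and mname not in absolute:
                findings.append(f"SOA MNAME {mname} has no record in the zone")
            if not re.fullmatch(r"\d{10}", serial):
                findings.append(f"serial {serial} is not YYYYMMDDnn")
        elif rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            if ip not in subnet and not ip.is_loopback:
                findings.append(f"{owner} A {ip} is outside {subnet}")
        elif rtype in ("CNAME", "NS"):
            target = fq(rdata[0])             # only in-zone targets can be checked locally
            if in_zone(target) and target not in absolute:
                findings.append(f"{owner} {rtype} {rdata[0]} has no target record in the zone")
        if rtype == "CNAME" and types_by_owner[owner] != {"CNAME"}:
            findings.append(f"{owner} has a CNAME alongside other records")
    return findings


if __name__ == "__main__":
    for f in lint_zone(ZONE_FROM_THREAD, "oplz.yo", "192.168.10.0/24"):
        print("finding:", f)
```

Run it against the real file with the zone name and private range you expect, alongside named-checkzone, which validates syntax but has no idea which subnet your LAN is on.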