LinuxQuestions.org, Linux - Networking forum
Thread: Resolving DNS for two separate networks (http://www.linuxquestions.org/questions/linux-networking-3/resolving-dns-for-two-separate-networks-923478/)

Teleute 01-12-2012 01:02 PM

Resolving DNS for two separate networks
 
We have two networks here - one that is connected to the internet (let's say internet.com - obvs not real name), and one that is not (say private.com). I have an RHEL box with two NICs, one connected to each network. Everything works fine when using IP addresses, but it's when we need DNS that there's an issue. If I put dns.internet.com first in resolv.conf, then people can resolve things on the internet, but nothing on the private network. If I put dns.private.com first, then it's the reverse - we can resolve things on the private network, but not the internet.

(I can't put an authoritative entry on dns.private.com pointing to the internet - dns.private.com has no internet connection, and therefore Windows DNS can't confirm that entry exists and it won't allow it.)

Are there any other ways I can get it so both internal and external addresses will resolve properly? (Short of putting hundreds of entries in the hosts file?) Basically, I'd like it to query the first entry in resolv.conf, and if it doesn't find the address, query the second entry. My understanding (and certainly the behaviour I'm seeing) is that it only fails over to the second entry if the first DNS server just flat out can't be found, rather than just if it returns an answer of "can't find it".

Thanks!

T3RM1NVT0R 01-12-2012 02:14 PM

Hi Teleute,

Let us know the answer of the following queries:

1. Which server (OS) hosts the dns.internet.com zone?
2. Which server (OS) hosts the dns.private.com zone?
3. Is there a connection between the servers hosting these two zones? If yes, how?
4. How is the client-side DNS setting configured?

castorw 01-12-2012 03:00 PM

Hi,

imo there are a few solutions:

1) Ensure at least a UDP connection to that private DNS server and make the DNS server forward to the external DNS.
2) If option 1 isn't possible, create a DNS server on the box where you have both connections, forwarding primarily to the private DNS and secondarily to the internet DNS. In this case you should configure a low server-fail time so that, when the private server doesn't respond to a DNS query, the forwarder quickly continues to the internet DNS server.

There are also other options, but these were the first I thought of.

Teleute 01-12-2012 06:07 PM

Quote:

Originally Posted by T3RM1NVT0R (Post 4573028)
Hi Teleute,

Let us know the answer of the following queries:

1. Which server (OS) hosts the dns.internet.com zone?
2. Which server (OS) hosts the dns.private.com zone?
3. Is there a connection between the servers hosting these two zones? If yes, how?
4. How is the client-side DNS setting configured?

1. Windows Server 2003 R2
2. Windows Server 2008 R2
3. No
4. On this RHEL 6.1 machine, it's just in resolv.conf as:
nameserver <ip of dns.private.com>
nameserver <ip of dns.internet.com>

Teleute 01-12-2012 06:09 PM

Quote:

Originally Posted by castorw (Post 4573055)
Hi,

imo there are a few solutions:

1) Ensure at least a UDP connection to that private DNS server and make the DNS server forward to the external DNS.
2) If option 1 isn't possible, create a DNS server on the box where you have both connections, forwarding primarily to the private DNS and secondarily to the internet DNS. In this case you should configure a low server-fail time so that, when the private server doesn't respond to a DNS query, the forwarder quickly continues to the internet DNS server.

There are also other options, but these were the first I thought of.

#1 is definitely not an option, unfortunately.
#2 - so I'd make this particular client its own DNS server, and then in that DNS server I'd put the auth entries for the two main DNS servers? Hmmm....I hadn't thought about that. I'd prefer something that doesn't involve adding a DNS server, but I suppose it's a possibility if there's absolutely nothing else. Thanks!

castorw 01-12-2012 06:21 PM

Quote:

Originally Posted by Teleute (Post 4573163)
#2 - so I'd make this particular client its own DNS server, and then in that DNS server I'd put the auth entries for the two main DNS servers? Hmmm....I hadn't thought about that. I'd prefer something that doesn't involve adding a DNS server, but I suppose it's a possibility if there's absolutely nothing else. Thanks!

So let me add two more possible solutions.
1) Disable forwarding on the private DNS server - this should force the server to stop searching outside its local database and respond negatively to the request. This may work, and after a few milliseconds your box should try the next DNS server in the list.

2) According to this http://linux.die.net/man/5/resolv.conf
you can adjust the per-server timeout, as I described in option #2 of my first reply. This can solve your problem with a small increase in loading time.
Set the timeout to the minimum possible value (IDK whether decimal numbers are allowed) within which the private DNS server is able to respond.
This forces your box to try the secondary DNS server (the internet DNS server) after the private DNS server fails to respond within the specified timeout. This is more a workaround than a solution, but you can give it a try if the other options fail.

RobertEachus 01-13-2012 12:52 PM

Here is a walkthrough for how I would set up a DNS server on the local host so it can do internal and external lookups. This is the cleanest solution I can come up with. The 9 steps should take less than 1 hour even if you have never worked with BIND before.

1. Install named and set it to start automatically.
Code:

su -
yum -y install bind
chkconfig --levels 235 named on

2. In the global options set the DNS forwarders to the internet servers, and comment out allow-query (we can secure it by having named listen only on the loopback; see the next step).
Example config to make it easier; you will need this in /etc/named.conf:
http://www.zytrax.com/books/dns/ch6/#forwarding
3. Set the listen-on statement to listen only on the loopback interface. This will do a great job of securing the DNS server. The following code goes inside the options block.
Code:

listen-on { 127.0.0.1; };
4. Comment out or remove the following sections (just trying to make things easier here; the ISP's DNS servers should already have them, and this way you won't need to create the two zone files):
Code:

// required local host domain
zone "localhost" in{
  type master;
  file "pri.localhost";
  allow-update{none;};
};
// localhost reverse map
zone "0.0.127.in-addr.arpa" in{
  type master;
  file "localhost.rev";
  allow-update{none;};
};

5. Set up a special override for forwarding your internal domain or domains to your internal DNS server(s). Example:
Code:

// zone section fragment of named.conf
zone "example.com" IN {
        type forward;
        forwarders {10.0.0.1; 10.0.0.2;};
};

6. Start the service
Code:

service named start
7. Test some DNS lookups with "dig @127.0.0.1 testname.com"
8. If you're happy, change resolv.conf by replacing all of the nameserver clauses with:
Code:

nameserver 127.0.0.1
9. Make sure the change takes, with the following command; there may be a very brief disruption.
Code:

service network restart
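The nine steps above as one generated, checkable named.conf (an added example, not RobertEachus's own commands): gen_named_conf and check_named_conf are hypothetical helper names, and 192.0.2.53, private.example and the 10.0.0.x addresses are placeholders for the internet DNS, the private domain and the private DNS servers.

```shell
#!/bin/sh
# Added example (not from the thread): generate the split-forwarding
# /etc/named.conf that steps 2-5 above describe, then sanity-check it.
# Placeholder values, not real addresses:
#   internet forwarder   192.0.2.53
#   private domain       private.example   (forwarded to 10.0.0.1 10.0.0.2)

# gen_named_conf <internet_dns> <private_domain> <private_dns>
# Each address argument is a space-separated list; writes named.conf to stdout.
gen_named_conf() {
    inet_l=$(printf '%s; ' $1)   # "a b" -> "a; b; " (BIND address list)
    pdom=$2
    pdns_l=$(printf '%s; ' $3)
    cat <<EOF
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };      // step 3: loopback only, nothing on the NICs
    allow-query { localhost; };    // added hardening, same intent as step 3
    recursion yes;
    forward only;                  // never iterate ourselves: only switch by name
    forwarders { ${inet_l}};       // step 2: default path is the internet DNS
};

// step 5: names under the private domain go to the private DNS only.
// "forward only" here means a private name never leaks to the internet
// forwarders when the private server is down; the lookup just fails.
zone "${pdom}" IN {
    type forward;
    forward only;
    forwarders { ${pdns_l}};
};
EOF
}

# check_named_conf <file>: run named-checkconf when BIND is installed;
# otherwise verify every "{" is matched by a "};" (a missing trailing
# semicolon after a zone's closing brace is the classic named.conf typo).
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"; return $?
    fi
    opens=$(( $(grep -o '{' "$1" | wc -l) ))
    closes=$(( $(grep -o '};' "$1" | wc -l) ))
    [ "$opens" -eq "$closes" ]
}

# Usage on the RHEL box (step 8 then points resolv.conf at 127.0.0.1):
#   gen_named_conf "192.0.2.53" "private.example" "10.0.0.1 10.0.0.2" > /etc/named.conf
#   check_named_conf /etc/named.conf && service named start
```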

T3RM1NVT0R 01-13-2012 03:40 PM

@ Teleute,

You can specify the DNS to be used by different interfaces. This can be achieved by running system-config-network or launching NetworkManager from the GUI.

You can specify which interface will use which DNS server and I think that should fix the problem that you are facing.

Remember that you specify only 1 DNS server per interface. For the internal interface only define private.dns.com; do not specify internet.dns.com as the secondary DNS server. And the same way for the external interface.


@ RobertEachus

OP is running the DNS service on Windows servers, not on a Linux server.

RobertEachus 01-18-2012 12:50 PM

Quote:

Originally Posted by Teleute (Post 4572998)
I have an RHEL box with two NICs, one connected to each network.

@T3RM1NVT0R Sounds like Red Hat Enterprise Linux to me.

T3RM1NVT0R 01-18-2012 01:11 PM

Quote:

Originally Posted by Teleute (post #4)

Quote:
Originally Posted by T3RM1NVT0R
Hi Teleute,

Let us know the answer of the following queries:

1. Which server (OS) hosts the dns.internet.com zone?
2. Which server (OS) hosts the dns.private.com zone?
3. Is there a connection between the servers hosting these two zones? If yes, how?
4. How is the client-side DNS setting configured?

1. Windows Server 2003 R2
2. Windows Server 2008 R2
3. No
4. On this RHEL 6.1 machine, it's just in resolv.conf as:
nameserver <ip of dns.private.com>
nameserver <ip of dns.internet.com>

Nope. He is running DNS on Windows Server 2003 and 2008; check out post #4. In resolv.conf he has entries for these servers so that the RHEL server can perform DNS queries against one of them.

RobertEachus 01-18-2012 01:22 PM

Quote:

Originally Posted by T3RM1NVT0R (Post 4578080)
Nope. He is running DNS on Windows Server 2003 and 2008; check out post #4. In resolv.conf he has entries for these servers so that the RHEL server can perform DNS queries against one of them.

Yes, my suggestion was to set up a DNS server on the RHEL box that forwards to the internet DNS (Microsoft) server and selectively forwards to the internal DNS (Microsoft) server. This way BIND is not so much doing DNS lookups as switching the requests based on domain name. The server is set up on that host listening only on 127.0.0.1, so there is very little in terms of security/patching he will have to worry about.
