[SOLVED] bind9 config problem serving internal and external addresses

eco · 05-14-2010, 04:29 AM

Hi all,

I imagine that what I'm about to ask is the basis of DNS but I just can't get my head round it.

I have a LAN, a firewall/dns and dmz(kvm).

Code:

[laptop ]--+                                           +--[Server1]
[printer]--+--192.168.1.x---[FW/DNS]---192.168.122.x---+
[...    ]--+                    |                      +--[Server2]
                                |
                            [Internet]

The problem I am facing is that from the internet, the DNS will forward requests to one of my servers to the range '192.168.122.x' as it should but when I try and connect to a server from my laptop (192.168.1.x) the DNS gives me 192.168.122.x.

This is a problem as I need to have mod_proxy forward the url to the proper server and not access it directly.

What am I doing wrong?

I have a very basic setup as follows:

Code:

# cat named.conf

include "/etc/bind/named.conf.options";

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

zone "example.com" {
        type master;
        file "/etc/bind/zone.example.com";
};

zone "122.168.192.in-addr.arpa" {
        allow-query { 192.168.122.1; };
        type master;
        file "/etc/bind/db.192.168.122";
        };

zone "1.168.192.in-addr.arpa" {
        allow-query { 192.168.1.1; };
        type master;
        file "/etc/bind/db.192.168.1";
        };

include "/etc/bind/named.conf.local";

I tried using allow-query { x.x.x.x; } to restrict access to 122.x requests from a 1.x range but that doesn't seem to do the job.

Code:

# cat db.192.168.1

$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                     2010051402         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;

1               IN      NS      ns1.example.com.
200             IN      NS      hp6110.example.com.

deb01		IN	CNAME	ns1
deb02		IN	CNAME	ns1
deb03		IN	CNAME	ns1

printer         IN      CNAME   hp6110

Code:

# cat db.192.168.122 

$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                     2010051301         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;

1       IN      NS      ns2.example.com
2       IN      PTR     deb02.example.com
3       IN      PTR     deb03.example.com
11      IN      PTR     deb01.example.com

Code:

# cat zone.example.com 

$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                      2010051301        ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
                IN      NS      ns1.example.com.
                IN      NS      ns2.example.com.

                IN      MX 20   mail.example.com.

ns1             IN      A       192.168.1.1
ns2             IN      A       192.168.122.1
deb01           IN      A       192.168.122.11
deb02           IN      A       192.168.122.2
deb03           IN      A       192.168.122.3
hp6110          IN      A       192.168.1.200

printer         IN      CNAME   hp6110

In short how do I configure my DNS to handle/restrict 3 ranges (wan/lan/dmz)?

Any help or pointing me to the right documentation are welcome!

Thanks.

bathory · 05-14-2010, 05:03 AM

Hi,

It looks like you have to setup views, so you can answer queries in a different way depending of the host ip address.

eco · 05-14-2010, 06:34 AM

Thanks bathory, that did the job

The following is to help anyone in the same situation I was in. Hope it helps.

Code:

include "/etc/bind/named.conf.options";

acl lan_hosts {
        127.0.0.0/8;
        192.168.122.0/24;
};


// prime the server with knowledge of the root servers
view "internal-view" {
        match-clients { lan_hosts; };
        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };

        zone "localhost" {
                type master;
                file "/etc/bind/db.local";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "/etc/bind/db.127";
        };

        zone "0.in-addr.arpa" {
                type master;
                file "/etc/bind/db.0";
        };

        zone "255.in-addr.arpa" {
                type master;
                file "/etc/bind/db.255";
        };

        zone "122.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/db.192.168.122";
        };

        zone "example.com" {
                type master;
                file "/etc/bind/zone.example.com-internal";
        };

};

view "external-view" {
        match-clients { any; };

        zone "example.com" {
                type master;
                file "/etc/bind/zone.example.com";
        };

        zone "1.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/db.192.168.1";
        };
};