[lug] Re: dns for non-internet visible network

William D. Knoche Bill.Knoche at sun.com
Mon Jan 3 09:37:45 MST 2005


I have taken a slightly different approach.
I have a DNS server visible externally that only provides resolution for the servers that need to be resolved externally.
I set up an identical dns server internally that is "stealth" and not visible to the outside. All internal clients point to it. It forwards requests to resolve external hosts to the external dns server.

The external named.conf looks something like:

acl "internal" {
        192.168.1.0/24;
        127.0.0.1;
};

acl "trusted" {
        internal;
        xx.xx.xx.xx;  // IP of the external slave server
};

options {
        directory "/etc/named";
        // Recursion stays on but is limited to the "internal" ACL by
        // allow-recursion below. "recursion no" would disable recursion
        // for everyone, including the internal stealth server that
        // forwards its outside lookups here.
        recursion yes;
        fetch-glue no;        // BIND 8 option; obsolete in BIND 9
        use-id-pool yes;      // BIND 8 option; obsolete in BIND 9
        transfers-in 10;
        transfers-per-ns 2;
        allow-recursion { internal; };
        allow-transfer { trusted; };
};

zone "mydomain.com" {
        type master;
        file "mydomain";
        allow-query { any; };
        allow-transfer { trusted; };
};

zone "localhost" {
        type master;
        file "local";
        allow-update { none; };
};

zone "xx.xx.xx.in-addr.arpa" {
        type master;
        file "mydomain.rev";
        allow-query { any; };
        allow-transfer { trusted; };
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "local.rev";
        allow-query { any; };
        allow-transfer { trusted; };
};

// Overrides the built-in CHAOS-class zone, so version.bind queries are
// answered from our own file (and logged) instead of revealing the
// server version; anyone outside "trusted" gets REFUSED.
zone "bind" chaos {
        type master;
        file "bind";
        allow-query { trusted; };
        allow-transfer { none; };
};

Set up your zone files accordingly, with only the data that must be visible externally.
You don't want to allow recursion, so that external folks are not using your DNS server for anything but resolving your externally visible hosts.
Don't allow updates, and do not allow transfers to any host except your external nameserver slave.

On the internal server things can be far more open.
The only difference is that the named.conf options are more liberal and include a forward to the external DNS server to resolve external (not ours) hosts.

options {
        directory "/etc/named";
        forwarders {
                192.168.1.1;  // address of the external DNS server
        };

        // ... rest is the same as the external server
};

The zone file for mydomain has all of the external host info plus all of the internal host info.
Both of these DNS servers are authoritative for mydomain.com. This is OK since only the internal servers will access the internal DNS server for all our hosts, internal and external, and only resolution of external (not ours) hosts is forwarded to the external DNS server. The external DNS server is only accessed by external hosts seeking to resolve the externally visible IP(s).
The bind zone is there to catch queries for the BIND version info and log them. This allows me to track who is probing for a possible BIND attack.

If you have enough internal hosts and subnets you will want to have internal slaves. For really large geographically distributed networks you will want to have dns servers for each major subnet, etc...

This seems to be working pretty well for me.

--bill
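As an added example (not code from Bill's post), the following Python script lints a named.conf fragment offline for the three properties the external server above depends on: recursion limited to internal addresses, zone transfers limited to the trusted slave, and version.bind not answered by the server's built-in CHAOS zone. It also flags the combination of "recursion no" with an allow-recursion list, since BIND only consults allow-recursion when recursion is on. The parser only understands the generic "words { ... };" grammar of named.conf (acl, options and zone stanzas; views and keys are ignored), and the two sample configs, the 203.0.113.5 slave address and the example.com zone are constructed placeholders.

```python
# Added example (not from the original post): an offline lint for the
# hardening a split-DNS external server relies on.  Only the generic
# "words { ... };" grammar of named.conf is parsed; views and keys are
# ignored, and a '#' inside a quoted string would be taken for a comment.
import re

# Constructed sample inputs.  203.0.113.5 and example.com are documentation
# placeholders standing in for the real slave address and zone.
WEAK_CONF = """
options { recursion yes; };                           // no allow-recursion
zone "example.com" { type master; file "example.com.zone";
                     allow-transfer { any; }; };      // AXFR open to the world
"""
HARDENED_CONF = """
acl "internal" { 192.168.1.0/24; 127.0.0.1; };
acl "trusted"  { internal; 203.0.113.5; };          // 203.0.113.5: external slave
options {
    recursion yes;  allow-recursion { internal; };  // only the stealth server
    allow-transfer { trusted; };  version "not disclosed";
};
zone "example.com" { type master; file "example.com.zone";
                     allow-query { any; }; allow-transfer { trusted; }; };
"""

def _tokenize(text):
    """Strip //, # and /* */ comments; split into strings, braces, ';' and words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def _parse(tokens, i=0):
    """Parse up to the matching '}'; returns ([(words, children)], index).
    children is None for 'a b;' and a statement list for 'a b { ... };'."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                stmts.append((words, None))
            words = []
        elif tok == "{":
            children, i = _parse(tokens, i + 1)   # i now sits on the closing '}'
            stmts.append((words, children))
            words = []
        elif tok == "}":
            return stmts, i
        else:
            words.append(tok.strip('"'))
        i += 1
    return stmts, i

def _entries(children):
    """Members of an address-match list such as { internal; any; }."""
    return [w[0] for w, _ in children if w]

def _directives(children):
    """name -> values for the statements inside an options or zone block."""
    return {w[0]: (w[1:] if c is None else _entries(c)) for w, c in children if w}

def load(text):
    """Return (acls, options, zones) from a named.conf fragment."""
    acls, options, zones = {}, {}, []
    for words, children in _parse(_tokenize(text))[0]:
        if not words or children is None:
            continue
        if words[0] == "acl" and len(words) > 1:
            acls[words[1]] = _entries(children)
        elif words[0] == "options":
            options = _directives(children)
        elif words[0] == "zone" and len(words) > 1:
            zclass = words[2].lower() if len(words) > 2 else "in"
            zones.append({"name": words[1], "class": zclass, "directives": _directives(children)})
    return acls, options, zones

def expand(entries, acls, seen=()):
    """Flatten ACL references so an 'any' hidden inside a named ACL shows up."""
    out = set()
    for e in entries:
        if e in acls and e not in seen:
            out |= expand(acls[e], acls, seen + (e,))
        else:
            out.add(e)
    return out

def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    acls, options, zones = load(text)
    findings = []
    recursion = (options.get("recursion") or ["yes"])[0].lower()   # BIND default: yes
    allow_rec = options.get("allow-recursion")
    if recursion == "yes":
        if allow_rec is None or "any" in expand(allow_rec, acls):
            findings.append("open resolver: recursion yes without a restrictive allow-recursion")
    elif allow_rec is not None:   # allow-recursion is only consulted when recursion is on
        findings.append('allow-recursion has no effect while "recursion no" is set')
    if "version" not in options and not any(
            z["class"] == "chaos" and z["name"] == "bind" for z in zones):
        findings.append("version.bind answered by the built-in CH zone (server version disclosed)")
    for z in zones:
        if (z["directives"].get("type") or [""])[0] not in ("master", "slave", "primary", "secondary"):
            continue
        xfer = z["directives"].get("allow-transfer", options.get("allow-transfer"))
        if xfer is None or "any" in expand(xfer, acls):   # BIND default: any
            findings.append(f"zone {z['name']}: zone transfer (AXFR) allowed from any host")
    return findings
```

Run audit() over the real file before deploying it; the same three properties can then be confirmed against the running server from an outside address with dig (a recursive query for a name you are not authoritative for, an AXFR request for your zone, and a CH-class TXT query for version.bind), all of which should come back refused or empty.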
