Hi!
I'm trying to configure a split DNS, following this model:
            ------------------
            |                |
            |    INTERNET    |
            |                |
            ------------------
                    |
                    |
              ------------
              |          |
              | FIREWALL |
              |          |
              ------------
                    |
                    |  DMZ 192.168.x.x
      ----------------------------------
                    |
                    |
              ------------
              | INTERNAL |
              | FIREWALL |
              ------------
      INTERNAL NETWORK    |
      10.x.x.x            |
      ---------------------------------------
                    |
                    |
               ----------
               | CLIENT |
               ----------
On the bastion host I'm running a name server that knows our real domain
"fadesa.es" and has a limited view of the hosts in the DMZ; on the
other hand _mute_ (the internal firewall) has an internal root name
server (bind 8.2). Well..., I load in mute a root domain file like this
(suppose 'internal' is the faked TLD):
;#### db.root
;##############################################################
.   IN SOA mute.servers.internal. dnswizard.mute.servers.internal. (
        1999042201      ; serial
        10800           ; refresh
        3600            ; retry
        604800          ; expire
        86400 )         ; minimum
.   IN NS mute.servers.internal.
;glue record
mute.servers.internal. 86400 IN A 10.20.1.10
hubs.internal. 86400 IN NS mute.servers.internal.
servers.internal. 86400 IN NS mute.servers.internal.
impresoras.internal. 86400 IN NS mute.servers.internal.
informatic.internal. 86400 IN NS mute.servers.internal.
contabilidad.internal. 86400 IN NS mute.servers.internal.
juridico.internal. 86400 IN NS mute.servers.internal.
tecnicos.internal. 86400 IN NS mute.servers.internal.
marketing.internal. 86400 IN NS mute.servers.internal.
ventas.internal. 86400 IN NS mute.servers.internal.
cig.internal. 86400 IN NS mute.servers.internal.
obra.internal. 86400 IN NS mute.servers.internal.
personal.internal. 86400 IN NS mute.servers.internal.
abogados.internal. 86400 IN NS mute.servers.internal.
1.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
5.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
9.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
11.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
13.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
15.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
17.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
19.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
21.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
23.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
25.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
27.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
29.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
31.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
;### End of db.root
;########################################################
I delegate directly from "." to the different subdomains, so mute
knows only these internal subdomains.
Now, the named configuration file:
# named.conf
###########################################################
options {
    check-names master fail;
    check-names slave warn;
    check-names response ignore;
};
# load root domain
zone "." {
    type master;
    file "db.root";
};
# subdomain hubs.internal
zone "hubs.internal" {
    type master;
    file "hubs/db.hubs.internal";
};
zone "1.20.10.in-addr.arpa" {
    type master;
    file "hubs/db.10.20.1";
};
# subdomain servers.internal
zone "servers.internal" {
    type master;
    file "servers/db.servers.internal";
};
zone "20.20.180.in-addr.arpa" {
    type master;
    file "servers/db.10.20.3";
};
# ..... and so on.
# End of named.conf
####################################################
and all the subdomain files follow this template:
;### db.hubs.internal
;######################################################
@   IN SOA mute.servers.internal. dnswizard.mute.servers.internal. (
        1999042201      ; serial
        10800           ; refresh
        3600            ; retry
        604800          ; expire
        86400 )         ; minimum
@   IN NS mute.servers.internal.
localhost IN A 127.0.0.1
hub13300 IN A 10.20.1.6
hub11000 IN A 10.20.1.7
hub21000 IN A 10.20.1.8
hub31000 IN A 10.20.1.9
hub41000 IN A 10.20.1.10
hub51000 IN A 10.20.1.11
hub61000 IN A 10.20.1.12
hub23300 IN A 10.20.1.13
hub71000 IN A 10.20.1.14
hub13000 IN A 10.20.1.15
;#### End of db.hubs.internal
;##############################################
;### db.10.20.1
;############################################################
@   IN SOA mute.servers.internal. dnswizard.mute.servers.internal. (
        1999042201      ; serial
        10800           ; refresh
        3600            ; retry
        604800          ; expire
        86400 )         ; minimum
@   IN NS mute.servers.internal.
6 IN PTR hub13300.hubs.internal.
7 IN PTR hub11000.hubs.internal.
8 IN PTR hub21000.hubs.internal.
9 IN PTR hub31000.hubs.internal.
10 IN PTR hub41000.hubs.internal.
11 IN PTR hub51000.hubs.internal.
12 IN PTR hub61000.hubs.internal.
13 IN PTR hub23300.hubs.internal.
14 IN PTR hub71000.hubs.internal.
15 IN PTR hub33300.hubs.internal.
;### End of db.10.20.1
;#####################################################
First problem:
a valid name is correctly answered:
Default Server: mute
Address: 127.0.0.1
>
>
> pcmercedes.technician.fadesa.
Server: mute
Address: 127.0.0.1
Name: pcmercedes.technician.fadesa
Address: 10.20.19.10
Instead, a false name isn't correctly answered: I get "Server failed" and
not NXDOMAIN.
> fadesa.
Server: mute
Address: 127.0.0.1
*** mute can't find fadesa.: Server failed
>
and syslog reports:
May 21 17:36:13 mute named[25055]: ns_forw: query(fadesa) contains our address (mute.servers.fadesa:10.20.1.10)
May 21 17:36:13 mute named[25055]: ns_forw: query(fadesa) No possible A RRs
Second:
mute must know this fake domain and also the real Internet. I included in
named.conf a new zone, i.e. "com", with forwarding to the bastion host, but
this does not work: mute responds NXDOMAIN and tcpdump reports no traffic
towards the bastion host.
zone "com" {
    type forward;
    forward only;
    forwarders {
        192.168.1.38;
    };
};
1.- Can I set up an internal root name server this way?
2.- And can it forward *.com to the bastion host?
3.- Though mute is an internal root name server, would it answer these
questions well?
F@N
Thanks
José M. Fandiño
Inmobiliaria Fadesa, Dept. of Informatics, technician
Av. Alfonso Molina S/N, 15009 Coruña, Spain
http://www.uncies.cesga.es/~fan
[EMAIL PROTECTED]
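A consistency audit of the zone data in the post above, added here as an example and not part of the original message or of BIND: it parses constructed excerpts of db.root, db.hubs.internal and db.10.20.1 (names, TTLs and addresses copied from the post) plus the zone names from named.conf, and reports master zones the root zone never delegates, PTR records that disagree with their A records, and addresses that two names share (such as 10.20.1.10, used by both the mute glue record and hub41000, and the address quoted in the ns_forw syslog line).

```python
from collections import defaultdict
# Constructed excerpts of the posted files; names, TTLs and addresses are copied from the post.
DB_ROOT = """
mute.servers.internal. 86400 IN A 10.20.1.10    ; glue record
hubs.internal. 86400 IN NS mute.servers.internal.
servers.internal. 86400 IN NS mute.servers.internal.
1.20.10.in-addr.arpa. 86400 IN NS mute.servers.internal.
"""
DB_HUBS = "hub41000 IN A 10.20.1.10\nhub13000 IN A 10.20.1.15\n"
DB_REV = "10 IN PTR hub41000.hubs.internal.\n15 IN PTR hub33300.hubs.internal.\n"
NAMED_CONF_ZONES = ["hubs.internal", "1.20.10.in-addr.arpa", "servers.internal", "20.20.180.in-addr.arpa"]

def records(text, origin):
    """Parse one-line master-file records into (owner, type, rdata); relative owners get origin appended."""
    out = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()          # strip ; comments, tokenize
        if parts:
            owner = origin if parts[0] == "@" else parts[0]
            if not owner.endswith("."):
                owner = f"{owner}.{origin}"
            fields = [p for p in parts[1:] if not p.isdigit() and p != "IN"]  # drop TTL and class
            out.append((owner.lower(), fields[0], fields[1]))
    return out

def undelegated_zones(conf_zones, root_text):
    """Zones loaded as master in named.conf that the root zone never delegates with an NS record."""
    delegated = {o for o, t, _ in records(root_text, ".") if t == "NS"}
    return sorted(z for z in conf_zones if f"{z}." not in delegated)

def ptr_mismatches(fwd_text, fwd_origin, rev_text, rev_origin):
    """PTR records whose target name has no A record for that address in the forward zone."""
    a_by_name = {o: r for o, t, r in records(fwd_text, fwd_origin) if t == "A"}
    bad = []
    for owner, t, target in records(rev_text, rev_origin):
        if t == "PTR":
            ip = ".".join(reversed(owner[:-len(".in-addr.arpa.")].split(".")))
            if a_by_name.get(target) != ip:
                bad.append((ip, target))
    return bad

def duplicate_addresses(*zones):
    """Addresses that more than one name maps to, across the given (text, origin) pairs."""
    names = defaultdict(set)
    for text, origin in zones:
        for o, t, r in records(text, origin):
            if t == "A":
                names[r].add(o)
    return {ip: sorted(n) for ip, n in names.items() if len(n) > 1}
```

Running the three checks on the excerpts flags the 20.20.180.in-addr.arpa zone (no NS record for it under "."), the PTR for 10.20.1.15 pointing at hub33300 while the forward file names hub13000, and 10.20.1.10 held by two names.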