[Linux-aus] DNS inside firewall.

Les Bell lesbell at lesbell.com.au
Sun Feb 23 05:53:02 UTC 2003

Tom Swann <tom.swann at jcu.edu.au> wrote:

I've never set up a DNS before and I think that perhaps I need one to resolve a name to an IP address for the internal server and refer all other addresses to the ISP's DNS.

Is my thinking right? How do I do it? A pointer to a tutorial might help.

Close, but no seegar, Tom. It's not that complex, really.

For a small setup, perhaps a hosts file would be the solution. However, I'm
assuming you're beyond that stage. In that case, you need a DNS, as you
suggest. You will need to configure at least a forward zone for the
internal domain, and preferably a reverse zone (to support conversion of IP
addresses to names for the internal domain).

Configure all your client machines to use the internal DNS. It will respond
immediately from its own knowledge (this is an authoritative response) for
your internal machines, but will go to the outside world to look up other

There are two ways you can get to the outside world. The simplest - and
it's the default when you first set up BIND - is to use a "named.root"
file which allows your DNS to contact the root nameservers and then find
everything else by recursively tracking other DNS's down. The alternative
is to configure your DNS to forward all requests for outside data to your
ISP's DNS, and let it do the recursive queries (this will save you a little
bandwidth and allow you to lock down your firewall a little more tightly,
but it's hardly worth the trouble and I don't do it myself).

So it's pretty much a standard setup. For novices to setting up things like
BIND, I recommend installing Webmin (http://www.webmin.com) as it
simplifies the task considerably and automatically formats the zone files
(a pain until you're familiar with the syntax and where to put the full
stops). It also automatically keeps the forward and reverse zone files in
sync, and eliminates the need to write out IP addresses backwards, etc.

I don't know a good online tutorial off the top of my head (I bought the
book "DNS and BIND" by Cricket Liu, etc.), but I've always found the
http://www.acmebw.com site helpful for FAQ's, etc.


--- Les Bell, CISSP
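The setup Les describes, as an added example that is not part of the original post or of BIND itself: a POSIX shell script that generates the BIND `named.conf` options and zone stanzas (in the "forwarders" variant, with a comment on switching to a `named.root` hints file), plus a forward zone and the matching `in-addr.arpa` reverse zone, both produced from one host list so they cannot drift apart. The domain `corp.example.com`, the `192.168.1.0/24` network, the host list and the ISP resolver addresses `203.0.113.53`/`.54` are all constructed placeholders. The `reverse_ip` helper does the "write the IP address backwards" step by hand, and `check_zones_in_sync` verifies that every A record has a PTR record and vice versa, which is the same bookkeeping Webmin automates.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from BIND). All names,
# networks and resolver addresses below are constructed placeholders.

ZONE="corp.example.com"          # internal domain (constructed)
NET_PREFIX="192.168.1"           # internal /24 network (constructed)
ISP_DNS1="203.0.113.53"          # placeholder ISP resolver (TEST-NET-3)
ISP_DNS2="203.0.113.54"          # placeholder ISP resolver (TEST-NET-3)

# Constructed host list, one "name ip" pair per line. Both zone files are
# generated from this single list.
HOSTS='ns1 192.168.1.2
server 192.168.1.10
gateway 192.168.1.1'

# Turn 192.168.1.10 into 10.1.168.192.in-addr.arpa (the PTR owner name).
reverse_ip() {
    echo "$1" | awk -F '.' '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Turn the /24 prefix 192.168.1 into the reverse zone name 1.168.192.in-addr.arpa.
reverse_net() {
    echo "$1" | awk -F '.' '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# named.conf fragment: options plus the two authoritative zones.
gen_named_conf() {
    cat <<EOF
options {
    directory "/var/named";
    listen-on { 127.0.0.1; $NET_PREFIX.2; };
    // Recurse only for internal clients, so this box is never an open
    // resolver for the Internet; internal zones are still answered
    // authoritatively to anyone allowed to query.
    allow-query     { 127.0.0.1; $NET_PREFIX.0/24; };
    allow-recursion { 127.0.0.1; $NET_PREFIX.0/24; };
    // Forwarding variant: every non-local lookup goes to the ISP's
    // resolvers, so the firewall only needs UDP/TCP 53 out to those two
    // hosts. To use root hints instead, drop these two lines and add a
    // 'zone "." { type hint; file "named.root"; };' stanza.
    forwarders { $ISP_DNS1; $ISP_DNS2; };
    forward only;
};

zone "$ZONE" IN {
    type master;
    file "$ZONE.zone";
};

zone "$(reverse_net "$NET_PREFIX")" IN {
    type master;
    file "$NET_PREFIX.rev";
};
EOF
}

# Shared SOA/NS header. Note the trailing full stops on absolute names;
# a name without one gets the zone origin appended by BIND.
zone_header() {
    cat <<EOF
\$TTL 86400
@   IN SOA ns1.$ZONE. hostmaster.$ZONE. ( 2003022301 3600 900 604800 86400 )
@   IN NS  ns1.$ZONE.
EOF
}

# Forward zone: relative owner names (origin appended) -> A records.
gen_forward_zone() {
    zone_header
    echo "$HOSTS" | while read -r name ip; do
        if [ -n "$name" ]; then printf '%-8s IN A   %s\n' "$name" "$ip"; fi
    done
}

# Reverse zone: absolute in-addr.arpa owner names -> PTR records.
gen_reverse_zone() {
    zone_header
    echo "$HOSTS" | while read -r name ip; do
        if [ -n "$name" ]; then
            printf '%s. IN PTR %s.%s.\n' "$(reverse_ip "$ip")" "$name" "$ZONE"
        fi
    done
}

# Succeeds only if the set of A-record names equals the set of PTR targets.
check_zones_in_sync() {
    fwd=$(gen_forward_zone | awk -v z="$ZONE" '$2 == "IN" && $3 == "A" { print $1 "." z "." }' | sort)
    rev=$(gen_reverse_zone | awk '$2 == "IN" && $3 == "PTR" { print $4 }' | sort)
    [ -n "$fwd" ] && [ "$fwd" = "$rev" ]
}

# Print the three generated files when run directly.
printf '### named.conf (options + zone stanzas)\n'; gen_named_conf
printf '\n### %s.zone\n' "$ZONE"; gen_forward_zone
printf '\n### %s.rev\n' "$NET_PREFIX"; gen_reverse_zone
check_zones_in_sync && echo "forward and reverse zones agree"
```

Redirect each generator's output into the file named in its stanza, then run `named-checkconf` and `named-checkzone` (both ship with BIND) before reloading; clients on the 192.168.1.0/24 network point at 192.168.1.2 and get authoritative answers for the internal domain and forwarded answers for everything else.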
