
Re: [Linux-aus] DNS inside firewall.



On Monday 24 February 2003 10:12 am, Andrew Cowie wrote:
> For example, say I have web server www.junk.com, with outside address
> 63.100.50.21 . On the inside network, the machine is actually
> 192.168.1.21, and that's how my developers need to connect to it. If
> they try to connect to www.junk.com they're going to go all the way out
> into the internet and have to turn around and come back again - or
> worse, if the firewall isn't up to it, the packets will simply get lost
> and you won't be NAT'd in at all.

> This means you need a different name for it.

There is a much better way.

Assume for the sake of illustration (wow, that sounds pompous!) that your 
company is called Acme Widgets and has the `real' domain name 
acme-widgets.com.au. Pick a domain - be it acme (my choice), widget, 
acmewidget or aw or redskyturtle - to represent machines on/in your LAN.

Get your client machines to search that domain either by telling DHCP about it 
or by adding it to each machine's DNS settings (setup varies on different 
windowses but on Linux /etc/resolv.conf should include a line saying `search 
acme' (no quotes)) while you're changing them to point to your new 
nameserver.

Install a copy of BIND and a caching nameserver config. On Mandrake this is 
(as root) `urpmi bind caching-nameserver', on Debian it will be apt-get 
something similar.

Add authority entries in /etc/named.conf (location of named.conf may vary) 
based on the ones already there. Presuming that your private IP address range 
is 192.168.999.0/24 (yes, I know that's bogus, I'm illustrating, OK?) and 
your gateway/DNS server is at 192.168.999.254, the new entries might be:

zone "acme" {
        type master;
        file "acme.zone";
};

zone "999.168.192.in-addr.arpa" {
        type master;
        file "arpa.192.168.999.zone";
};

Copy the named.local file to acme.zone and tart it up (update the serial 
number, etc), add an NS entry pointing to ns1 and A entries for ns1, www, and 
a lot of other things all pointing to 192.168.999.254, and A records for all 
of your local hosts (if Windows, use nmblookup '*' to enumerate them and 
nmblookup -A $ADDRESS to discover their names, that plus a little scripting 
can whomp up a notable zonefile in no time).

Now add an NS record for www.acme-widgets.com.au WITHIN the acme zonefile, but 
pointed at 192.168.999.254; and tell Apache (I presume) to expect 
name-based-host requests on that address as well, and add 
www.acme-widgets.com.au.acme to the list of `HostAlias'es.

Run the zonefile through gawk or perl to get a set of reverse records, bolt 
the SOA section from acme onto the front of it and call it 
`arpa.192.168.999.zone'.

Now start bind (`service named start' on Mandrake, I presume 
`/etc/init.d/bind9 start' on Debian) and test your work. Your syslog should 
be free of complaint from BIND.

host ns1                       -> 192.168.999.254
host www                       -> 192.168.999.254
host www.acme-widgets.com.au   -> 192.168.999.254
host 192.168.999.254           -> gateway.acme

Getting this all to fly via Squid with an iptables firewall, multi-homing and 
martian-dropping enabled is a whole different story. (-:

BTW, if anyone wants a version of the monmotha firewall script which is happy 
about multiple uplinks and DMZs, I have one to hand now which I call 
multimotha.

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Committee Member, Perth Linux User Group
http://slpwa.asn.au/            Committee Member, Linux Professionals WA
http://linux.org.au/            Committee Member, Linux Australia
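The "run the zonefile through gawk or perl to get a set of reverse records, bolt the SOA section from acme onto the front" step above, written out as an added example; this is not Leon's script or anything from the thread. It assumes a private range of 192.168.1.0/24 (the post's 192.168.999.0/24 is deliberately bogus), an internal zone called `acme', and a constructed sample forward zone embedded in the script in place of the real acme.zone. Where several names share one address (ns1, gateway, www all on .254), the first A record wins, so the canonical name for the PTR goes first in the forward zone; the split-horizon alias for www.acme-widgets.com.au is therefore skipped automatically rather than getting its own PTR.

```shell
#!/bin/sh
# Added example, not from the original post: build a reverse (in-addr.arpa)
# zone for a private /24 out of the forward zone, the way the post suggests
# doing with gawk or perl. Assumes BIND-style zone syntax and a single /24.

# Constructed sample forward zone (stands in for acme.zone); the poster's
# 192.168.999.0/24 is not a real range, so 192.168.1.0/24 is assumed here.
SAMPLE_ZONE='$TTL 86400
@       IN  SOA ns1.acme. hostmaster.acme. (
                2003022401 ; serial
                3600 900 604800 86400 )
        IN  NS  ns1.acme.
gateway IN  A   192.168.1.254   ; canonical name first: it wins the PTR
ns1     IN  A   192.168.1.254
www     IN  A   192.168.1.254
dev1    IN  A   192.168.1.21
www.acme-widgets.com.au       IN  A  192.168.1.254
www.acme-widgets.com.au.acme. IN  A  192.168.1.254'

# forward_to_ptr ZONE NET NS
#   ZONE: internal domain (e.g. acme), used to qualify bare owner names
#   NET : first three octets of the /24 (e.g. 192.168.1)
#   NS  : fully qualified nameserver name with trailing dot (e.g. ns1.acme.)
# Reads the forward zone on stdin, writes a complete reverse zone on stdout.
forward_to_ptr() {
  zone=$1; net=$2; ns=$3

  # SOA/NS header "bolted onto the front", as the post puts it. The serial
  # here is a placeholder (assumed YYYYMMDDnn style); bump it on every change.
  cat <<EOF
\$TTL 86400
@   IN  SOA $ns hostmaster.$zone. (
        2003022401 ; serial
        3600 900 604800 86400 )
    IN  NS  $ns
EOF

  # One PTR per address: find every A record inside NET, take the last octet
  # as the owner, and qualify bare names with the zone. First A record for an
  # address wins, so later aliases (www, the split-horizon FQDN) are dropped.
  awk -v zone="$zone" -v net="$net" '
    { sub(/;.*/, "") }                      # strip comments
    NF == 0 { next }
    {
      if ($0 ~ /^[ \t]/) { name = prev; start = 1 }   # owner omitted: inherit
      else               { name = $1; prev = $1; start = 2 }
      for (i = start; i <= NF; i++) {
        if ($i == "A" && i < NF) {
          addr = $(i + 1)
          if (index(addr, net ".") != 1) break      # not in our /24
          last = substr(addr, length(net) + 2)      # trailing octet
          if (!(last in seen)) {
            seen[last] = 1
            if (name !~ /\.$/) name = name "." zone "."
            printf "%-4s IN PTR %s\n", last, name
          }
          break
        }
      }
    }
  ' | sort -n
}

# Stand-alone run: prints the reverse zone for the sample forward zone.
# Redirect it to arpa.192.168.1.zone (or whatever named.conf names the file).
printf '%s\n' "$SAMPLE_ZONE" | forward_to_ptr acme 192.168.1 ns1.acme.
```

After writing the file out, `named-checkzone 1.168.192.in-addr.arpa arpa.192.168.1.zone' (shipped with BIND 9) catches syntax slips before you restart the server, and `host 192.168.1.254' should then come back with gateway.acme as the post's last test line expects.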