
Conference noted::seal

Title:SEAL
Moderator:GALVIA::SMITH
Created:Mon Mar 21 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:1989
Total number of notes:8209

1905.0. "DNS and un-named root??" by WOTVAX::2h0533.olo.dec.com::Tim_Banks ([email protected]) Thu Apr 03 1997 08:26

We are working with a customer on a DNS implementation scheme that involves 
a firewall, and need a little input on DNS root servers.

The customer wants a naming scheme (used on the internal network) that 
doesn't have a domain prefix e.g. "company.com"

The Internal FQDN will look like myhost.div.location 

So the internal root will be a series of locations (not com, gov, mil, edu 
etc). I believe that this requires the cache file on the internal servers 
to only contain entries pointing to the internal root servers, so a query 
hits the internal root server and is either resolved or rejected.

The question is, how does this scheme work with a firewall, and the need to 
resolve internet FQDNs?

Is it just a case of having the internal root server configured with a full 
cache file (i.e. the NIC issued named.ca) or do you set the root server up 
with a forwarder entry pointing at the firewall server which has the full 
named.ca?

We read O'Reilly on this subject but are still unsure.  I know it can be 
done, but how and what are the issues?

Many thanks for the input,

	Tim and Jim
1905.1. "set up a root server" by NETRIX::"[email protected]" (torsten kerschat) Wed Apr 09 1997 08:56 (139 lines)
Hi,

Hopefully I understood your question correctly. Is it correct
that the firewall is just an internal firewall? I think so.
If so, you can set up the firewall as root server.
It's not that hard, and very easy with the O'Reilly book :-)
I am not that experienced with DNS, but it took about 2
hours to test and set up a root server on a firewall.

The following example might give you an idea (it is a solution
with two root servers (mbalpha and berris) for redundancy purposes).

Hopefully it helps.
Torsten

In /etc/rc.config

HOSTNAME="hostname.domain.de"

BIND_CONF="YES"
export BIND_CONF
BIND_SERVERTYPE="PRIMARY"
export BIND_SERVERTYPE
BIND_SERVERARGS="-b /etc/namedb/named.boot"
export BIND_SERVERARGS

In /etc/hosts
ip-address hostname.domain.de hostname

In /etc/resolv.conf

domain	vg.de
nameserver	127.0.0.1

In /etc/svc.conf 

aliases=local
group=local
hosts=local,bind
netgroup=local
networks=local
passwd=local
protocols=local
rpc=local
services=local

SECLEVEL=BSD   # for backwards compatibility ONLY


In /etc/namedb/named.boot

directory       /etc/namedb
;
primary         .               named.root
primary         vg.de           hosts.db
primary         80.185.16.in-addr.arpa  80.185.16.zone
;
primary         0.0.127.in-addr.arpa    named.local
;


In named.root

. IN SOA berris.vg.de.  root.vg.de. (
1       ; serial
86400   ; refresh
3600    ; retry
608400  ; expire
86400)  ; minimum TTL

        IN NS berris.vg.de.
        IN NS mbalpha.vg.de.

berris.vg.de.   604800  IN A 16.185.80.134
mbalpha.vg.de.	604800	IN A 16.185.80.209

vg.de.  86400   IN NS berris.vg.de.
vg.de.  86400   IN NS mbalpha.vg.de.

80.185.16.in-addr.arpa. 86400   IN NS berris.vg.de.
80.185.16.in-addr.arpa. 86400   IN NS mbalpha.vg.de.

In named.local

;
; BIND data file for local loopback interface. 
;
@       IN      SOA     berris.vg.de. postmaster.berris.vg.de. (
                        1       ; Serial
                        3600    ; Refresh
                        300     ; Retry
                        3600000 ; Expire
                        3600 )  ; Minimum
0.0.127.in-addr.arpa.   IN      NS      berris.vg.de.

1.0.0.127.in-addr.arpa. IN      PTR     localhost.

In hosts.db

vg.de. IN SOA berris.vg.de.     root.vg.de. (
1       ; serial
86400   ; refresh
3600    ; retry
608400  ; expire
86400)  ; minimum TTL

vg.de.  IN NS berris.vg.de.
vg.de.  IN NS mbalpha.vg.de.

berris.vg.de.   IN A 16.185.80.134
tester.vg.de.   IN A 16.185.80.100
beop05.vg.de.   IN A 16.185.80.178
mbalpha.vg.de.  IN A 16.185.80.209

In 80.185.16.zone

; 
; AltaVista Firewall DNS address to names mapping file
;
@       IN      SOA     berris.vg.de.  root.berris.vg.de.  (
                                1996101601      ; Serial
                                21600           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                86400 )         ; Minimum
                IN      NS      berris.vg.de.
                IN      NS      mbalpha.vg.de.
;
; Addresses point to canonical names
;
134     IN      PTR     berris.vg.de.
100     IN      PTR     tester.vg.de.
178     IN      PTR     beop05.vg.de.
209     IN      PTR     mbalpha.vg.de.




[Posted by WWW Notes gateway]
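Before pointing a firewall at an internal root like the one above, it pays to check the zone files mechanically rather than by eye. The following is an added example, not code from the note, from BIND or from the AltaVista Firewall: a parser for the minimal BIND 4 zone syntax used in the reply (multi-line SOA in parentheses, relative names, blank owner fields) plus two checks an operator wants, that every NS target has A glue somewhere in the loaded data, and that forward A records and reverse PTR records agree. The zone text is taken from the note; the `fwonly` and `stale` entries are constructed so that one check fails on each side.

```python
"""Consistency checks for BIND zone files in the style of the note above.

Added example, not from the note or from BIND.  The 'fwonly' and 'stale'
records are constructed to show a forward/reverse mismatch.
"""


def _logical_lines(text):
    """Strip ';' comments and join parenthesised (multi-line SOA) records."""
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        if not line.strip() and not buf:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return out


def _fqdn(name, origin):
    """Make a zone-file name absolute the way BIND does ('@' is the origin)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rtype, [rdata...])] with every name made absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner = [], origin
    for line in _logical_lines(text):
        toks = line.split()
        if not line[0].isspace():              # explicit owner field
            owner = _fqdn(toks.pop(0), origin)
        if toks and toks[0].isdigit():         # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() == "IN":   # optional class
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "PTR", "CNAME"):    # name-valued rdata is relative too
            rdata = [_fqdn(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records


def missing_glue(records):
    """NS targets that have no A record among the records given."""
    a_owners = {o for o, t, _ in records if t == "A"}
    return sorted({r[0] for _, t, r in records if t == "NS"} - a_owners)


def _ptr_owner_to_ip(owner):
    """'134.80.185.16.in-addr.arpa.' -> '16.185.80.134'"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))


def forward_reverse_mismatch(fwd, rev):
    """(A records lacking a PTR, PTR records lacking an A)."""
    a_pairs = {(o, r[0]) for o, t, r in fwd if t == "A"}
    ptr_pairs = {(r[0], _ptr_owner_to_ip(o)) for o, t, r in rev if t == "PTR"}
    return sorted(a_pairs - ptr_pairs), sorted(ptr_pairs - a_pairs)


HOSTS_DB = """\
vg.de. IN SOA berris.vg.de.     root.vg.de. (
1       ; serial
86400   ; refresh
3600    ; retry
604800  ; expire
86400)  ; minimum

vg.de.  IN NS berris.vg.de.
vg.de.  IN NS mbalpha.vg.de.

berris.vg.de.   IN A 16.185.80.134
tester.vg.de.   IN A 16.185.80.100
beop05.vg.de.   IN A 16.185.80.178
mbalpha.vg.de.  IN A 16.185.80.209
fwonly.vg.de.   IN A 16.185.80.50    ; constructed: has no PTR
"""

REV_ZONE = """\
@       IN      SOA     berris.vg.de.  root.berris.vg.de.  (
                                1996101601      ; Serial
                                21600           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                86400 )         ; Minimum
                IN      NS      berris.vg.de.
                IN      NS      mbalpha.vg.de.
134     IN      PTR     berris.vg.de.
100     IN      PTR     tester.vg.de.
178     IN      PTR     beop05.vg.de.
209     IN      PTR     mbalpha.vg.de.
51      IN      PTR     stale.vg.de.   ; constructed: has no A
"""


def run_checks():
    fwd = parse_zone(HOSTS_DB, "vg.de")
    rev = parse_zone(REV_ZONE, "80.185.16.in-addr.arpa")
    return {
        "glue_all": missing_glue(fwd + rev),   # forward zone supplies the A records
        "glue_rev_only": missing_glue(rev),    # reverse zone alone has no glue
        "fwd_rev": forward_reverse_mismatch(fwd, rev),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The `glue_rev_only` result is why the posted named.root carries A records for berris and mbalpha next to the NS records: a server that is delegated a zone from the internal root can only be reached if the root zone itself holds the glue.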
1905.2. by CHEFS::zkodhcp-29-48-237.zko.dec.com::PITT "Gone with the winsock ..." Fri Apr 18 1997 14:24 (26 lines)
Tim,

If you are talking simply invalid internal domain names, there is
really no issue at all.  Make sure that the internal DNS servers
are set up to be authoritative for their own domains.  If they already
exist, their internal DNS server will have a "fake root" - it will
be authoritative for the DNS root.  You will have to take this out.
That probably means replacing their existing cache file with a 
real one.

Then you have to install normal hidden DNS on the firewall - I
take it you're doing hidden DNS.

And that's it!  It really doesn't matter that it's an invalid
internal domain, because it's totally hidden from the outside.
Furthermore, the firewall (or internal machines) will ask the
internal server a question.  If the internal DNS server can answer
the question it will do so.  After that, the internal server will
ask the firewall server, and it will get an answer.  This all works
the same, regardless of whether or not the internal domain name is
"real".

T

P.S. Tim, I can point you to such setups that I've previously
installed, if you want ...
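The reason .2 insists on removing the "fake root" answers the question in .0 about cache file versus forwarder. A server that is primary for "." is authoritative for every name on the Internet, so for an outside name it hands back NXDOMAIN from its own data and never consults a forwarder or the root hints. The following is an added example, not code from the note, from BIND or from the firewall product; it models BIND's choice between authoritative data, forwarders and named.ca for one query on an internal server with and without the fake root. The vg.de host data comes from the posted hosts.db; the firewall address 192.0.2.53, the server roles and the queried names are constructed, and delegations, caching and retries are deliberately left out.

```python
"""Model of where a BIND server sends a query: own zones, forwarder, or
the root hints.  Added example, not BIND code; addresses are constructed."""


def closest_zone(qname, apexes):
    """Longest zone apex that encloses qname, or None.  '.' encloses everything."""
    q = qname.rstrip(".").lower()
    best = None
    for apex in apexes:
        a = apex.rstrip(".").lower()
        if a == "" or q == a or q.endswith("." + a):
            if best is None or len(a) > len(best.rstrip(".")):
                best = apex
    return best


def resolve(qname, server):
    """Return (action, detail) for one query at one server.

    server = {"zones": {apex: {fqdn: ip}}, "forwarders": [ip], "hints": bool}
    Authoritative data wins first, then forwarders, then iterative
    resolution from the root hints, as BIND orders them.
    """
    apex = closest_zone(qname, server["zones"])
    if apex is not None:
        data = server["zones"][apex]
        if qname in data:
            return ("answer", data[qname])
        return ("nxdomain", f"authoritative for {apex}")
    if server["forwarders"]:
        return ("forward", server["forwarders"][0])
    if server["hints"]:
        return ("recurse", "named.ca root hints")
    return ("servfail", "no zone, no forwarder, no hints")


FIREWALL = "192.0.2.53"                       # constructed: firewall's DNS
VG_DE = {"tester.vg.de.": "16.185.80.100",    # from the posted hosts.db
         "berris.vg.de.": "16.185.80.134"}

# The setup .0 asks about: primary for "." and vg.de, forwarder to the firewall.
FAKE_ROOT = {"zones": {".": {}, "vg.de.": VG_DE},
             "forwarders": [FIREWALL], "hints": False}

# The setup .2 describes: fake root removed, real cache file, forwarder kept.
FIXED = {"zones": {"vg.de.": VG_DE},
         "forwarders": [FIREWALL], "hints": True}

QUERIES = ["tester.vg.de.", "nosuch.vg.de.", "www.example.com."]


def compare():
    """{server name: {qname: (action, detail)}} for both internal servers."""
    return {name: {q: resolve(q, srv) for q in QUERIES}
            for name, srv in (("fake_root", FAKE_ROOT), ("fixed", FIXED))}


if __name__ == "__main__":
    for name, results in compare().items():
        for q, (action, detail) in results.items():
            print(f"{name:9} {q:18} -> {action:8} {detail}")
```

Both servers answer internal names identically; the difference shows only for www.example.com, which the fake-root server rejects as NXDOMAIN while the fixed server forwards to the firewall. That is the behaviour to test from an internal client after the cache file has been swapped.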