Category: DNS
need help with split DNS setup

I read another post in this forum related to my question but it didn't help much. We have a local network with about 25 PCs with a mixture of *nix, Apple, and Windows. A RedHat 7.2 machine is the fileserver, ftp, web, mysql, and telnet server. DNS & mail is provided through the ISP. All internet and other functions work fine. There is a firewall in front of all the machines that provides security and NAT to all the machines. Now the problem is the RedHat machine has an internal IP address that is forwarded to it from the firewall. I can call up a webpage or any other function for that matter by the domain name outside of the network, but internally an internal IP address has to be issued in order to access anything from the server? I read that split DNS would be the best idea for my situation. I've got no idea really where to start besides installing BIND 9, which I've done already.

I don't think you need complicated stuff like that.
Just set up a default route on your workstations pointing to your gateway (RH machine) and then they should connect to your ISP's nameserver.
Maybe you need to set up your RH machine to act as a NAT router too... then the firewall will think all requests come from it instead of from the workstations.

hope this helps....

The RH machine is just providing filesharing, webserving, ssh access, and ftp. The NAT is provided through a separate hardware-based firewall/router. So the client machines all use internal IP information.

do they have the firewall as their default gateway then?

Yes they do, the internal machines have IPs that span through 192.168.0.X, the server is 192.168.0.2, and the firewall is 192.168.0.1!

I just read your first post again, maybe I misunderstood you.

Do you want the DNS server to give different IPs depending on whether it was queried from the internal network or from outside?

Then I think you'd better set up a local domain for this. Like make a DNS server having one local zone ("mydomain.local") and have it forward everything else to the 'net. Then your server is accessible by "www.mydomain.local" as well as "www.mydomain.com".

Could this help you?

So far a split DNS setup seems to be the way to go. By the end of this weekend it should be completed, and since I know there are several others who have mailed me, I'll post the setup that works successfully for me. Basically our server is going to be the primary record holder and our ISP is going to be the secondary.

>> but internally an internal ip address has to be issued in order to access anything from the server?

You can use /etc/hosts file or run an authoritative DNS server for your LAN.

>> I read that the split dns would be the best idea

Like I said, you can use the /etc/hosts file. You'd need a split horizon DNS setup only if your LAN domain is the same as your external domain.
In some situations where you need to run qmail on the LAN, then you must set up split horizon, because qmail NEVER reads the /etc/hosts file, but most services do.

Thanks freebsd, I do agree that entries in the /etc/hosts file would work for the machines on the internal network. As you stated though, the domain is the same as the domain name, which right now makes browsing the website impossible unless using the internal server network IP address.


? freebsd, how would I make hosts entries in a zone file for machines that use dhcp from the firewall/router?

>> for machines that use dhcp from the firewall/router?

Don't use DHCP if you run any servers. Anyway, if you need to know more about split horizon setup, and would like to ditch BIND (the world's most insecure software) and give djbdns a try, do a search here with the search keyword: localdns

Alright, well thanks for the help freebsd. I've already installed and configured BIND, so I'm going to try that first.

Would someone check out these conf files and make sure I'm going about everything right. I've already created my ns1.prcdigital.com name. Please remember that the ISP is going to remain the secondary name server while we are going to be the primary.

Just checked your prcdigital.com.zone file and that's not the way to set up split horizon in BIND.
1) You need to delegate prcdigital.com to prcserver.prcdigital.com for the LAN; don't use ns1.prcdigital.com for that.
2) Don't use shortcuts in your zone records if at all possible. It doesn't help the readability but makes it worse.
3) Set your 2nd NS to NS1.DELTACOM.NET, not its IP.
4) Most important: there is no longer such a thing as CNAME, so just use multiple A records instead.

>> while we our going to be the primary

I don't think deltacom.net lets you do that.

>> I got rid of the "shortcuts" meaning comments?

Not that and your new file is still using shortcuts.

So what's shortcuts?

@ IN NS ns1.prcdigital.com. and
ns1 IN A 66.35.133.90

What's not?

ns1.prcdigital.com. IN A 66.35.133.90

It's extremely ugly for readability and you can make syntax errors easily when combining shortcuts and non-shortcuts, like yours.

>> the CNAME is gone also

But your new A records are illegal.

www.prcdigital.com. IN A prcserver.prcdigital.com.
ftp.prcdigital.com. IN A prcserver.prcdigital.com.
mail.prcdigital.com. IN A mail.deltacom.net.
A record means address record. Address means an IP or something to do with numbers, but yours is using hostnames all the way, which can't be A records in the first place.

When setting split horizon in BIND, you first need to run authoritative DNS for your LAN. That is, do not use public IP addr anywhere in your zone records or named.conf. Yes, it's the same domain - prcdigital.com.

>> I don't understand "You need to delegate prcdigital.com

You need to invent another local name or use prcserver, not ns1. Then you can run TWO authoritative DNS servers, one for external and one for LAN. And of course, setup your external as the forwarder of your internal so when you can't query an answer internally it will ask the external one.

Sorry, I wish I could explain it in more detail but I chose not to on purpose, just because you don't seem to understand the basics of DNS/BIND and are trying to get everything right in one go and in no time, which is a bad learning attitude.

Lastly, what you should do now is to forget about ns1 entirely, just run authoritative DNS for LAN only.
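The record mistakes freebsd lists above (A records whose data is a host name, an NS record pointing at an IP, shortcut owners such as "@" and "ns1" mixed with fully qualified ones, and public addresses inside the LAN zone) are all mechanical, so they can be caught before named ever loads the file. The following checker is an added example and not code from the thread or from BIND; the two zone texts are constructed from the names used in the thread (prcserver, ns1, 66.35.133.90, 192.168.0.2, mail.deltacom.net), and hostmaster.prcdigital.com. is an assumed contact address.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: lint a BIND zone file for the record
mistakes discussed above and for addresses that do not belong in the view
(LAN or Internet) the zone is served from."""
import ipaddress

RECORD_TYPES = {"SOA", "NS", "A", "CNAME", "MX", "PTR", "TXT"}
NAME_TYPES = {"NS", "CNAME", "PTR", "MX"}  # rdata must end in a host name

# Constructed sample reproducing the thread's mistakes (names from the thread).
BAD_ZONE = """\
$TTL 86400
prcdigital.com.           IN SOA prcserver.prcdigital.com. hostmaster.prcdigital.com. (
                                 2002032801 3600 900 604800 86400 )
@                         IN NS  ns1.prcdigital.com.
prcdigital.com.           IN NS  66.35.133.90
ns1                       IN A   66.35.133.90
www.prcdigital.com.       IN A   prcserver.prcdigital.com.
ftp.prcdigital.com.       IN A   prcserver.prcdigital.com.
prcserver.prcdigital.com. IN A   192.168.0.2
"""

# The same zone written the way freebsd recommends for the LAN view:
# no shortcuts, only private addresses, host names as NS/MX targets.
GOOD_ZONE = """\
$TTL 86400
prcdigital.com.           IN SOA prcserver.prcdigital.com. hostmaster.prcdigital.com. (
                                 2002032801 3600 900 604800 86400 )
prcdigital.com.           IN NS  prcserver.prcdigital.com.
prcdigital.com.           IN MX  10 mail.deltacom.net.
prcserver.prcdigital.com. IN A   192.168.0.2
www.prcdigital.com.       IN A   192.168.0.2
ftp.prcdigital.com.       IN A   192.168.0.2
"""


def _logical_lines(text):
    """Strip ';' comments and join '( ... )' continuations into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def parse_zone(text):
    """Return a list of (owner, rtype, rdata tokens). $-directives are
    skipped; a line starting with whitespace inherits the previous owner."""
    records, owner = [], "@"
    for line in _logical_lines(text):
        if line.startswith("$"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        # optional TTL and class may sit between owner and type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)
        if tokens and tokens[0].upper() in RECORD_TYPES:
            records.append((owner, tokens[0].upper(), tokens[1:]))
        else:
            records.append((owner, "UNKNOWN", tokens))
    return records


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def lint_zone(text, view):
    """view is 'internal' (LAN, RFC 1918 addresses only) or 'external'
    (public addresses only). Returns a list of (severity, message)."""
    findings = []
    records = parse_zone(text)
    short = sorted({o for o, _, _ in records if not o.endswith(".")})
    if short and any(o.endswith(".") for o, _, _ in records):
        findings.append(("warn", "mixes shortcut owners %s with fully qualified ones" % short))
    for owner, rtype, rdata in records:
        if rtype == "A":
            if not rdata or not _is_ipv4(rdata[0]):
                findings.append(("error", "%s: A record data %r is not an IPv4 address"
                                 % (owner, " ".join(rdata))))
            elif view == "internal" and not ipaddress.IPv4Address(rdata[0]).is_private:
                findings.append(("error", "%s: public address %s in the LAN zone" % (owner, rdata[0])))
            elif view == "external" and ipaddress.IPv4Address(rdata[0]).is_private:
                findings.append(("error", "%s: private address %s would leak into the public zone"
                                 % (owner, rdata[0])))
        elif rtype in NAME_TYPES:
            target = rdata[-1] if rdata else ""
            if _is_ipv4(target):
                findings.append(("error", "%s: %s must point at a host name, not %s" % (owner, rtype, target)))
            elif not target.endswith("."):
                findings.append(("warn", "%s: %s target %s has no trailing dot, origin will be appended"
                                 % (owner, rtype, target)))
        elif rtype == "UNKNOWN":
            findings.append(("error", "%s: unrecognised record %r" % (owner, " ".join(rdata))))
    return findings


if __name__ == "__main__":
    for name, zone in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        print("== %s zone (internal view) ==" % name)
        for severity, message in lint_zone(zone, "internal") or [("ok", "no findings")]:
            print("%-5s %s" % (severity, message))
```

Run against the LAN view, the constructed bad zone produces one shortcut warning and four errors (the NS with an IP, the public 66.35.133.90 inside the LAN zone, and the two A records carrying host names), while the corrected zone is clean. Checking the corrected zone as an external zone instead flags every 192.168.0.2 record, which is exactly the leak a split-horizon setup exists to prevent.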

Everything seems in place now, but when viewing the log I question these lines:

"Mar 28 15:15:20 prcdigital named[13779]: none:0: open: /etc/rndc.key: file not found
Mar 28 15:15:20 prcdigital named[13779]: couldn't add command channel 127.0.0.1#953: file not found"

What are these?


The following is the original log entry:
Mar 28 15:15:20 prcdigital named[13779]: starting BIND 9.2.0
Mar 28 15:15:20 prcdigital named[13779]: using 1 CPU
Mar 28 15:15:20 prcdigital named[13779]: loading configuration from '/etc/named.conf'
Mar 28 15:15:20 prcdigital named[13779]: no IPv6 interfaces found
Mar 28 15:15:20 prcdigital named[13779]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 28 15:15:20 prcdigital named[13779]: binding TCP socket: address in use
Mar 28 15:15:20 prcdigital named[13779]: listening on IPv4 interface eth0, 192.168.0.2#53
Mar 28 15:15:20 prcdigital named[13779]: binding TCP socket: address in use
Mar 28 15:15:20 prcdigital named[13779]: none:0: open: /etc/rndc.key: file not found
Mar 28 15:15:20 prcdigital named[13779]: couldn't add command channel 127.0.0.1#953: file not found
Mar 28 15:15:20 prcdigital named[13779]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1
Mar 28 15:15:20 prcdigital named[13779]: zone 0.168.192.in-addr.arpa/IN: loaded serial 2
Mar 28 15:15:20 prcdigital named[13779]: zone prcdigital.com/IN: loaded serial 2
Mar 28 15:15:20 prcdigital named[13779]: running
Mar 28 15:15:20 prcdigital named[13779]: zone prcdigital.com/IN: sending notifies (serial 2)

Here's the configuration file:
options {
    directory "/var/named/";
    pid-file "/var/run/named/named.pid";
    query-source address * port 53;    // pins all outgoing queries to source port 53
};

// root hints for recursion
zone "." { type hint; file "root.hints"; };

zone "0.0.127.in-addr.arpa" {
    type master;
    file "0.0.127.in-addr.arpa.zone";
    notify no;
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa.zone";
    notify no;
};

zone "prcdigital.com" {
    type master;
    file "prcdigital.com.zone";
};

>> none:0: open: /etc/rndc.key: file not found

This appears to be BIND 9 specific, to control the BIND daemon. And you need to set a secret key for that. Don't ask me, I haven't run BIND for years (because it's the world's no. 1 most insecure software), so you need to RTFM or ask Mr. Google yourself.

Like I said in my previous post, you don't seem to know anything about DNS and its basics (based on the mistakes that you made last time), so you are urged NOT to configure split horizon at this moment because you are not ready for it.
You have two choices:
1) Run authoritative DNS only for the LAN and let your ISP continue to host your domain.

2) Run authoritative DNS externally and have your ISP be the slave (if ever). Then just use the /etc/hosts file and forget about your 0.168.192.in-addr.arpa.
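For reference, the two pieces this thread circles around, the split-horizon layout freebsd describes (a LAN-only authoritative zone with private addresses, a separate public zone, the ISP as secondary) and the missing /etc/rndc.key behind the "couldn't add command channel" log line, look like this in BIND 9 terms. This named.conf is an added example, not the poster's file or anything shipped with BIND; it reuses the thread's names (prcserver, 192.168.0.2, 192.168.0.0/24, 66.35.133.90, NS1.DELTACOM.NET) and assumes 192.0.2.53 as a placeholder for the ISP secondary's address and a zone-file layout under internal/ and external/.

```conf
// /etc/named.conf -- added example, not the thread's own configuration.
// Names and addresses from the thread; 192.0.2.53 is a placeholder for
// the ISP secondary (NS1.DELTACOM.NET), assumed here.

// rndc-confgen (part of BIND 9) prints a key stanza; saved as /etc/rndc.key
// it supplies the secret the log said was missing. BIND 9.2 only knows
// hmac-md5 for this key; later releases accept hmac-sha256.
include "/etc/rndc.key";                // defines key "rndc-key"

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl "lan" { 127.0.0.0/8; 192.168.0.0/24; };

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    // No "query-source ... port 53": a fixed source port makes forged
    // answers easier to slip into the cache; let the OS choose the port.
};

// Views are tried in order, so the LAN view must come before "external".
view "internal" {
    match-clients { "lan"; };
    recursion yes;                      // LAN hosts use this box as resolver
    zone "." { type hint; file "root.hints"; };
    zone "0.0.127.in-addr.arpa" {
        type master; file "internal/0.0.127.in-addr.arpa.zone"; notify no;
    };
    zone "0.168.192.in-addr.arpa" {
        type master; file "internal/0.168.192.in-addr.arpa.zone"; notify no;
    };
    zone "prcdigital.com" {
        // private addresses only: prcserver/www/ftp -> 192.168.0.2
        type master; file "internal/prcdigital.com.zone"; notify no;
    };
};

view "external" {
    match-clients { any; };
    recursion no;                       // never recurse for Internet clients
    zone "prcdigital.com" {
        // public addresses only: ns1/www/ftp -> 66.35.133.90,
        // NS records for ns1.prcdigital.com. and ns1.deltacom.net.
        type master;
        file "external/prcdigital.com.zone";
        allow-transfer { 192.0.2.53; }; // ISP secondary only (placeholder)
    };
};
```

The internal zone file carries nothing but 192.168.0.2 addresses and names prcserver.prcdigital.com. as its NS, the external one carries only 66.35.133.90 with ns1.deltacom.net. as the second NS, and neither file mentions the other's addresses. LAN hosts then point resolv.conf at 192.168.0.2, and the firewall forwards TCP and UDP port 53 to the server only if the ISP really does let you act as public primary, which freebsd doubts above; if it does not, drop the external view and keep just the LAN-only option 1.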

alright thanks