This is a discussion on Re: Preliminary questions before installing Primary DNS server within the Bind Users forums, part of the DNS and Related Forums category.

Keith wrote:
> Hi, I was hoping to set up 2 separate www, dns, and mail servers, and
> have them serve as backups for each other. Here are the two machines
> I've got to work with:
>
> Primary DNS server for xtechsolutions.net (Secondary DNS server for
> jerichoroad.net)
> NetBSD 1.6.1 running BIND 9.2.3
> -----------------------------------------------------
>   Cable modem
>   Domain Name: xtechsolutions.net
>   External NIC: 24.56.85.10 (static)
>   Internal NIC: 192.168.1.1
>
> Primary DNS server for jerichoroad.net (Secondary DNS server for
> xtechsolutions.net)
> NetBSD 1.6.1 running BIND 9.2.3
> -----------------------------------------------------
>   ADSL modem
>   Domain Name: xtechsolutions.net
>   External NIC: 216.206.233.187 (static)
>   Internal NIC: 10.0.0.1
>
> I've read portions of Cricket's DNS & BIND, 4th ed, and the DNS & BIND
> on NETBSD guide. I worked through the example setup in the NetBSD
> guide, and *think* I've got a fairly good handle on the configuration
> files. But I'm completely confused about where internal and external
> addresses actually fit into things (which shows that I don't have a
> fairly good handle on anything) ;)
>
> If my hostname is xtechsolutions.net, and resolves to 24.56.85.10, to
> what IP do I assign the name NS1.xtechsolutions.net (assuming the same
> box is serving as web and dns server)? 192.168.1.1? I don't even
> know if I'm making my question clear; my background is serial
> communications, not TCP/IP, so I may just be missing something very
> silly.
>
> In using the BIND and NAMED on NETBSD guide, the author uses the
> following example:
>
> --------------------------
> Begin example
> -------------------------
> domain to delegate: example.com
> primary dns server for example.com: ns.example.com
> ns.example.com IP address: 10.0.0.1
> secondary dns server for example.com: ns.other.com
> ns.other.com IP address: 172.16.0.1
>
> Here is how it is going to look in the parent/name registry DNS
> zone:
> ;
> ; Delegate example.com to ns.example.com DNS
> ;
>
> Name            CLASS  TTL    TYPE  RR Data
> example.com     86400  IN     NS    ns.example.com
>                 86400  IN     NS    ns.other.com
> ns.example.com  86400  IN     A     10.0.0.1
> ns.other.com    86400  IN     A     10.0.0.2   (NOTE: why is this not 172.16.0.1?)
>
> The last 2 lines are called glue records. A glue record is an A record
> where the name appears on the right hand side of an NS record.
> Here's the named.conf file taken from the example in the BIND & NAMED
> on NETBSD guide.
>
> ------------------------------
> End Example
> ------------------------------
>
> I'm unclear as to whether to use my external IPs, which would
> translate as:
>
> domain to delegate: xtechsolutions.net
> primary dns server for xtechsolutions.net: ns.xtechsolutions.net
> ns.xtechsolutions.net IP address: 24.56.85.10
> secondary dns server for xtechsolutions.net: ns.jerichoroad.net
> ns.jerichoroad.net IP address: 216.206.233.187
>
> Name                   CLASS  TTL    TYPE  RR Data
> xtechsolutions.net     86400  IN     NS    xtechsolutions.net
>                        86400  IN     NS    ns.jerichoroad.net
> ns.xtechsolutions.net  86400  IN     A     24.56.85.10
> ns.jerichoroad.net     86400  IN     A     216.206.233.187   (NOTE: ???)
>
> Or whether to use my external IPs, which would translate as:
>
> domain to delegate: xtechsolutions.net
> primary dns server for xtechsolutions.net: ns.xtechsolutions.net
> ns.xtechsolutions.net IP address: 192.168.1.1
> secondary dns server for xtechsolutions.net: ns.jerichoroad.net
> ns.jerichoroad.net IP address: 10.0.0.1
>
> Name                   CLASS  TTL    TYPE  RR Data
> xtechsolutions.net     86400  IN     NS    xtechsolutions.net
>                        86400  IN     NS    ns.jerichoroad.net
> ns.xtechsolutions.net  86400  IN     A     192.168.1.1
> ns.jerichoroad.net     86400  IN     A     10.0.0.1   (NOTE: ???)
>
> I want to "get it", and I don't mind reading. The docs I've read all
> seem to use private network addresses and I just don't understand
> what's going on. I will be happy to provide config files, but I
> thought it was pointless at this point.
>
> I would have assumed that NS.xtechsolutions.net would have to be
> assigned to an external IP (24.56.85.10) in order for it to be seen.
> Is it the case that as long as xtechsolutions.net is assigned to
> 24.56.85.10, any subdomains are also reachable? I'm lost.
>
> I also have read that since one of these boxes is fed by a cable
> modem, I may have a problem with DNS. If so, I think I can find
> someone else to provide backup. I do know that the ADSL provider
> allows www, mail, dns server setup.

A lot of examples use private addressing because the authors of the examples are scared to death that if they put a public address in an example, legions of clueless users will leave that address in their configs and whoever is unfortunate enough to have that public address will get bombarded with nuisance traffic. But the thing to remember is to *never* publish private addresses on the public Internet.

This then raises the question: how do your internal clients get to your websites? You might be able to arrange this through your firewall, i.e. arrange for all accesses to the particular external address from an internal client to get "short-circuited" to the internal box instead, but not all firewalls (especially the low-end ones) are capable of this.

Another approach is to have the same names resolve differently in your internal DNS than they do in your external DNS, so-called "split DNS". With BIND, you can do this by running separate BIND instances on separate boxes, separate BIND instances on the same box listening on different addresses, or within a single BIND instance using the "view" feature (which can present different DNS "universes", differentiating by the source address of the query).

All of this is covered in the "DNS and Internet Firewalls" section of the _DNS_and_BIND_ book...

- Kevin
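As an added illustration of the two points Kevin makes (externally published zone data must carry only public addresses, and a nameserver named inside the zone needs a glue A record), here is a small pre-publication lint for the external half of a split-DNS setup. It is example code written for this page, not something from the thread or from BIND. The records are constructed from the names and addresses Keith posted and laid out in the Name/TTL/CLASS/TYPE/RData column order used in the quoted guide; `lint_external_zone` and its sample inputs are this example's own names.

```python
"""Lint zone data before it is published to the external (Internet-facing) DNS.

Two checks, matching the advice in the thread:
  1. No private, loopback or link-local address may appear in external data.
  2. Every NS target that lies inside the zone itself needs an A/AAAA (glue) record.
"""
import ipaddress

# Constructed sample: the external view of xtechsolutions.net, using the
# public addresses from the thread. Layout: name ttl class type rdata.
EXTERNAL_ZONE = """
xtechsolutions.net.      86400 IN NS ns.xtechsolutions.net.
xtechsolutions.net.      86400 IN NS ns.jerichoroad.net.
ns.xtechsolutions.net.   86400 IN A  24.56.85.10
www.xtechsolutions.net.  86400 IN A  24.56.85.10
"""

# Constructed sample: the same names pointed at the internal NIC address.
# Fine for the internal view, wrong if it ever reaches the public Internet.
INTERNAL_LEAK = """
xtechsolutions.net.      86400 IN NS ns.xtechsolutions.net.
ns.xtechsolutions.net.   86400 IN A  192.168.1.1
www.xtechsolutions.net.  86400 IN A  192.168.1.1
"""

# Constructed sample: NS points at a host inside the zone, but no A record
# exists for it, so resolvers have no glue to reach the server.
MISSING_GLUE = """
xtechsolutions.net.      86400 IN NS ns.xtechsolutions.net.
www.xtechsolutions.net.  86400 IN A  24.56.85.10
"""


def parse_records(text):
    """Parse 'name ttl class type rdata' lines; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, ttl, klass, rtype, rdata = line.split(None, 4)
        records.append((name.lower(), int(ttl), klass.upper(), rtype.upper(), rdata))
    return records


def lint_external_zone(zone_name, text):
    """Return a list of findings; an empty list means the data is safe to publish."""
    zone = zone_name.lower().rstrip(".") + "."
    records = parse_records(text)
    findings = []

    # Names that have an address record, used for the glue check below.
    has_address = {name for name, _, _, rtype, _ in records if rtype in ("A", "AAAA")}

    for name, _, _, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if addr.is_private or addr.is_loopback or addr.is_link_local:
                findings.append(f"{name} {rtype} {rdata}: non-public address in external zone data")
        elif rtype == "NS":
            ns = rdata.lower()
            in_bailiwick = ns == zone or ns.endswith("." + zone)
            # Out-of-zone nameservers (e.g. ns.jerichoroad.net.) are resolved
            # via their own zone, so glue is only required for in-zone names.
            if in_bailiwick and ns not in has_address:
                findings.append(f"{name} NS {ns}: in-zone nameserver has no A/AAAA glue record")
    return findings


if __name__ == "__main__":
    for label, data in (("external", EXTERNAL_ZONE),
                        ("internal-leak", INTERNAL_LEAK),
                        ("missing-glue", MISSING_GLUE)):
        result = lint_external_zone("xtechsolutions.net", data)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  " + finding)
```

Running it reports the first sample as clean, flags both 192.168.1.1 records in the second, and flags the missing glue in the third. In a real deployment the same check would be run over the zone files loaded by the external view (or the external BIND instance) before reload, while the internal view is free to carry the 192.168.1.1 and 10.0.0.1 answers.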