[ale] DNS Questions

Jerald Sheets jsheets at yahoo.com
Thu Nov 18 09:45:40 EST 2004


You may already be in luck.

FC2 came with BIND in a chroot jail already preconfigured. I haven't
looked, but I think FC3 has followed suit.

What you're probably looking for is what is called a "split DNS"
configuration where your DMZ DNS server(s) are outward resolving/looking,
and your internal is inward only.

Having said that, keep in mind that you can still refer to www.blah.com from
inside your private network, and if configured correctly, your router will
route to the appropriate box, regardless of private interface.

I have a NAT box doing translation to my internal systems (all of which have
private IPs), but I refer to them all by their public names.  The NAT box
sends my requests to the appropriate internal machines.  I just keep up with
their public IP designations on the DNS boxes (2) and everything works
without having to fiddle with the private IP space.

--Jerald


> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Cordell, Ron
> Sent: Thursday, November 18, 2004 9:32 AM
> To: ale at ale.org
> Subject: [ale] DNS Questions
> 
> Hi everyone,
> 
> I'm new to the list, but not necessarily to the group :)
> 
> I have a couple of DNS questions I was hoping people could help me out
> with.
> 
> The first question is network topology and where to deploy DNS servers.
> Let's say I have a segmented network, with a DMZ in front of a firewall,
> and then two or three separate networks behind the firewall. I need to
> set up DNS so that all these servers can resolve their private,
> "internal" names, but also so that the machines in the DMZ can use the
> DNS. Seems like I need a DNS primary/secondary pair in the DMZ, and also
> another DNS in each network segment behind the firewall. Can anyone
> steer me to a good place to get a good understanding of how I should set
> this sort of thing up?
> 
> The second question is about how to secure bind. We are using Fedora
> Core 3. I've been reading that bind should be in a chroot jail. This
> sounds like a pretty good practice. What other suggestions do people
> have for securing bind?
> 
> Thanks in advance for pointing me in the right direction.
> 
> Ron Cordell
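
One way to lay out the split DNS arrangement discussed in this thread, as an added example that is not part of either poster's message: a DMZ server that is authoritative for the public zone and recurses only for the internal servers, and an internal server that holds the private zone and forwards everything else to the DMZ. The zone names, addresses, ACL names and file names are constructed placeholders; the two halves belong in separate named.conf files on separate hosts.

```conf
// ===== named.conf on the DMZ server (outward looking) =====
// All addresses below are constructed placeholders.
acl "dmz-secondary" { 192.0.2.54; };            // the DMZ secondary
acl "internal-dns"  { 10.0.1.53; 10.0.2.53; };  // internal servers that forward here

options {
    directory "/var/named";
    allow-query     { any; };              // anyone may ask about the public zone
    allow-recursion { "internal-dns"; };   // recurse only for the internal servers
    allow-transfer  { "dmz-secondary"; };  // zone transfers only to the secondary
    version "not disclosed";               // do not advertise the BIND version
};

zone "example.com" {
    type master;
    file "example.com.public.zone";        // public names and public IPs only
};

// ===== named.conf on an internal server (inward only) =====
acl "internal-nets" { 127.0.0.1; 10.0.0.0/8; }; // clients behind the firewall

options {
    directory "/var/named";
    allow-query     { "internal-nets"; };  // never answers outside clients
    allow-recursion { "internal-nets"; };
    allow-transfer  { none; };             // list internal secondaries here if any
    forwarders      { 192.0.2.53; };       // the DMZ server above
    forward only;                          // no direct queries to the Internet
};

zone "corp.example.com" {
    type master;
    file "corp.example.com.internal.zone"; // private names and private addresses
};
```

With this layout the firewall only needs to pass DNS from the internal servers to the DMZ server, and the private zone data never exists on a host that Internet clients can query.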


