[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
DNS -- resolution conflicts, subdomaining recommendations,classless reverse zones
From: "Stephen D. Reindl" <sreindl@apci.net>
> I have a webserver at 172.16.64.169 private and 206.XXX.XXX.XX6
> public.  The domain resolves just fine for everyone outside of my LAN.
> The domain will not resolve inside the LAN, in other words if I put
> http://www.mydomain.com into the address bar of my favorite web
> browser, I get the default apache test page on the firewall/router
> which is at 206.XXX.XXX.XX1. How can I make the domain resolve
> correctly from inside the LAN?
First off, you need to maintain _two_separate_ DNS servers at a minimum,
one private and one public.  The private DNS server is internal to your
LAN and all of your internal LAN nodes use it first.  Furthermore, it
would probably be safest if they just used the private DNS server
_solely_, and the private DNS server acts as a "forwarder" for all
requests for internal clients.
Secondly, you should _always_ "subdomain" your internal LAN from your
main domain.  That way you _never_ run into resolution conflicts where
you don't know if you are looking for an internal resource or an
external one.  Additionally, I even subdomain my external one as well,
and then use CNAMEs for the main domain.  That way I can switch who is
providing the public services at any time.
For example, let's say I have an Orlando office with a private LAN
(172.16.64.169) and a DMZ (206.XXX.XXX.XX6).  Here might be my DNS
zones:  
FILE:  orlando.mydomain.com 
  $ORIGIN orlando.mydomain.com
; forward zone for 172.16.64.169 subnet
FILE:  64.16.172.in-addr.arpa
  $ORIGIN 64.16.172.in-addr.arpa
; reverse zone for 172.16.64.169 subnet
FILE:  dmzorlando.mydomain.com
  $ORIGIN dmzorlando.mydomain.com
; forward zone for 206.XXX.XXX.XX6 subnet
FILE:  XXX-CC.XXX.XXX.206.in-addr.arpa
  $ORIGIN XXX/CC.XXX.XXX.206.in-addr.arpa
; reverse zone for 206.XXX.XXX.XXX/CC in RFC2317 Classless Delegation
; http://www.dns.net/dnsrd/rfc/rfc2317.html
; Check with ISP on how they are doing reverse DNZ for subnets
; There are 2 ways to delegate non-A/B/C class reverse DNS via RFC2317
; NOTE:  "CC" is CIDR notation for subnet mask (may or may not be used)
FILE:  mydomain.com
  $ORIGIN mydomain.com
; forward zone for mydomain.com
; CNAME entries to dmzorlando.mydomain.com
Now your internal nodes should have your DNS server for your internal
DNS.  E.g., their /etc/resolv.conf reads:   
  nameserver 172.16.64.XXX
If you have 2 servers, put two 172.16.64.XXX lines in there with their
appropriate IPs.  Do _not_ put the public DNS server address in there. 
There is a reason for this.  If your private DNS server(s) is(are) not
available, you don't want your LAN nodes going out.
Instead, put a "forwarders" line in the global "options" section of the
private DNS server to reference the public DNS server:
options {
  forwarders "<public DNS server IP>";
};
Now if your private DNS server(s) can't resolve a name, they pump it up
to the public DNS server.  In actuality, it doesn't need to be _your_
public DNS server, but _any_ public DNS server.  But typically you want
it to be your public DNS server, as any changes you make to your public
DNS server will propogate the fastest versus using another public DNS
server.
-- 
Bryan J. Smith, E.I. -- Engineer, Technologist, School Teacher
b.j.smith@ieee.org
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.