George Davidovich wrote:
On Sat, Sep 06, 2008 at 07:28:28PM -0600, Andrew Falanga wrote:
Well, my clients at church are still having issues and after working with
George, a respondent to my original questions, I think that most, if not all,
of my problems are related to DNS and how we've got it improperly configured.
First, a crude drawing of how our mail server exists in the world:
  192.168.2.x/24        72.24.23.252        "lots of networks"
  Private Network <-->    CableOne    <-->      Internet
Now, our mail server's IP is 192.168.2.23. On the router, he (the person at
whose house the mail server is) has IP forwarding set up so that mail gets
sent to our FreeBSD machine. Using dig, here are the responses:
(from my FBSD machine at home, not the server)
[/usr/home/andy] -> dig +short -t MX whitneybaptist.org
10 mail.whitneybaptist.org.
[/usr/home/andy] -> dig +short -t A whitneybaptist.org
72.24.34.252
[/usr/home/andy] -> dig +short -x 72.24.34.252
34-252.72-24-cpe.cableone.net.
(from the church FBSD machine)
[/home/afalanga] -> hostname
whitbap
[/home/afalanga] -> ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.2.23 netmask 0xffffff00 broadcast 255.255.255.255
ether 00:d0:b7:74:87:48
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
[/home/afalanga] -> cat /etc/resolv.conf
search McCutchanLAN
nameserver 192.168.2.1
It doesn't take a rocket scientist, or a computer scientist, to figure out
we've got DNS issues. I'm thinking that I should set up a domain within the
192.168.2.0/24 network on this box. I've done this before, at work. The
question I've got is I've never actually integrated a domain like this to a
domain on the Internet. I'm thinking that we'll set up something like:
internal.whitneybaptist.org with hosts in that sub-domain.
So, what would my DNS tables need to look like to make this happen? Also, to
any knowledgeable souls here, what RFCs address these issues?
Hello again, Andy.
What you're asking is actually a FAQ, but I'll spell things out anyway.
The following excerpt from RFC 1918 is most relevant:
If an enterprise uses the private address space, or a mix of
private and public address spaces, then DNS clients outside of
the enterprise should not see addresses in the private address
space used by the enterprise, since these addresses would be
ambiguous. One way to ensure this is to run two authority
servers for each DNS zone containing both publically and
privately addressed hosts. One server would be visible from the
public address space and would contain only the subset of the
enterprise's addresses which were reachable using public
addresses. The other server would be reachable only from the
private network and would contain the full set of data,
including the private addresses and whatever public addresses
are reachable the private network. In order to ensure
consistency, both servers should be configured from the same
data of which the publically visible zone only contains a
filtered version. There is certain degree of additional
complexity associated with providing these capabilities.
That's a roundabout way of saying you can't "mix and match" private
non-routable addresses with public addresses in the same namespace.
Note the "authoritative" part. Until CableOne delegates your assigned
netblock to your organisation, your public DNS server will not be
authoritative (it currently isn't!) for 72.24.34.252. You can reference
RFC 2317 (classless in-addr.arpa delegation) for how that works. As to
why you must be authoritative, I've already pointed out off-list how Bad
Things can happen when you're not, especially in regards to email where
reverse lookups are integral to How Things Work.
I could be wrong, but I think they've done something like this. I
administered DNS on an OpenBSD machine (2 of them actually) back in
2000-2001. Since then, I've done nothing with DNS administration. I'm
wondering what I need to get from CableOne to get this done. Here's the
result of a dig, on that mail server, for the IP address 72.24.34.252:
[/home/afalanga] -> dig -x 72.24.34.252
; <<>> DiG 9.3.3 <<>> -x 72.24.34.252
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19747
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;252.34.24.72.in-addr.arpa. IN PTR
;; ANSWER SECTION:
252.34.24.72.in-addr.arpa. 86333 IN PTR 34-252.72-24-cpe.cableone.net.
;; AUTHORITY SECTION:
24.72.in-addr.arpa. 75566 IN NS NS1.cableone.net.
24.72.in-addr.arpa. 75566 IN NS NS2.cableone.net.
;; ADDITIONAL SECTION:
NS1.cableone.net. 3507 IN A 24.116.0.201
NS2.cableone.net. 69544 IN A 24.116.0.202
;; Query time: 16 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Wed Sep 10 19:53:27 2008
;; MSG SIZE rcvd: 154
Notice that the answer section points to 34-252.72-24-cpe.cableone.net.
I don't remember the exact syntax but the delegation that our ISP did
for this, according to RFC 2317 (thanks by the way), looked very similar
to that. I wonder what it is they're doing.
As for other RFCs, I'd suggest instead starting with a careful reading
of the Bind ARM at http://www.isc.org/sw/bind/, followed by a once-over
of the Bind FAQ, and possibly the FreeBSD-supplied configuration files.
To save you some time, the following abbreviated context-specific
examples should explain things more clearly and get you started:
Example 1: Two domains and two separate (sets of) name servers:
On the ns.whitneybaptist.org machine:
zone "whitneybaptist.org" {
    type master;
    file "master/whitneybaptist.org";
};
zone "252.34.24.72.in-addr.arpa" {
    type master;
    file "master/db.72.24.34.252";
};
On the ns.internal.whitneybaptist.org machine:
zone "internal.whitneybaptist.org" {
    type master;
    file "master/internal.whitneybaptist.org";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/db.192.168.1";
};
# slave whitneybaptist.org zones here
The contents of /etc/resolv.conf for internal hosts:
domain internal.whitneybaptist.org
nameserver 192.168.1.X
Example 2: One domain and a single (set of) name server(s) employing
Bind's "view" feature:
acl "lan_hosts" { 192.168.1/24; 192.168.2/24; };
key "external" {
    algorithm hmac-md5;
    secret "XXXXXXX==";
};
view "internal" {
    # LAN clients, except any that sign their queries with the "external" key
    match-clients { !key external; lan_hosts; };
    allow-recursion { lan_hosts; };
    zone "whitneybaptist.org" {
        type master;
        file "master/whitneybaptist.org.internal";
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "master/db.192.168.1";
    };
};
view "external" {
    # everyone else, plus any client that signs with the "external" key
    match-clients { key external; any; };
    recursion no;
    zone "whitneybaptist.org" {
        type master;
        file "master/whitneybaptist.org.external";
    };
    zone "252.34.24.72.in-addr.arpa" {
        type master;
        file "master/db.72.24.34.252";
    };
};
The contents of /etc/resolv.conf for internal hosts:
domain whitneybaptist.org
nameserver 72.24.34.252
# Note: if 'nameserver' is NAT-ed, you'd use its
# internal address instead
You'll have to decide for yourself which approach works best for you.
- If you opt for 2 domains, you'll need to reconfigure all your
internal hosts, and then add more machines to serve up DNS for those
hosts.
- If you opt for one domain and use Bind's view feature, you can leave
your internal hosts alone (assuming they're already part of the
whitneybaptist.org domain) and skip the requirement for additional
machines, but your DNS configuration will be a little more complex.
Thanks. I think I'm finally starting to wrap my mind around this and
I'm on the right track.
Andy
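
Added example (not part of the original thread, and not code from either poster): the RFC 1918 excerpt above says both servers should be configured from the same data, with the public zone a filtered version. The sketch below derives the external record set from one full data set and reports any private address that would leak. The record list is constructed sample data; host names other than "mail" and "whitbap" are hypothetical, and SOA/NS records are omitted.

```python
import ipaddress

# RFC 1918 private blocks; addresses in these must not reach external clients.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the full (internal) data set as (name, type, rdata).
FULL_ZONE = [
    ("@",       "MX",    "10 mail.whitneybaptist.org."),
    ("@",       "A",     "72.24.34.252"),
    ("mail",    "A",     "72.24.34.252"),
    ("whitbap", "A",     "192.168.2.23"),
    ("printer", "A",     "192.168.2.40"),   # hypothetical host
    ("files",   "CNAME", "whitbap"),        # hypothetical alias
]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def leaks(records):
    """A records that would expose RFC 1918 space if served publicly."""
    return [r for r in records if r[1] == "A" and is_private(r[2])]

def external_view(records):
    """Split the full data set into (kept, dropped) for the public zone."""
    private = {n for n, t, d in records if t == "A" and is_private(d)}
    public = {n for n, t, d in records if t == "A" and not is_private(d)}
    private_only = private - public
    kept, dropped = [], []
    for rec in records:
        name, rtype, rdata = rec
        if rtype == "A" and is_private(rdata):
            dropped.append(rec)
        elif rtype == "CNAME" and rdata in private_only:
            dropped.append(rec)   # alias to an internal-only name would dangle
        else:
            kept.append(rec)
    return kept, dropped

def render(records, origin="whitneybaptist.org."):
    """Render records as zone-file lines (SOA and NS left out)."""
    body = [f"{n:<8} IN {t:<5} {d}" for n, t, d in records]
    return "\n".join([f"$ORIGIN {origin}"] + body)

if __name__ == "__main__":
    kept, dropped = external_view(FULL_ZONE)
    print(render(kept))
    print("; dropped from external view:", [r[0] for r in dropped])
```

Running leaks() over an existing external zone's records is a quick check that nothing private has crept in by hand.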