04-25-2008   #1
gaurav9gupta
Just Joined!
 
Join Date: Aug 2007
Posts: 2
Linux DNS in DMZ Zone

Hi Linux Gurus,

I need help for Linux DNS on which I can enable security for my organisation.
Hope I will be able to do below mentioned (# 3 & # 4) through Linux DNS.
LINUX DNS server is in Cisco Firewall DMZ zone.

I have four queries:

1. Linux DNS should be able to resolve the DNS query for internet. (I can do this).

2. Linux DNS should send resolution of my domain xyz.com, zone hosted on server. (I can do this).


NEED HELP FOR BELOW MENTIONED Queries

3. Any other query for any domain other than xyz.com domain should not be resolved.

4. Should reply queries from authoritative server for xyz.com domain should be resolved.

PLEASE HELP!!!

Thanks in Advance
Gaurav
04-25-2008   #2
wildpossum
Just Joined!
 
Join Date: Apr 2008
Location: Sydney/Australia
Posts: 74
Firstly I am not a DNS experienced person but generally;

A> You need to ensure that the /etc/resolv.conf file in each end-point machine has the correct domainname, domainsearchnames within. Usually your DHCP service would set these up, as I am sure our organisation has done so already.

B> If I understand your point 3. you don't want any other domain to be resolved? The main point of DNS is to resolve domains somewhere along the path, so unless you want to hide an owned domain within your organisation (I couldn't see why) why would you want to you would do it this way? Simply don't add it to your DNS service.

C> Your point 4., should be not a problem but you need to read up on HOW-TO. I strongly suggest you do a google search on Linux DNS HOWTO and go from there.

Cheers.
__________________
Grahame
AMD Phenom(QuadCore), 8GB, 3ware RAID6 1.8TB, HD3850(512MB) ..etc.
04-25-2008   #3
gaurav9gupta
Just Joined!
 
Join Date: Aug 2007
Posts: 2
Hi Grahame,

Thanks for your inputs.

Regarding Point # 3 & 4 I will clarify more that:

I don't want to hide my domain inside my organisation. I need to block domain other than my xyz.com domain from internet. In simple words any internet user should not use my DNS IP address for resolving domain other than xyz.com domain.

Hope it will clarify why I need point #3 on Linux DNS.

If you please suggest design of linux DNS then it would be great because I have placed DNS in Cisco PIX DMZ and static Nat DMZ IP with public IP address.

Thanks,
Gaurav
05-14-2008   #4
tituskalvarija
Just Joined!
 
Join Date: May 2008
Posts: 1
you can use VIEW in named.conf

Quote:
view "<view-name>" — Creates special views depending upon the host contacting to the nameserver. This allows some hosts to receive one answer regarding a particular zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones.
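
The view approach suggested in post #4, applied to points 3 and 4 of the question, as an added example that is not from the original thread. The `trusted` ACL name, the 192.0.2.0/24 client range and the zone file name are assumptions; `xyz.com` is the poster's placeholder domain.

```conf
// named.conf fragment (constructed example; addresses and paths are placeholders)

// Hosts that are allowed to use this server as a recursive resolver.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;          // assumed internal client range, replace with your own
};

options {
    directory "/var/named";
};

// Views are matched top to bottom; the first matching view handles the query.
// Once views are used, every zone must live inside a view.

// Trusted clients: full recursion for internet names (point 1),
// plus the locally hosted zone (point 2).
view "internal" {
    match-clients { "trusted"; };
    recursion yes;
    allow-recursion { "trusted"; };

    zone "xyz.com" {
        type master;
        file "xyz.com.zone";
    };
};

// Everyone else, including internet hosts arriving through the static NAT:
// authoritative answers for xyz.com only (point 4), no recursion and
// no answers from cache for any other domain (point 3).
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "xyz.com" {
        type master;
        file "xyz.com.zone";
        allow-query { any; };
    };
};
```

Run `named-checkconf` on the file before reloading. From an outside host, `dig @<server> xyz.com SOA` should come back with the `aa` flag set, while a query for any other domain should return status `REFUSED`.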