  1. #1
    Just Joined!
    Join Date
    Aug 2008
    Location
    Penrose, Colorado
    Posts
    5

    Advice Required Regarding DNS

    First of all, I'm a novice, so I apologize in advance if some of my theory is rusty.

    I'm currently using CentOS
    2.6.18-92.1.13.el5 #1 SMP i686 athlon i386 GNU/Linux

    I have my box, running at home. I use it as a firewall (Shorewall) for the computers here, and as an Asterisk box. I am also hosting my personal website on the box, and want to eventually move my mail from a third party server over to my own box. I run DHCPD to issue private IPs to the hosts within my firewalled network, and use NAT & masquerading to let them talk to the world.

    This box is connected to the internet by a broadband connection, and its IP is assigned via DHCP through the ISP.

    I'm using ZoneEdit to dynamically update the domain I point to the box, via ddclient..

    I have what I think is the correct setup, but I'm not happy with the configuration, and need some advice about what to do..

    I'll use example.com to protect the innocent.

    I have example.com registered and set up through Zone Edit, with their name servers. I have named my box gateway.example.com and have Zone Edit direct that name to my dynamic IP that the broadband modem gives me.

    All the hosts inside the private IP zone are named:

    foo.gateway.example.com
    bar.gateway.example.com

    What I really want is
    foo.example.com
    bar.example.com

    I know that I have to make gateway.example.com a name server, and that any requests for foo.example.com must be served by gateway.example.com and not example.com. For the life of me, I cannot get this to happen.. Perhaps I cannot because of the private IPs, or because I haven't set the Zone Edit servers as a slave???
    (I haven't a clue on how to do that, and the documentation is clear as mud)

    All I do know, is that it works as foo.gateway.example.com, but not foo.example.com, and I really... REALLY want it to work that way..

    Secondly, I want to have my own root.hints, and not forward my dns requests to my ISP.

    (I may consider OpenDNS or some other DNS provider, as my ISP is considering use of a Phorm-like solution. The only problem is I cannot get it to work without the forwarders.. )

    Here is the copy of my named.conf
    Code:
    acl example-com { 192.168.0.0/24; 127.0/8; };
    options {
        allow-query { example-com; };

        forwarders { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XX; }; # IP of upstream ISP nameserver(s)
        forward only;

        directory "/var/named/chroot/var/named"; // the default
        dump-file           "data/cache_dump.db";
        statistics-file     "data/named_stats.txt";
        memstatistics-file  "data/named_mem_stats.txt";
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    key ddns_key {
        algorithm hmac-md5;
        secret "My RNDC Key Goes Here";
    };

    # Forward Zone for gateway.example.com domain
    zone "gateway.example.com" IN {
        type master;
        file "gateway.example.com.zone";
    };

    # Reverse Zone for gateway.example.com domain
    zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
    };
    This is my zone file for gateway.example.com.zone
    Code:
    $TTL 1D
    
    gateway.example.com. IN SOA gateway.example.com. support.example.com. (
    200612060 ; serial
    2H ; refresh slaves
    5M ; retry
    1W ; expire
    1M ; Negative TTL
    )
    
    @ IN NS gateway.example.com.
    
    gateway.example.com. IN A 192.168.0.1 ; CentOs server
    voipgate.gateway.example.com. IN A 192.168.0.5 ; VOIP network gate
    office.gateway.example.com. IN A 192.168.0.10 ; Office Computer
    foo.gateway.example.com. IN A 192.168.0.15 ; MediaCenter
    bar.gateway.example.com. IN A 192.168.0.20 ; CobaltSvr Rack3
    
    ; aliases
    www IN CNAME gateway.example.com. ; WWW server
    virtual IN CNAME gateway.example.com ; virtual WWW tests
    mail IN CNAME gateway.example.com ; mail tests host
    
    ; DHCP Clients
    dhcp00.gateway.example.com. IN A 192.168.0.100
    dhcp01.gateway.example.com. IN A 192.168.0.101
    dhcp02.gateway.example.com. IN A 192.168.0.102
    dhcp03.gateway.example.com. IN A 192.168.0.103
    dhcp04.gateway.example.com. IN A 192.168.0.104
    dhcp05.gateway.example.com. IN A 192.168.0.105
    dhcp06.gateway.example.com. IN A 192.168.0.106
    dhcp07.gateway.example.com. IN A 192.168.0.107
    dhcp08.gateway.example.com. IN A 192.168.0.108
    dhcp09.gateway.example.com. IN A 192.168.0.109
    dhcp10.gateway.example.com. IN A 192.168.0.110
    
    @ IN MX 10 mail.gateway.example.com.
    Here is the 192.168.0.zone

    Code:
    $TTL 1D
    
    @ IN SOA gateway.example.com. support.example.com. (
    200612060 ; serial
    2H ; refresh slaves
    5M ; retry
    1W ; expire
    1M ; Negative TTL
    )
    
    @  IN NS gateway.example.com.
    1  IN PTR gateway.example.com 
    5  IN PTR voipgate.gateway.example.com 
    10 IN PTR office.gateway.example.com 
    15 IN PTR foo.gateway.example.com 
    20 IN PTR bar.gateway.example.com 
    
    100 IN PTR dhcp00.gateway.example.com 
    101 IN PTR dhcp01.gateway.example.com
    102 IN PTR dhcp02.gateway.example.com
    103 IN PTR dhcp03.gateway.example.com
    104 IN PTR dhcp04.gateway.example.com
    105 IN PTR dhcp05.gateway.example.com
    106 IN PTR dhcp06.gateway.example.com
    107 IN PTR dhcp07.gateway.example.com
    108 IN PTR dhcp08.gateway.example.com
    109 IN PTR dhcp09.gateway.example.com
    110 IN PTR dhcp10.gateway.example.com
    Finally this is the copy of the example.com zone from Zone Edit
    Code:
    $ORIGIN .
    $TTL 7200	; 2 hours
    example.com		IN SOA	ns3.zoneedit.com. soacontact.zoneedit.com. (
    				1222185848 ; serial
    				14400      ; refresh (4 hours)
    				7200       ; retry (2 hours)
    				950400     ; expire (1 week 4 days)
    				7200       ; minimum (2 hours)
    				)
    			NS	ns3.zoneedit.com.
    			NS	ns8.zoneedit.com.
    $TTL 300	; 5 minutes
    			A	XXX.XXX.XXX.XXX
    $TTL 7200	; 2 hours
    			MX	0 ASPMX.L.GOOGLE.COM.
    			MX	5 ALT1.ASPMX.L.GOOGLE.COM.
    			MX	10 ALT2.ASPMX.L.GOOGLE.COM.
    			MX	10 ASPMX2.GOOGLEMAIL.COM.
    			MX	15 ASPMX3.GOOGLEMAIL.COM.
    			TXT	"v=spf1 include:aspmx.googlemail.com ~all"
    			RP	gjdunga.example.com. example.com.
    $ORIGIN example.com.
    admin			CNAME	wfb.zoneedit.com.
    
    $TTL 300	; 5 minutes
    ftp			A	XXX.XXX.XXX.XXX
    gateway		A	XXX.XXX.XXX.XXX
    www			A	XXX.XXX.XXX.XXX
    Please help with what I need to do to get this working.. If I need to post more information, please let me know.. I've been working on this for some time, and every time I learn something new.

    Again, thank you in advance, please be kind on the newb.

    Gabriel Dungan

  2. #2
    Super Moderator Roxoff
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,865
    You need to specify your zone like this:

    Code:
    # Forward Zone for gateway.example.com domain
    zone "example.com" IN {
    type master;
    file "gateway.example.com.zone";
    };
    i.e., remove your 'gateway.example.com' from the name the DNS server sees.

    This will mean changing your zone files to include names like this:

    Code:
    dhcp00.example.com. IN A 192.168.0.100
    May I also suggest that you add the all-important '.' at the end of entries in your reverse-lookups file. You'll need to edit these anyway to look like this:

    Code:
    100 IN PTR dhcp00.example.com.
    All this should make things work the way you want, i.e. it will solve the problem. But I'd like to make another suggestion that may provide a more secure fix.

    Looking at your network you're running your firewall/gateway on the same machine as your essential services (asterisk, web server, etc.) and this presents a security risk - if anyone tries to hack your network and succeeds, they immediately have access to your core system.

    You may want to consider moving your DNS/DHCP/Firewall service off out to another machine. This'll free server resources, and will allow you to configure these services in isolation (i.e. on a machine with no regular users on it). I use this configuration and I use a smoothwall box to do the firewalling (i.e. an old PC with two network cards in it), which sits between my network and the big nasty internet. This allows the firewall to be configured by the experts, which leaves me free to do the important stuff with the services provided by the server.
    Linux user #126863 - see http://linuxcounter.net/

  3. #3
    Just Joined!
    Join Date
    Aug 2008
    Location
    Penrose, Colorado
    Posts
    5
    I've used smoothwall before, when I wasn't running any services at home, and enjoyed its use.

    However I've found that when you have a problem, the people over at smoothwall are nasty vile little creatures who would rather belittle one than help...

    That's why I took the leap, and tried other solutions like IPCop and even ClarkConnect before I decided that I needed to do this for myself and "Build it".

    I'm aware of the security precautions, and I was going to move some of the services over to "bar", as I have obtained a Cobalt RaQ 3 that I was going to house either the LAMP + mail or the Shorewall on.

    The problem is first I need to wrap my little head around this, and get it to work, before I get all fancy.. because I can't even get simple.

    See, the problem I'm having is that when I create office.example.com and then try to dig it, it's not listed on the Zone Edit DNS
    and therefore not reachable!!!!! If I say office.gateway.example.com it forces Zone Edit to look at my DNS on the system at home.. I don't know how (and/or am not comfortable) to make Zone Edit a slave to my DNS, but if I have to do that, how do I get past the private IP issue?

    That's what I'm trying to get my head around.
    Last edited by gjdunga; 10-13-2008 at 04:31 PM. Reason: to add details to my update
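As an added example (not code from the thread, from ZoneEdit or from BIND), here is a small Python audit that makes two points of the discussion concrete on constructed zone fragments written in the style of the posted files. For the second reply's trailing-dot point it expands relative names with the origin the way named does, so you can see what `1 IN PTR gateway.example.com` actually resolves to; for the private-address worry in the first and third posts it flags A records in RFC 1918 space, which outside resolvers could never use and which would leak the internal layout if the zone were ever handed to a public secondary. The parser is a deliberate simplification (`;` comments, parenthesised continuations, `$ORIGIN`, optional class and TTL fields only, not a full RFC 1035 reader), and every sample record, name and address is constructed for the example.

```python
import ipaddress
import re

# Constructed samples in the style of the thread's zone files: the reverse
# fragment repeats the missing-trailing-dot mistake, the forward one the 192.168.0.x addresses.
SAMPLE_REVERSE_ZONE = """\
$TTL 1D
@  IN SOA gateway.example.com. support.example.com. (
        200612060 ; serial
        2H 5M 1W 1M ) ; refresh retry expire negative-TTL
@  IN NS  gateway.example.com.
1  IN PTR gateway.example.com
15 IN PTR foo.example.com.
"""

SAMPLE_FORWARD_ZONE = """\
$TTL 1D
@ IN SOA gateway.example.com. support.example.com. ( 200612060 2H 5M 1W 1M )
@ IN NS gateway.example.com.
gateway.example.com. IN A 192.168.0.1
foo  IN A 192.168.0.15
www  IN CNAME gateway.example.com.
mail IN CNAME gateway.example.com
"""

NAME_TYPES = {"PTR", "CNAME", "NS", "MX"}   # rdata ends in a domain name
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")    # optional TTL field, e.g. 300 or 1D


def qualify(name, origin):
    """Expand a name as named does: '@' is the origin, a trailing dot means
    absolute, anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file reader (not a full RFC 1035 parser): strips ';'
    comments, joins ( ... ) continuations, tracks $ORIGIN, and returns
    (owner, type, rdata_tokens, origin_in_effect) tuples."""
    records, buf, depth, owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                       # still inside ( ... )
        logical, buf = " ".join(buf), []
        if logical.startswith("$ORIGIN"):
            origin = logical.split()[1]
            continue
        if logical.startswith("$"):        # $TTL and friends carry no record
            continue
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if not logical[0].isspace():       # new owner; otherwise inherit it
            owner = qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == "IN" or TTL_RE.fullmatch(tokens[0])):
            tokens.pop(0)                  # optional class and TTL fields
        records.append((owner, tokens[0].upper(), tokens[1:], origin))
    return records


def find_relative_targets(records):
    """Name-valued rdata without a trailing dot is relative, so named appends
    the origin; the PTR for 192.168.0.1 then answers with
    gateway.example.com.0.168.192.in-addr.arpa. instead of gateway.example.com."""
    return [(owner, rtype, rdata[-1], qualify(rdata[-1], origin))
            for owner, rtype, rdata, origin in records
            if rtype in NAME_TYPES and rdata and not rdata[-1].endswith(".")]


def is_private_ip(value):
    """True for RFC 1918 and other private space; False for unparsable text."""
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:                     # e.g. the thread's XXX.XXX.XXX.XXX placeholders
        return False


def find_private_addresses(records):
    """A records in private space: unusable by outside resolvers and a leak of
    internal layout if the zone were ever handed to a public secondary."""
    return [(owner, rdata[0]) for owner, rtype, rdata, _ in records
            if rtype == "A" and is_private_ip(rdata[0])]


if __name__ == "__main__":
    for text, origin in ((SAMPLE_REVERSE_ZONE, "0.168.192.in-addr.arpa."),
                         (SAMPLE_FORWARD_ZONE, "example.com.")):
        records = parse_zone(text, origin)
        print(f"== zone {origin}")
        for owner, rtype, target, expanded in find_relative_targets(records):
            print(f"  {rtype} {owner} -> '{target}' lacks a trailing dot; named reads it as {expanded}")
        for owner, addr in find_private_addresses(records):
            print(f"  A {owner} -> {addr} is private address space")
```

Run it against a real zone file by passing the file's text and the origin that named will use for it (the `zone "..."` name from named.conf, with a trailing dot). The relative-target check is the one to run before every reload: the expanded name it prints is exactly what a `dig -x` against the server would come back with, and `named-checkzone` will load such a zone without complaint because a relative name is syntactically valid.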
