- 10-13-2008 #1 Just Joined! (Join Date: Aug 2008; Location: Penrose, Colorado; Posts: 5)
Advice Required Regarding DNS
First of all, I'm a novice, so I apologize in advance if some of my theory is rusty.
I'm currently using CentOS
2.6.18-92.1.13.el5 #1 SMP i686 athlon i386 GNU/Linux
I have my box, running at home. I use it as a firewall (Shorewall) for the computers here, and as an Asterisk box. I am also hosting my personal website on the box, and want to eventually move my mail from a third party server over to my own box. I run DHCPD to issue private IPs to the hosts within my firewalled network, and use NAT & masquerading to let them talk to the world.
This box is connected to the internet by a broadband connection, and its IP is assigned via DHCP through the ISP.
I'm using ZoneEdit to dynamically update the domain I point to the box, via ddclient.
I have what I think is the correct setup, but I'm not happy with the configuration, and need some advice about what to do.
I'll use example.com to protect the innocent.
I have example.com registered and set up through Zone Edit, with their name servers. I have named my box gateway.example.com and have Zone Edit direct that name to the dynamic IP that the broadband modem gives me.
All the hosts inside the private IP zone are named:
foo.gateway.example.com
bar.gateway.example.com
What I really want is
foo.example.com
bar.example.com
I know that I have to make gateway.example.com a name server, and that any requests for foo.example.com must be served by gateway.example.com and not example.com. For the life of me, I cannot get this to happen.. Perhaps I cannot because of the private IPs, or because I haven't set the Zone Edit servers as a slave???
(I haven't a clue on how to do that, and the documentation is clear as mud)
All I do know, is that it works as foo.gateway.example.com, but not foo.example.com, and I really... REALLY want it to work that way..
Secondly, I want to have my own root.hints, and not forward my dns requests to my ISP.
(I may consider OPENDNS or some other dns provider, as my ISP is considering use of a Phorm like solution. The only problem is I cannot get it to work without the forwards.. )
Here is the copy of my named.conf
Code:
acl example-com { 192.168.0.0/24; 127.0/8; };
options {
    allow-query { example-com; };
    forwarders { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XX; };  # IP of upstream ISP nameserver(s)
    forward only;
    directory "/var/named/chroot/var/named";  // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
key ddns_key {
    algorithm hmac-md5;
    secret "My RNDC Key Goes Here";
};
# Forward Zone for gateway.example.com domain
zone "gateway.example.com" IN {
    type master;
    file "gateway.example.com.zone";
};
# Reverse Zone for gateway.example.com domain
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
};
This is my zone file for gateway.example.com.zone
Code:
$TTL 1D
gateway.example.com. IN SOA gateway.example.com. support.example.com. (
        200612060   ; serial
        2H          ; refresh slaves
        5M          ; retry
        1W          ; expire
        1M          ; Negative TTL
        )
@                             IN A     192.168.0.1    ; placeholder removed below
@                             IN NS    gateway.example.com.
gateway.example.com.          IN A     192.168.0.1    ; CentOs server
voipgate.gateway.example.com. IN A     192.168.0.5    ; VOIP network gate
office.gateway.example.com.   IN A     192.168.0.10   ; Office Computer
foo.gateway.example.com.      IN A     192.168.0.15   ; MediaCenter
bar.gateway.example.com.      IN A     192.168.0.20   ; CobaltSvr Rack3
; aliases
www     IN CNAME gateway.example.com.  ; WWW server
virtual IN CNAME gateway.example.com.  ; virtual WWW tests (trailing dot added; without it BIND reads the target as gateway.example.com.gateway.example.com.)
mail    IN CNAME gateway.example.com.  ; mail tests host (trailing dot added for the same reason)
; DHCP Clients
dhcp00.gateway.example.com.   IN A     192.168.0.100
dhcp01.gateway.example.com.   IN A     192.168.0.101
dhcp02.gateway.example.com.   IN A     192.168.0.102
dhcp03.gateway.example.com.   IN A     192.168.0.103
dhcp04.gateway.example.com.   IN A     192.168.0.104
dhcp05.gateway.example.com.   IN A     192.168.0.105
dhcp06.gateway.example.com.   IN A     192.168.0.106
dhcp07.gateway.example.com.   IN A     192.168.0.107
dhcp08.gateway.example.com.   IN A     192.168.0.108
dhcp09.gateway.example.com.   IN A     192.168.0.109
dhcp10.gateway.example.com.   IN A     192.168.0.110
@                             IN MX 10 mail.gateway.example.com.
Here is the 192.168.0.zone
Code:
$TTL 1D
@ IN SOA gateway.example.com. support.example.com. (
        200612060   ; serial
        2H          ; refresh slaves
        5M          ; retry
        1W          ; expire
        1M          ; Negative TTL
        )
@    IN NS  gateway.example.com.
1    IN PTR gateway.example.com
5    IN PTR voipgate.gateway.example.com
10   IN PTR office.gateway.example.com
15   IN PTR foo.gateway.example.com
20   IN PTR bar.gateway.example.com
100  IN PTR dhcp00.gateway.example.com
101  IN PTR dhcp01.gateway.example.com
102  IN PTR dhcp02.gateway.example.com
103  IN PTR dhcp03.gateway.example.com
104  IN PTR dhcp04.gateway.example.com
105  IN PTR dhcp05.gateway.example.com
106  IN PTR dhcp06.gateway.example.com
107  IN PTR dhcp07.gateway.example.com
108  IN PTR dhcp08.gateway.example.com
109  IN PTR dhcp09.gateway.example.com
110  IN PTR dhcp10.gateway.example.com
Finally, this is the copy of the example.com zone from Zone Edit
Code:
$ORIGIN .
$TTL 7200       ; 2 hours
example.com     IN SOA  ns3.zoneedit.com. soacontact.zoneedit.com. (
                        1222185848 ; serial
                        14400      ; refresh (4 hours)
                        7200       ; retry (2 hours)
                        950400     ; expire (1 week 4 days)
                        7200       ; minimum (2 hours)
                        )
                NS      ns3.zoneedit.com.
                NS      ns8.zoneedit.com.
$TTL 300        ; 5 minutes
                A       XXX.XXX.XXX.XXX
$TTL 7200       ; 2 hours
                MX      0 ASPMX.L.GOOGLE.COM.
                MX      5 ALT1.ASPMX.L.GOOGLE.COM.
                MX      10 ALT2.ASPMX.L.GOOGLE.COM.
                MX      10 ASPMX2.GOOGLEMAIL.COM.
                MX      15 ASPMX3.GOOGLEMAIL.COM.
                TXT     "v=spf1 include:aspmx.googlemail.com ~all"
                RP      gjdunga.example.com. example.com.
$ORIGIN example.com.
admin           CNAME   wfb.zoneedit.com.
$TTL 300        ; 5 minutes
ftp             A       XXX.XXX.XXX.XXX
gateway         A       XXX.XXX.XXX.XXX
www             A       XXX.XXX.XXX.XXX
Please help, with what I need to do to get this working.. If I need to post more information, please let me know.. I've been working on this for some time, and every time I learn something new.
Again, thank you in advance, please be kind on the newb.
Gabriel Dungan
- 10-13-2008 #2
You need to specify your zone like this:
Code:
# Forward Zone for gateway.example.com domain
zone "example.com" IN {
    type master;
    file "gateway.example.com.zone";
};
i.e., remove your 'gateway.example.com' from the name the DNS server sees.
This will mean changing your zone files to include names like this:
Code:
dhcp00.example.com. IN A 192.168.0.100
May I also suggest that you add the all-important '.' at the end of entries in your reverse-lookups file. You'll need to edit these anyway to look like this:
Code:
100 IN PTR dhcp00.example.com.
All this should make things work the way you want, i.e. it will solve the problem. But I'd like to make another suggestion that may provide a more secure fix.
Looking at your network you're running your firewall/gateway on the same machine as your essential services (asterisk, web server, etc.) and this presents a security risk - if anyone tries to hack your network and succeeds, they immediately have access to your core system.
You may want to consider moving your DNS/DHCP/Firewall service off out to another machine. This'll free server resources, and will allow you to configure these services in isolation (i.e. on a machine with no regular users on it). I use this configuration and I use a smoothwall box to do the firewalling (i.e. an old pc with two network cards in it), which sits between my network and the big nasty internet. This allows the firewall to be configured by the experts, which leaves me free to do the important stuff with the services provided by the server.
Linux user #126863 - see http://linuxcounter.net/
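The reply above hinges on two zone-file details: the zone must be loaded under the name the resolver asks for (example.com, not gateway.example.com), and every name on the right-hand side of a PTR, CNAME, NS or MX record needs its trailing dot, because BIND appends $ORIGIN to any target that lacks one (so "gateway.example.com" inside the reverse zone silently becomes gateway.example.com.0.168.192.in-addr.arpa.). The following linter is an added example, not code from the thread or from BIND: it parses a zone file the way BIND does ($ORIGIN, $TTL, comments, parenthesised SOA, inherited owner names), reports dot-less targets with the name BIND would actually load, and flags owners that fall outside the configured zone. The two sample zones are constructed to mirror the ones posted above, with the first IP of each record set deliberately wrong in one place.

```python
"""Lint a BIND zone file for dot-less record targets and out-of-zone owners.
Added example; the sample zones below are constructed, not copied from the thread."""
import re

TARGET_TYPES = {"CNAME", "NS", "PTR", "MX"}       # rdata ends in a domain name
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)  # optional per-record TTL field


def fqdn(name, origin):
    """Expand a name the way BIND does: '@' is the origin, a trailing dot is
    absolute, anything else gets the current $ORIGIN appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text, zone_origin):
    """Yield (owner, rtype, rdata_tokens, origin_in_effect) per record.
    Handles $ORIGIN/$TTL, ';' comments, '( ... )' continuation groups and
    owner-name inheritance for lines that start with whitespace."""
    origin = zone_origin.rstrip(".") + "."
    buf, indented, last_owner = "", False, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not buf:                                # first line of a record
            indented = line[0] in " \t"
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                               # still inside a ( ... ) group
        tokens = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0].startswith("$"):
            continue                               # $TTL etc. carry no record
        owner = last_owner if indented else fqdn(tokens.pop(0), origin)
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in ("IN", "CH")):
            tokens.pop(0)                          # optional TTL and class
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        last_owner = owner
        yield owner, rtype, tokens, origin


def lint(text, zone_origin):
    """Return a list of findings; an empty list means the file passed."""
    zone = zone_origin.rstrip(".") + "."
    findings = []
    for owner, rtype, rdata, origin in parse_zone(text, zone_origin):
        if owner != zone and not owner.endswith("." + zone):
            findings.append(f"{owner} {rtype}: owner lies outside zone {zone}")
        if rtype in TARGET_TYPES and rdata:
            target = rdata[-1]                     # MX rdata is 'preference target'
            if not target.endswith("."):
                findings.append(
                    f"{owner} {rtype} {target}: missing trailing dot, "
                    f"BIND will load it as {fqdn(target, origin)}"
                )
    return findings


# Constructed sample: reverse zone for 192.168.0.0/24 with one dot-less PTR.
REVERSE_ZONE = """\
$TTL 1D
@    IN SOA gateway.example.com. support.example.com. (
         200612060 ; serial
         2H        ; refresh
         5M        ; retry
         1W        ; expire
         1M )      ; negative TTL
     IN NS  gateway.example.com.
1    IN PTR gateway.example.com
100  IN PTR dhcp00.example.com.
"""

# Constructed sample: forward zone loaded as "example.com" with one bad CNAME.
FORWARD_ZONE = """\
$TTL 1D
$ORIGIN example.com.
@        IN SOA gateway.example.com. support.example.com. ( 1 2H 5M 1W 1M )
@        IN NS  gateway.example.com.
gateway  IN A   192.168.0.1
www      IN CNAME gateway.example.com.
virtual  IN CNAME gateway.example.com
@        IN MX 10 mail.example.com.
"""

if __name__ == "__main__":
    for label, text, zone in (("reverse", REVERSE_ZONE, "0.168.192.in-addr.arpa"),
                              ("forward", FORWARD_ZONE, "example.com")):
        for finding in lint(text, zone):
            print(f"{label}: {finding}")
```

Point `lint()` at the real files (read them with `open()` and pass the zone name from the matching `zone "..."` stanza in named.conf); a clean file produces no findings. BIND's own `named-checkzone zonename file` is the authoritative check and should still be run before `rndc reload`, but it accepts a dot-less target as perfectly valid syntax, which is exactly why the mistake goes unnoticed until a lookup returns the wrong name.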
- 10-13-2008 #3 Just Joined! (Join Date: Aug 2008; Location: Penrose, Colorado; Posts: 5)
I've used smoothwall before, when I wasn't running any services at home, and enjoyed its use.
However I've found that when you have a problem, the people over at smoothwall are nasty vile little creatures who would rather belittle one than help...
That's why I took the leap, and tried other solutions like IPCop and even ClarkConnect before I decided that I needed to do this for myself and "build it".
I'm aware of the security precautions, and I was going to move some of the services over to "bar" as I have obtained a Cobalt RaQ 3 that I was going to house either the LAMP + mail or the shorewall.
The problem is first I need to wrap my little head around this, and get it to work, before I get all fancy.. because I can't even get simple.
See, the problem I'm having is that when I create office.example.com and then try to dig it, it's not listed on the Zone Edit DNS
and therefore not reachable!!!!! If I say office.gateway.example.com it forces Zone Edit to look at my DNS on the system at home.. I don't know how (and/or am not comfortable) in making Zone Edit a slave to my DNS, but if I have to do that, how do I get past the private IP issue?
That's what I'm trying to get my head around.
Last edited by gjdunga; 10-13-2008 at 04:31 PM. Reason: to add details to my update