Recipe 24.18. Configuring a Public BIND DNS Server

24.18.1 Problem

You've set up some servers (mail, web, FTP) that need to be accessible to the outside world. They need domain names, like www.oreilly.com, since you don't want people using IP addresses. You want to run your own DNS server to provide those names. Why? Perhaps you're not convinced your ISP is reliable, or perhaps you just like things under your own control. Or maybe you're just a glutton for punishment. Whatever the reason, you've decided to use BIND. So how do you make it go?

24.18.2 Solution

Follow the preparatory steps in Recipe 24.6. Table 24-3 shows the public servers for this recipe.
First of all, BIND needs a named.conf file:

    // named.conf for public services
    // at windbag.net
    options {
        directory "/var/named";
        allow-query { any; };   // anyone may query the zones we are authoritative for
        recursion no;           // authoritative only: never resolve other domains for the public
    };
    zone "." IN {
        type hint;
        file "named.root";
    };
    zone "localhost" IN {
        type master;
        file "zone.localhost";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "revp.127.0.0";
        allow-update { none; };
    };
    zone "windbag.net" IN {
        type master;
        file "zone.net.windbag";
    };
    zone "239.201.208.in-addr.arpa" {
        type master;
        file "revp.208.201.239";
    };

Next, fetch a current copy of named.root from ftp://ftp.internic.net/domain, and put it in /var/named. Then create the zone files: zone.localhost, revp.127.0.0, zone.net.windbag, and revp.208.201.239. You can copy zone.localhost and revp.127.0.0 from Recipe 24.15. Here are sample zone.net.windbag and revp.208.201.239 files (note that zone files take ";" comments, not the "//" comments used in named.conf):

    ; zone.net.windbag
    ; public DNS zone for windbag.net
    ;
    $ORIGIN windbag.net.
    $TTL 1D
    ; any time you make a change to the domain, bump the
    ; "serial" setting below. the format is easy:
    ; YYYYMMDDI, with the I being an iterator in case you
    ; make more than one change during any one day
    @       IN SOA  catmint hostmaster (
                    200405191   ; serial
                    8H          ; refresh
                    4H          ; retry
                    4W          ; expire
                    1D )        ; minimum
    ; define the authoritative name server
            NS      catmint
    ; define domain functions with CNAMEs
    ftp     CNAME   henbane
    www     CNAME   henbane
    ; our hostnames, in alphabetical order
    catmint A       208.201.239.45
    henbane A       208.201.239.46

And finally, here are the reverse lookups for the domain in the revp.208.201.239 file:

    ; revp.208.201.239
    ; reverse pointers for 208.201.239 subnet
    ;
    $ORIGIN 239.201.208.in-addr.arpa.
    $TTL 1D
    @       IN SOA  catmint.windbag.net. hostmaster.windbag.net. (
                    200405190   ; serial
                    28800       ; refresh (8 hours)
                    14400       ; retry (4 hours)
                    2419200     ; expire (4 weeks)
                    86400 )     ; minimum (1 day)
    ; define the authoritative name server
            NS      catmint.windbag.net.
    ; our hosts, in numeric order
    45      PTR     catmint.windbag.net.
    46      PTR     henbane.windbag.net.
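Before installing the two files, it is worth confirming that every A record in zone.net.windbag has a matching PTR in revp.208.201.239 and vice versa, since a stale or mistyped reverse entry is a classic cause of rejected mail. The script below is an added example, not code from the recipe or from BIND; it parses only the simple record forms these two files use, and its sample input is a cut-down copy of the recipe's own zones.

```python
# Added example, not code from the recipe or from BIND: cross-check a forward
# zone's A records against the reverse zone's PTRs. The parser handles only the
# record forms the two zone files above use; it is not a full zone-file parser.
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT"}

def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if line.strip() or depth:
            buf.append(line)
            depth += line.count("(") - line.count(")")
            if depth == 0:
                yield " ".join(buf)
                buf = []

def parse_zone(text):
    """Return [(owner_fqdn, rtype, rdata_tokens)] for a simple master zone file."""
    fqdn = lambda n: origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    origin, owner, records = "", None, []
    for line in _logical_lines(text):
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
        if toks[0].startswith("$"):              # directives define no record
            continue
        if not line[0].isspace():                # blank owner field = previous owner
            owner = fqdn(toks.pop(0))
        while toks and toks[0] not in TYPES:     # skip optional TTL and class
            toks.pop(0)
        if toks:
            rdata = [fqdn(toks[1])] if toks[0] in ("NS", "CNAME", "PTR") else toks[1:]
            records.append((owner, toks[0], rdata))
    return records

def check_forward_reverse(forward_text, reverse_text):
    """Return (A records with no matching PTR, PTRs with no matching A record)."""
    a_set = {(o, r[0]) for o, t, r in parse_zone(forward_text) if t == "A"}
    ptr_set = set()
    for owner, rtype, rdata in parse_zone(reverse_text):
        if rtype == "PTR":
            octets = owner.rstrip(".").split(".")[:-2]   # drop in-addr.arpa
            ptr_set.add((rdata[0], ".".join(reversed(octets))))
    return sorted(a_set - ptr_set), sorted(ptr_set - a_set)

# Sample input: the recipe's two zones, cut down to the records the check uses.
FORWARD = ("$ORIGIN windbag.net.\n@ IN SOA catmint hostmaster ( 200405191 ; serial\n"
           "  8H 4H 4W 1D )\n  NS catmint\ncatmint A 208.201.239.45\nhenbane A 208.201.239.46\n")
REVERSE = "$ORIGIN 239.201.208.in-addr.arpa.\n45 PTR catmint.windbag.net.\n46 PTR henbane.windbag.net.\n"
```

Run it on the real files with open("/var/named/zone.net.windbag").read() and the matching reverse file; two empty lists mean forward and reverse agree, and anything else names the host and address that need fixing before you bump the serial.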
Stuff all these files into /var/named and restart BIND:

    # /etc/init.d/named restart

Your new DNS server is now in business.

24.18.3 Discussion

Remember to use the syntax-checkers discussed in Recipe 24.17; the most common BIND problems are caused by typos.

Never use the same BIND authoritative server for both private, internal hosts and public, external hosts. The outside world does not need a direct pipeline to workstations, private servers, networked printers, or other internal resources. Providing both private and public name services from the same DNS server is called "split horizon." With older versions of BIND, which no one should be using anyway, it's nearly impossible to implement a split horizon setup sanely. You're better off having two completely separate servers.

BIND 9 introduces "views," which are supposed to make it easier to implement a split horizon setup. In my opinion, it's still easier and more secure to use two separate BIND servers for private and public hosts. The easiest way of all is to use djbdns (see Recipe 24.11 and Section 24.12).

To learn more about BIND 9 views, see Chapter 10 of DNS and BIND, Fourth Edition, by those masters of BIND, Paul Albitz and Cricket Liu (O'Reilly).

24.18.4 See Also