
Recipe 24.18. Configuring a Public BIND DNS Server

24.18.1 Problem

You've set up some servers (mail, web, FTP) that need to be accessible to the outside world. They need domain names, like www.oreilly.com, since you don't want people using IP addresses. You want to run your own DNS server to provide those names. Why? Perhaps you're not convinced your ISP is reliable, or perhaps you just like things under your own control. Or maybe you're just a glutton for punishment. Whatever the reason, you've decided to use BIND. So how do you make it go?

24.18.2 Solution

Follow the preparatory steps in Recipe 24.6. Table 24-3 shows the public servers for this recipe.

Table 24-3. Public servers

Address          Hostname   Role              Aliases
208.201.239.45   catmint    Public DNS
208.201.239.46   henbane    Public FTP, WWW   ftp, www


First of all, BIND needs a named.conf file:

// named.conf for public services
// at windbag.net

options {
     directory "/var/named";
     allow-query { any; };
     // authoritative only: never recurse on behalf of outside clients
     recursion no;
     // a single name server and no secondaries, so refuse zone
     // transfers (AXFR) to everyone; list your secondaries here if you add any
     allow-transfer { none; };
};

zone "." IN {
     type hint;
     file "named.root";
};

zone "localhost" IN {
  type master;
  file "zone.localhost";
  allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
  type master;
  file "revp.127.0.0";
  allow-update { none; };
};

zone "windbag.net" IN {
  type master;
  file "zone.net.windbag";
  allow-update { none; };
};

zone "239.201.208.in-addr.arpa" IN {
  type master;
  file "revp.208.201.239";
  allow-update { none; };
};

Next, fetch a current copy of named.root from ftp://ftp.internic.net/domain, and put it in /var/named.

Then create the zone files: zone.localhost, revp.127.0.0, zone.net.windbag, and revp.208.201.239. You can copy zone.localhost and revp.127.0.0 from Recipe 24.15.

Here is a sample zone.net.windbag file. Note that comments in zone files start with a semicolon; the // style that named.conf accepts is not valid in a zone file:

; zone.net.windbag
; public dns zone for windbag.net
;
$ORIGIN windbag.net.
$TTL 1D
; any time you make a change to the domain, bump the
; "serial" setting below. the format is easy:
; YYYYMMDDI, with the I being an iterator in case you
; make more than one change during any one day
@     IN SOA   catmint hostmaster (
                        200405191 ; serial
                        8H        ; refresh
                        4H        ; retry
                        4W        ; expire
                        1D )      ; minimum
; define the authoritative name server
                NS      catmint
; define domain functions with CNAMEs
ftp             CNAME   henbane
www             CNAME   henbane
; our hostnames, in alphabetical order
catmint             A       208.201.239.45
henbane             A       208.201.239.46

And finally, here are the reverse lookups for the domain in the revp.208.201.239 file:

;  revp.208.201.239
; reverse pointers for 208.201.239 subnet
;
$ORIGIN 239.201.208.in-addr.arpa.
$TTL 1D
@     IN SOA  catmint.windbag.net. hostmaster.windbag.net. (
              200405190  ; serial
              28800      ; refresh (8 hours)
              14400      ; retry (4 hours)
              2419200    ; expire (4 weeks)
              86400      ; minimum (1 day)
              )
; define the authoritative name server
          NS      catmint.windbag.net.
; our hosts, in numeric order
45         PTR        catmint.windbag.net.
46         PTR        henbane.windbag.net.
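The forward and reverse files are easy to get subtly wrong: a PTR with no matching A, a CNAME pointing at a host that has no address, an NS record whose host has no A record. named-checkzone validates one file at a time, so it cannot tell you whether the two zones agree with each other. What follows is an added example, not code from this recipe or from BIND: a small Python checker that parses both master files as written above (semicolon comments, parenthesised SOA, and blank-owner lines included), verifies that every A has its PTR and every PTR its A, that CNAME and in-zone NS targets are real hosts, and computes the next serial under the YYYYMMDDI convention the zone comment describes. It assumes one A record per host and IPv4 (in-addr.arpa) reverse zones only; the embedded zone text is constructed sample input copied from the files above.

```python
"""Consistency checks for BIND zone files, run on the windbag.net example.
Added example, not code from the recipe or from BIND: assumes one A record
per host and IPv4 (in-addr.arpa) reverse zones only."""
import re
from datetime import date

# Constructed sample input: the two master files from this recipe.
FORWARD_ZONE = """\
$ORIGIN windbag.net.
$TTL 1D
@     IN SOA   catmint hostmaster (
                        200405191 8H 4H 4W 1D )  ; serial refresh retry expire min
                NS      catmint
ftp             CNAME   henbane
www             CNAME   henbane
catmint             A       208.201.239.45
henbane             A       208.201.239.46
"""
REVERSE_ZONE = """\
$ORIGIN 239.201.208.in-addr.arpa.
$TTL 1D
@     IN SOA  catmint.windbag.net. hostmaster.windbag.net. (
              200405190 28800 14400 2419200 86400 )
          NS      catmint.windbag.net.
45         PTR        catmint.windbag.net.
46         PTR        henbane.windbag.net.
"""
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)   # 3600, 8H, 1D, 4W ...
CLASSES = {"IN", "CH", "HS"}

def _fqdn(name, origin):
    """'@' is the origin, 'foo' is foo.<origin>, 'foo.' is already absolute."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=""):
    """Return (owner, type, rdata) triples with every name fully qualified.
    Handles $ORIGIN, ';' comments, '(' ')' continuation lines and the rule that
    a line starting with whitespace reuses the previous owner name."""
    records, pending, depth, owner = [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                       # drop the comment
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        pending.append(line)
        if depth > 0:                                     # still inside ( ... )
            continue
        full, pending = " ".join(pending), []
        tokens = full.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):                     # $ORIGIN / $TTL directives
            origin = tokens[1] if tokens[0].upper() == "$ORIGIN" else origin
            continue
        if not full[0].isspace():                         # explicit owner name
            owner, tokens = _fqdn(tokens[0], origin), tokens[1:]
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES):
            tokens.pop(0)                                 # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [_fqdn(rdata[0], origin)]
        elif rtype == "SOA":                              # MNAME, RNAME, then numbers
            rdata = [_fqdn(rdata[0], origin), _fqdn(rdata[1], origin)] + rdata[2:]
        records.append((owner, rtype, rdata))
    return records

def soa_serial(records):                                  # serial is the 3rd SOA field
    return next(int(r[2]) for _, t, r in records if t == "SOA")

def next_serial(current, today=None):
    """Next YYYYMMDDI serial (today given as 'YYYYMMDD'): today's date with
    iterator 0, or current+1 if the zone already changed today or is ahead."""
    candidate = int(today or date.today().strftime("%Y%m%d")) * 10
    return candidate if candidate > current else current + 1

def ptr_to_ip(owner):             # '45.239.201.208.in-addr.arpa.' -> '208.201.239.45'
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))

def cross_check(forward, reverse):
    """Return a list of problems; an empty list means the two zones agree."""
    problems = []
    apex = next(o for o, t, _ in forward if t == "SOA")
    a_map = {o: r[0] for o, t, r in forward if t == "A"}          # name -> IP
    ptr_map = {ptr_to_ip(o): r[0] for o, t, r in reverse if t == "PTR"}  # IP -> name
    for owner, rtype, rdata in forward:
        if rtype == "CNAME" and rdata[0] not in a_map:
            problems.append(f"CNAME {owner} -> {rdata[0]}: target has no A record")
        if rtype == "NS" and rdata[0].endswith("." + apex) and rdata[0] not in a_map:
            problems.append(f"NS {rdata[0]}: in-zone name server needs an A record")
    for name, ip in a_map.items():                                # every A needs its PTR
        if ptr_map.get(ip) != name:
            problems.append(f"A {name} {ip}: no matching PTR")
    for ip, name in ptr_map.items():                              # and every PTR its A
        if a_map.get(name) != ip:
            problems.append(f"PTR {ip} -> {name}: no matching A")
    return problems

if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
    print("serial", soa_serial(fwd), "-> next", next_serial(soa_serial(fwd)))
    print("problems:", cross_check(fwd, rev) or "none")
```

To use it on the real files, replace the two embedded strings with the contents of zone.net.windbag and revp.208.201.239; a non-empty problem list is a good reason not to restart named yet.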

Stuff all these files into /var/named and restart BIND:

# /etc/init.d/named restart

Your new DNS server is now in business.

24.18.3 Discussion

Remember to use the syntax-checkers discussed in Recipe 24.17; the most common BIND problems are caused by typos.

Never serve private, internal host names and public, external ones from the same authoritative BIND server. The outside world has no business learning the names and addresses of workstations, private servers, networked printers, or other internal resources.

Answering the same name differently for internal and external clients from one DNS server is called "split horizon" DNS. Versions of BIND before 9, which no one should be running anyway, have no sane way to do it. You're better off having two completely separate servers.

BIND 9 introduces "views," which are supposed to make it easier to implement a split horizon setup. Views pick the zone data by the client's source address, so a mistake in the order of the match-clients lists, or a query that reaches the server from an internal address, hands out the internal data. In my opinion, it's still easier and more secure to use two separate BIND servers for private and public hosts. The easiest way of all is to use djbdns (see Recipe 24.11 and Section 24.12).

To learn more about BIND 9 views, see Chapter 10 of DNS and BIND, Fourth Edition, by those masters of BIND, Paul Albitz and Cricket Liu (O'Reilly).

24.18.4 See Also

  • named(8), named.conf(5)

  • Chapter 3 of the BIND 9 Administrator Reference Manual (http://www.bind9.net/Bv9ARM.html)

  • Chapter 10 of DNS and BIND, Fourth Edition

  • Appendix C of TCP/IP Network Administration, Third Edition
