My setup is as follows: I have registered "mclure.org" as my domain name
(right now it points to domaindiscover's nameservers). I have one machine
with a static IP address of 64.81.20.149 with name "leng.mclure.org" that
will be visible to the outside and will run my nameserver. This machine
is also a firewall/NAT gateway with an internal address of 10.1.1.1. I
want to provide two zones: "mclure.org" will be visible from the Internet
and will consist only of "leng.mclure.org" (with some CNAME records) -
slave DNS for "mclure.org" will be done by ns1.speakeasy.net (IP address
216.254.0.9). My ISP will take care of the reverse DNS (64.81.20.149 to
"leng.mclure.org").
I also want to maintain a zone "internal.mclure.org" for the machines
on the internal masqueraded network (10.1.1/24). There will be no slave
DNS for "internal.mclure.org" (it's not worth it for three machines),
and it will not be visible from the Internet. The DNS server is also
serving as a caching server for all the internal machines.
I *think* the following files will do the trick, but I want to make
sure. One thing that worries me is that even though "ns1.speakeasy.net" is
listed in an NS record, I don't see where I can put an A record for it (is
it necessary to put in an A record for all machines listed in NS records?)
Another worry is that I don't have any delegation records from mclure.org
to internal.mclure.org. Since the same DNS server is serving both domains,
I don't *think* I need one, but...
I would really appreciate having the DNS gurus check these files over
before I start up a DNS server and screw up horribly. What am I missing?
Here are the files:
------------------------ /etc/named.conf ----------------------------------
options {
    directory "/var/named";
    allow-transfer {
        10.1.1/24;
    };
    allow-query {
        10.1.1/24;
    };
    allow-recursion {
        10.1.1/24;
    };
};
zone "." {
    type hint;
    file "root.cache";
};
zone "mclure.org" {
    type master;
    file "zone/mclure.org.db";
    allow-transfer {
        216.254.0.9;
    };
    allow-query {
        any;
    };
};
zone "internal.mclure.org" {
    type master;
    file "zone/internal.mclure.org.db";
    allow-transfer {
        10.1.1/24;
    };
    allow-query {
        10.1.1/24;
    };
};
zone "1.1.10.IN-ADDR.ARPA" {
    type master;
    file "zone/10.1.1.db";
    allow-transfer {
        10.1.1/24;
    };
    allow-query {
        10.1.1/24;
    };
};
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "zone/127.0.0.db";
    allow-transfer {
        10.1.1/24;
    };
    allow-query {
        10.1.1/24;
    };
};
---------------------------------------------------------------------------
--------------- /var/named/zone/10.1.1.db ---------------------------------
$TTL 86400
@ IN SOA leng.internal.mclure.org. root.leng.internal.mclure.org. (
2000062200 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; default_ttl
)
@ IN NS leng.internal.mclure.org.
2 IN PTR ulthar.internal.mclure.org.
3 IN PTR roach.internal.mclure.org.
1 IN PTR leng.internal.mclure.org.
---------------------------------------------------------------------------
--------------- /var/named/zone/127.0.0.db --------------------------------
$TTL 86400
@ IN SOA leng.internal.mclure.org. root.leng.internal.mclure.org. (
2000062004 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; default_ttl
)
@ IN NS leng.internal.mclure.org.
1 IN PTR localhost
---------------------------------------------------------------------------
--------------- /var/named/zone/internal.mclure.org.db --------------------
$TTL 86400
@ IN SOA leng.internal.mclure.org. root.leng.internal.mclure.org. (
2000062004 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; default_ttl
)
localhost IN A 127.0.0.1
ulthar IN A 10.1.1.2
ulthar IN HINFO "Celeron" "Linux 2.2.14"
roach IN A 10.1.1.3
roach IN HINFO "AMD K6-3" "Windows 98"
leng IN HINFO "Pentium MMX" "Linux 2.2.14"
news IN CNAME leng
mail IN CNAME leng
leng IN A 10.1.1.1
@ IN NS leng.internal.mclure.org.
---------------------------------------------------------------------------
--------------- /var/named/zone/mclure.org.db -----------------------------
$TTL 86400
@ IN SOA leng.mclure.org. root.leng.mclure.org. (
2000062004 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; default_ttl
)
leng IN HINFO "Pentium MMX" "Linux 2.2.14"
news IN CNAME leng
mail IN CNAME leng
www IN CNAME leng
leng IN A 64.81.20.149
@ IN NS leng.mclure.org.
    IN NS ns1.speakeasy.net.
    IN MX 0 leng.mclure.org.
leng.mclure.org. IN MX 0 leng.mclure.org.
---------------------------------------------------------------------------
Thanks!
--
Manuel A. McLure KE6TAW | ...for in Ulthar, according to an ancient
<man...@mclure.org> | and significant law, no man may kill a cat.
<http://www.mclure.org> | -- H.P. Lovecraft
I think "internal." is better.
> zone "internal.mclure.org" {
> type master;
> file "zone/internal.mclure.org.db";
> allow-transfer {
> 10.1.1/24;
> };
> allow-query {
> 10.1.1/24;
> };
> };
I'll change to:
zone "internal." {
type master;
file "zone/internal.db";
allow-transfer {
10.1.1/24;
};
allow-query {
10.1.1/24;
};
};
> --------------- /var/named/zone/10.1.1.db ---------------------------------
> $TTL 86400
> @ IN SOA leng.internal.mclure.org. root.leng.internal.mclure.org. (
> 2000062200 ; serial
> 28800 ; refresh
> 7200 ; retry
> 604800 ; expire
> 86400 ; default_ttl
> )
> @ IN NS leng.internal.mclure.org.
> 2 IN PTR ulthar.internal.mclure.org.
> 3 IN PTR roach.internal.mclure.org.
> 1 IN PTR leng.internal.mclure.org.
> ---------------------------------------------------------------------------
I'll change to:
--------------- /var/named/zone/10.1.1.db ---------------------------------
$TTL 86400
@ IN SOA leng.mclure.org. root.leng.mclure.org. (
2000062200 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; default_ttl
)
@ IN NS leng.internal.
2 IN PTR ulthar.internal.
3 IN PTR roach.internal.
1 IN PTR leng.internal.
---------------------------------------------------------------------------
> --------------- /var/named/zone/127.0.0.db --------------------------------
> $TTL 86400
> @ IN SOA leng.internal.mclure.org. root.leng.internal.mclure.org. (
> 2000062004 ; serial
> 28800 ; refresh
> 7200 ; retry
> 604800 ; expire
> 86400 ; default_ttl
> )
> @ IN NS leng.internal.mclure.org.
> 1 IN PTR localhost
!! The trailing DOT !!
> ---------------------------------------------------------------------------
--------------- /var/named/zone/127.0.0.db --------------------------------
$TTL 86400
@ IN SOA leng.mclure.org. root.leng.mclure.org. (
2000062004 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; default_ttl
)
@ IN NS leng.internal.
1 IN PTR localhost.
---------------------------------------------------------------------------
> --------------- /var/named/zone/internal.mclure.org.db --------------------
> $TTL 86400
> @ IN SOA leng.internal.mclure.org. root.leng.internal.mclure.org. (
> 2000062004 ; serial
> 28800 ; refresh
> 7200 ; retry
> 604800 ; expire
> 86400 ; default_ttl
> )
> localhost IN A 127.0.0.1
> ulthar IN A 10.1.1.2
> ulthar IN HINFO "Celeron" "Linux 2.2.14"
> roach IN A 10.1.1.3
> roach IN HINFO "AMD K6-3" "Windows 98"
> leng IN HINFO "Pentium MMX" "Linux 2.2.14"
> news IN CNAME leng
> mail IN CNAME leng
> leng IN A 10.1.1.1
> @ IN NS leng.internal.mclure.org.
> ---------------------------------------------------------------------------
--------------- /var/named/zone/internal.db --------------------
$TTL 86400
@ IN SOA leng.mclure.org. root.leng.mclure.org. (
2000062004 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; default_ttl
)
@ IN NS leng.mclure.org.
localhost IN A 127.0.0.1
ulthar IN A 10.1.1.2
ulthar IN HINFO "Celeron" "Linux 2.2.14"
roach IN A 10.1.1.3
roach IN HINFO "AMD K6-3" "Windows 98"
leng IN HINFO "Pentium MMX" "Linux 2.2.14"
news IN CNAME leng
; mail IN CNAME leng
; in fact there is no MX record for internal, so why such an RR?
leng IN A 10.1.1.1
---------------------------------------------------------------------------
> --------------- /var/named/zone/mclure.org.db -----------------------------
> $TTL 86400
> @ IN SOA leng.mclure.org. root.leng.mclure.org. (
> 2000062004 ; serial
> 28800 ; refresh
> 7200 ; retry
> 604800 ; expire
> 86400 ; default_ttl
> )
> leng IN HINFO "Pentium MMX" "Linux 2.2.14"
> news IN CNAME leng
> mail IN CNAME leng
I would comment this out; in fact it's not an error, I simply don't like it.
> www IN CNAME leng
> leng IN A 64.81.20.149
> @ IN NS leng.mclure.org.
> IN NS ns1.speakeasy.net.
> IN MX 0 leng.mclure.org.
> leng.mclure.org. IN MX 0 leng.mclure.org.
Since the subdomain leng has an A record, the last RR is not needed.
--
Ciao, Maurizio.
Why? Is there any requirement that the internal zone not be a subdomain of
an external zone? Is it to avoid the requirement of adding a glue record?
[SNIP]
Oops - you're right. I've fixed that.
leng.internal.mclure.org will be a POP/IMAP server for the internal machines;
I want people to be able to get to it as "mail.internal.mclure.org".
>
>> --------------- /var/named/zone/mclure.org.db -----------------------------
>> $TTL 86400
>> @ IN SOA leng.mclure.org. root.leng.mclure.org. (
>> 2000062004 ; serial
>> 28800 ; refresh
>> 7200 ; retry
>> 604800 ; expire
>> 86400 ; default_ttl
>> )
>> leng IN HINFO "Pentium MMX" "Linux 2.2.14"
>> news IN CNAME leng
>> mail IN CNAME leng
>
>I would comment this out; in fact it's not an error, I simply don't like it.
>
>> www IN CNAME leng
>> leng IN A 64.81.20.149
>> @ IN NS leng.mclure.org.
>> IN NS ns1.speakeasy.net.
>> IN MX 0 leng.mclure.org.
>> leng.mclure.org. IN MX 0 leng.mclure.org.
>
>Since the subdomain leng has an A record, the last RR is not needed.
I'm following the DNS and BIND book, which suggests adding an MX record
for each mail host pointing to itself.
In this case you don't tell the world that you have an internal LAN.
> >Since the subdomain leng has an A record, the last RR is not needed.
> I'm following the DNS and BIND book, which suggests adding an MX record
> for each mail host pointing to itself.
At page 94 it seems that a particular MTA may have some problem when the
MX record is missing; in fact RFC 974 states (pages 4/5):
It is possible that the list of MXs in the response to the query will
be empty. This is a special case. If the list is empty, mailers
should treat it as if it contained one RR, an MX RR with a preference
value of 0, and a host name of REMOTE. (I.e., REMOTE is its only
MX). In addition, the mailer should do no further processing on the
list, but should attempt to deliver the message to REMOTE. The idea
here is that if a domain fails to advertise any information about a
particular name we will give it the benefit of the doubt and attempt
delivery.
I think that this means that every host is the mail exchanger for itself.
--
Ciao, Maurizio.
If I decide to add a slave nameserver in my internal net I might. I should
probably set this to "allow-transfer { none; };" until that happens.
>> allow-query {
>> 10.1.1/24;
>> };
>You're only going to allow queries from your internal net?
>
I want only "mclure.org" to be queried from outside - and I have an
"allow-query { any; };" for that zone. So I'm setting the restriction
as a default.
>>zone "internal.mclure.org" {
>> type master;
>> file "zone/internal.mclure.org.db";
>> allow-transfer {
>> 10.1.1/24;
>if you're not running a server on the internal net, then you won't be doing transfers.
Yeah - I'll set this to "allow-transfer { none; };" unless I add
a slave internally.
[SNIP]
>>zone "0.0.127.IN-ADDR.ARPA" {
>> type master;
>> file "zone/127.0.0.db";
>> allow-transfer {
>> 10.1.1/24;
>> };
>You won't transfer this, 127.0.0.1 is the LOCALHOST (each machine is its own localhost)
>> allow-query {
>> 10.1.1/24;
>> };
>You won't query this from another machine either.
I'm making sure I protect against incorrectly set up nsswitch.conf files on
the clients.
[SNIP]
>>--------------- /var/named/zone/mclure.org.db -----------------------------
>>$TTL 86400
>>@ IN SOA leng.mclure.org. root.leng.mclure.org. (
>> 2000062004 ; serial
>> 28800 ; refresh
>> 7200 ; retry
>> 604800 ; expire
>> 86400 ; default_ttl
>> )
>>leng IN HINFO "Pentium MMX" "Linux 2.2.14"
>>news IN CNAME leng
>>mail IN CNAME leng
>>www IN CNAME leng
>>leng IN A 64.81.20.149
>>@ IN NS leng.mclure.org.
>> IN NS ns1.speakeasy.net.
>> IN MX 0 leng.mclure.org.
>>leng.mclure.org. IN MX 0 leng.mclure.org.
>@ IN A 64.81.20.149
>For good measure. :-)
That way "mclure.org" will resolve to the same address as "leng.mclure.org",
right?
>
>Looks pretty good and I'm sure I might have missed something <g>. Fire it up and check for errors. You won't break anything with
>these files.
>
>BTW, what does your resolv.conf file look like?
Like this:
domain internal.mclure.org
search internal.mclure.org
nameserver 10.1.1.1
internal.mclure.org is query-restricted to only the inside machines.
>
>
>> >Since the subdomain leng has an A record, the last RR is not needed.
>> I'm following the DNS and BIND book, which suggests adding an MX record
>> for each mail host pointing to itself.
>
>
>At page 94 it seems that a particular MTA may have some problem when the
>MX record is missing; in fact RFC 974 states (pages 4/5):
>
> It is possible that the list of MXs in the response to the query will
> be empty. This is a special case. If the list is empty, mailers
> should treat it as if it contained one RR, an MX RR with a preference
> value of 0, and a host name of REMOTE. (I.e., REMOTE is its only
> MX). In addition, the mailer should do no further processing on the
> list, but should attempt to deliver the message to REMOTE. The idea
> here is that if a domain fails to advertise any information about a
> particular name we will give it the benefit of the doubt and attempt
> delivery.
>
>
>I think that this means that every host is the mail exchanger for itself.
I think you're probably right, but it doesn't seem to hurt, so I'll leave
it in in case someone with a broken MTA tries to send me email :-)