Next: Sendmail Up: DNS Previous: Changes on the

Changes on the Internal Root Nameserver(s)

First, create a special version of the cache file for your internal root nameserver(s). Unlike the cache file on your G Box, this file contains no references to the Internet root nameservers; it contains only a reference to the nameserver running on the G Box. Here is an example (substitute your G Box's hostname and IP address for the placeholders gbox.your.domain and 123.45.67.89):

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; initial cache data for internal root domain servers
;
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
.                   99999999 IN NS gbox.your.domain.
gbox.your.domain.   99999999 IN A  123.45.67.89

As we shall see below, the purpose of this abbreviated cache file is to keep the internal root nameserver(s) ignorant of the DNS system in the outside (Internet) world, so that the only place they can turn for hostnames they cannot resolve themselves is your G Box.

Second, create the named.boot file on your internal root nameserver(s) with a forwarders line pointing at the G Box. Here is an example (substitute your own domain name, network number and G Box address):

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; named.boot file for internal root nameserver
;
primary    your.domain              db.domain
primary    67.45.123.in-addr.arpa   db.123.45.67   ; reverse zone for network 123.45.67
primary    0.0.127.in-addr.arpa     db.127.0.0
forwarders 123.45.67.89                            ; IP address of G Box
cache      .                        named.cache    ; file with limited cache data

See your DNS documentation for the format of the files we've named db.something in this example. Note that a forwarders line alone does not make named forward-only: if the G Box fails to answer, named falls back on the nameservers listed in its cache file (to make it forward-only as well, BIND 4.8 uses the slave directive and BIND 4.9 the line "options forward-only"). With the abbreviated cache file above, the fallback data also points only at the G Box, so nothing leaks either way; the fallback would only become dangerous if a full Internet cache file ever found its way onto the internal server.

Note here that the internal root nameserver is designated as the primary nameserver for your domain. You will recall that the named.boot file on the G Box also designates the G Box as your domain's primary server. Both are correct in this configuration. To your internal hosts, the internal root nameserver is in fact primary for your domain. To the Internet at large, the G Box nameserver is the primary, and it serves only the limited picture of your secured network that you choose to publish. In other words, you are purposely presenting incomplete information about your network to the outside world while keeping the complete information private on the internal root nameserver. Keep the two sets of zone files separate: never simply copy the internal zone files onto the G Box, or the complete picture becomes public.

The third step in setting up your dual-level DNS system is to create all your other DNS database files (the db.something files noted above) on your internal root nameserver(s), as you normally would, listing all the hosts in your domain. Create these files exactly as your DNS documentation instructs. With these files in place, your internal nameservers resolve all internal hostnames without asking the nameserver on the G Box for help. One tool that helps is h2n, a Perl script that converts your /etc/hosts file into DNS database files (Perl itself is freely distributable and available at most major anonymous ftp sites). h2n is available via anonymous ftp from ftp.uu.net in the directory /published/oreilly/nutshell/dnsbind. HP-UX users can use the HP-specific tool hosts_to_named to accomplish the same objective.

Last, create the resolv.conf file on your internal root nameserver(s), like this:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; resolv.conf file for the internal root nameserver
;
domain your.domain
# this machine
nameserver 127.0.0.1
# IP address of other internal root nameserver
nameserver 123.56.76.123
# IP address of G Box
nameserver 123.45.67.89

This file governs the resolver library on the internal root nameserver itself (the named process takes its instructions from named.boot, not from resolv.conf). Its own lookups go first to the local named, then to any other internal root nameserver (if you have installed more than one), and finally to the G Box, so hostnames outside the internal, protected network are still resolvable from this machine even if its local named is down. Keep in mind that the standard resolver uses at most three nameserver lines; any beyond the third are ignored.

As a final step, copy the resolv.conf file from your internal root nameserver to all of your internal clients, replacing the 127.0.0.1 line with the IP address of that internal root nameserver, so that every client lists all of your internal root nameservers ahead of the G Box.
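The four steps above are easy to get subtly wrong (an Internet root hint left in the internal cache file, a forwarders line that points somewhere other than the G Box, a client resolv.conf that lists the G Box first). The following script is an added example, not part of this page or of the Eagle software: it parses a BIND 4 named.boot, the abbreviated cache file and a resolv.conf for an internal root nameserver and reports anything that would give the internal server knowledge of the outside DNS system or let lookups bypass the G Box. The file contents embedded in it are constructed samples using the same placeholders as this page (your.domain, 123.45.67.89 for the G Box); the function and finding names are the example's own.

```python
"""Offline lint for the internal-root-nameserver files of a dual-level DNS setup.

Added example (not part of the original document or the Eagle product).
All file contents below are constructed samples; 123.45.67.89 is the
page's placeholder address for the G Box.
"""
import ipaddress

GBOX_IP = "123.45.67.89"
MAXNS = 3  # the BSD resolver ignores nameserver lines beyond the third


def _strip(line, comment_chars=";#"):
    """Drop a trailing comment (';' or '#') and surrounding whitespace."""
    for ch in comment_chars:
        line = line.split(ch, 1)[0]
    return line.strip()


def parse_boot(text):
    """named.boot -> list of (directive, [args]); ';' starts a comment."""
    out = []
    for raw in text.splitlines():
        line = _strip(raw, ";")
        if line:
            parts = line.split()
            out.append((parts[0].lower(), parts[1:]))
    return out


def parse_cache(text):
    """Cache file -> list of (owner, type, rdata); owner '.' becomes ''."""
    rrs = []
    for raw in text.splitlines():
        line = _strip(raw, ";")
        if line:
            parts = line.split()  # owner ttl class type rdata
            rrs.append((parts[0].rstrip(".").lower(),
                        parts[-2].upper(),
                        parts[-1].rstrip(".").lower()))
    return rrs


def parse_resolv(text):
    """resolv.conf -> nameserver addresses in file order."""
    servers = []
    for raw in text.splitlines():
        line = _strip(raw)
        if line.lower().startswith("nameserver"):
            servers.append(line.split()[1])
    return servers


def check_internal_root(boot_text, cache_text, resolv_text, gbox_ip):
    """Return a list of findings; an empty list means the files match the design."""
    findings = []
    boot = parse_boot(boot_text)
    rrs = parse_cache(cache_text)

    # 1. The abbreviated cache may name only the G Box as root nameserver.
    a_records = {o: r for o, t, r in rrs if t == "A"}
    root_ns = [r for o, t, r in rrs if t == "NS" and o == ""]
    if not root_ns:
        findings.append("cache: no NS record for '.'")
    for ns in root_ns:
        if a_records.get(ns) != gbox_ip:
            findings.append(f"cache: root NS {ns} -> {a_records.get(ns)} is not the G Box {gbox_ip}")

    # 2. named.boot must load that cache and forward only to the G Box.
    if not any(d == "cache" and args[:1] == ["."] for d, args in boot):
        findings.append("named.boot: no 'cache .' line")
    forwarders = [ip for d, args in boot if d == "forwarders" for ip in args]
    if gbox_ip not in forwarders:
        findings.append("named.boot: forwarders does not include the G Box")
    for ip in forwarders:
        if ip != gbox_ip:
            findings.append(f"named.boot: forwarder {ip} bypasses the G Box")
    if not any(d == "primary" for d, _ in boot):
        findings.append("named.boot: no primary zones; internal names would be forwarded to the G Box")

    # 3. resolv.conf: this machine first, the G Box as last resort, at most MAXNS entries.
    servers = parse_resolv(resolv_text)
    for ip in servers:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"resolv.conf: bad address {ip!r}")
    if servers[:1] != ["127.0.0.1"]:
        findings.append("resolv.conf: first nameserver should be 127.0.0.1 (this machine)")
    if gbox_ip not in servers[:MAXNS]:
        findings.append(f"resolv.conf: the G Box is not among the first {MAXNS} nameservers")
    elif servers[-1] != gbox_ip:
        findings.append("resolv.conf: the G Box should be the last resort, not ahead of internal servers")
    if len(servers) > MAXNS:
        findings.append(f"resolv.conf: {len(servers)} nameservers listed; the resolver uses only {MAXNS}")
    return findings


# Constructed sample files matching the page's examples.
GOOD_CACHE = """
; abbreviated cache: only the G Box
.                   99999999 IN NS gbox.your.domain.
gbox.your.domain.   99999999 IN A  123.45.67.89
"""
# The same cache with a real Internet root hint (a.root-servers.net) left in by mistake.
LEAKY_CACHE = GOOD_CACHE + """
.                   3600000 IN NS a.root-servers.net.
a.root-servers.net. 3600000 IN A  198.41.0.4
"""
GOOD_BOOT = """
primary    your.domain             db.domain
primary    67.45.123.in-addr.arpa  db.123.45.67
primary    0.0.127.in-addr.arpa    db.127.0.0
forwarders 123.45.67.89            ; G Box
cache      .                       named.cache
"""
GOOD_RESOLV = """
domain your.domain
nameserver 127.0.0.1
nameserver 123.56.76.123
nameserver 123.45.67.89
"""

if __name__ == "__main__":
    for label, cache in (("good", GOOD_CACHE), ("leaky", LEAKY_CACHE)):
        print(label, check_internal_root(GOOD_BOOT, cache, GOOD_RESOLV, GBOX_IP) or "OK")
```

Run it against the real files on each internal root nameserver (and, with the 127.0.0.1 check dropped, against each client's resolv.conf) after any change to the DNS configuration; the cache check is the one that matters most, because a stray Internet root hint is exactly what the abbreviated cache file exists to prevent.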

For more information on setting up internal root nameservers, see Chapter 14 of DNS and BIND (a Nutshell Handbook) by Paul Albitz and Cricket Liu, O'Reilly & Associates, ISBN 1-56592-010-4.

One further note on DNS configuration. The Eagle software is compiled with the resolv+ hostname lookup routines by Bill Wisner, which use /etc/host.conf to decide the order of name resolution. Accordingly, the Eagle-supplied versions of telnet and ftp, along with the internal hostname resolution software that is part of the Eagle, follow the lookup order specified in /etc/host.conf. If for some reason you want to change the default order of name resolution, create /etc/host.conf with your desired sequence; for example, the line "order hosts,bind" tells these routines to consult /etc/hosts first and DNS second.



tkevans@delmarva.com