RE: [SLUG] Telnet and the Internet

From: Ken Billings (lists@coffeehouseltd.com)
Date: Thu Feb 07 2002 - 15:27:47 EST


There are a couple other features that might make your life easier...
You can define a grouping of addresses into an acl, so referring to them
later is simple. You define it like this, outside of any other block:

acl friends {
        127.0.0.1/32;
        192.168.XX.XX/24; #Internal Net
        65.35.XX.XX/32; #External IP
        65.35.XX.XX/32; #IP of a friend of mine I allow access to
};

All the rest of these go in the options block, or in a particular zone
statement if you want to define things differently for specific zones...

You should set who is allowed to query your box. Hiding behind a firewall
makes this sort of redundant, but it makes me feel better. :)

        allow-query { friends; };

Another option that's nice during testing is allowing zone transfers to your
trusted IPs. It makes it a lot easier to spot errors in your zone files.
One misplaced . can make a world of difference.

        allow-transfer { friends; };

You mentioned having some trouble with your ISP's DNS before. If you add the
following, it will try to ask the defined servers first, and then go out and
get the info itself if that doesn't work. You may not want your box sending
DNS packets all around the net, but I like having a seamless backup. :)

        forward first;
        forwarders { 65.32.1.70; 65.32.2.130; };
        recursion yes;
        allow-recursion { friends; };

I also added this one to stifle DNS scanners looking for particular versions
that may have vulnerabilities. I think bind by default spits out the full
version info whenever someone connects to it. Again, moot point behind a
firewall...

        version "BIND 9";

DNS is a typical *nix beast, so it can be as simple or complex as it needs
to be to do the job. I'd really recommend a read through the docs at
bind.org.

Oh, I almost forgot... Once you get things up, you can do an easy test with
dig, as long as you defined the zone-transfer directive. This spits out
just about everything it knows about a particular zone:

[ken@mocha ken]$ dig [zone] axfr

Note that [zone] can be anything you have defined as a zone statement, like
"yourdomain.com" or "0.168.192.in-addr.arpa" for a reverse lookup zone.

Hope some of this helps you. I'm no bind guru, so if I'm giving bad advice,
someone please let me know! :)

-Ken
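As an added example that is not part of Ken's message: a small Python audit that parses a named.conf options block and reports the exposures the statements above are meant to close (recursion open to everyone, zone transfers open to everyone, unrestricted queries, version disclosure, and an allow-* statement naming an acl that was never defined). The two config fragments, the acl name "friends" and the addresses in them are constructed for the example.

```python
import re

# Constructed named.conf fragments, not from the post: the first leaves the
# access statements unset, the second applies the ones Ken recommends.
OPEN_CONF = """
options { directory "/var/named"; recursion yes; allow-transfer { any; };
          forward first; forwarders { 192.0.2.53; }; };
"""
HARDENED_CONF = """
acl friends { 127.0.0.1/32; 192.168.1.0/24; };   # trusted hosts
options { directory "/var/named"; allow-query { friends; };
          allow-transfer { friends; }; forward first; forwarders { 192.0.2.53; };
          recursion yes; allow-recursion { friends; }; version "BIND 9"; };
"""

def _body(text, start):
    """Text between the first '{' at or after start and its matching '}'."""
    i, depth = text.index("{", start), 0
    for j in range(i, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError("unbalanced braces")

def _members(body):
    return [x.strip() for x in body.split(";") if x.strip()]

def parse_conf(text):
    """Return (acls, options): acl name -> members, statement -> values."""
    text = re.sub(r"(#|//).*", "", text)                      # drop comments
    acls, opts = {}, {}
    for m in re.finditer(r"\bacl\s+(\S+)\s*\{", text):
        acls[m.group(1)] = _members(_body(text, m.start()))
    m = re.search(r"\boptions\s*\{", text)
    for s in re.finditer(r"([\w-]+)\s*(\{[^}]*\}|[^;{}]+);", _body(text, m.start()) if m else ""):
        key, val = s.group(1), s.group(2).strip()
        opts[key] = _members(val[1:-1]) if val.startswith("{") else [val.strip('"')]
    return acls, opts

def audit(text):
    """Findings for the exposures Ken's settings close. A missing allow-*
    statement is conservatively treated here as unrestricted."""
    acls, opts = parse_conf(text)
    unrestricted = lambda key: key not in opts or "any" in opts[key]
    findings = []
    if opts.get("recursion", ["yes"])[0] == "yes" and unrestricted("allow-recursion"):
        findings.append("open resolver: recursion on, allow-recursion not limited")
    if unrestricted("allow-transfer"):
        findings.append("zone transfers (AXFR) permitted from anywhere")
    if unrestricted("allow-query"):
        findings.append("allow-query not limited to trusted hosts")
    if "version" not in opts:
        findings.append("version not overridden; real BIND version is disclosed")
    for key in ("allow-query", "allow-transfer", "allow-recursion"):
        for who in opts.get(key, []):            # catch typos in acl names
            if not re.match(r"^[\d.:/]+$", who) and who not in ("any", "none", "localhost", "localnets", *acls):
                findings.append(f"{key} references undefined acl '{who}'")
    return findings
```

Running `audit(OPEN_CONF)` returns four findings and `audit(HARDENED_CONF)` returns none; a misspelled acl name in an allow-* statement is reported rather than silently locking everyone out or in.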

-----Original Message-----
From: slug@lists.nks.net [mailto:slug@lists.nks.net]On Behalf Of Robert
Haeckl
Sent: Thursday, February 07, 2002 11:51 AM
To: slug@nks.net
Subject: Re: [SLUG] Telnet and the Internet

These are about as simple as you can get. The named.conf file tells
your nameserver where to go to get info. It has an _options_ block, a
_._ block for the root nameservers, a localhost block, and
lookup/reverse_lookup blocks for your private network. You stick the two
forward statements in the _options_ block to forward outside lookups to
your ISP nameservers. The other blocks just tell the server what files
to look at for info. The named.root and named.local files are usually
provided for you.

You have to make your own lookup/reverse_lookup files, but just
cut-and-replace with the db.192.168.20 and db.cc files provided. You
can rename them, just make sure the file names match what is listed in
named.conf. The contents are almost self-explanatory. If you have a
mail server, you need to add an _MX_ record for it. If any machines
have alternate names (e.g. www), add a _CNAME_ record. Put the files in
the /var/named directory or wherever you state in the _options_ section
of named.conf.

That's it. Any trouble, you know where the HOWTOs are. Remember to
update the host.conf, nsswitch.conf and resolv.conf files on each computer.
Use the utility _nslookup_ to see if, in fact, your resolver libraries are
using your nameserver and if it works.

-Robert

Paul M Foster wrote:
>
> On Wed, Feb 06, 2002 at 11:36:37PM -0500, Robert Haeckl wrote:
>
> > Setting up DNS on a small private network with static IPs would involve
> > setting up dns lookup and dns reverse lookup files for your network, and
> > adding zone block statements for your network to the named.conf file
> > along with a forwarding statement. The forwarding statement directs
> > your nameserver to forward everything except lookups for your network to
> > your ISP's nameservers. If having some template files to
> > cut-and-replace would help, I can send you a copy of old ones of mine.
> >
>
> Send away.
>
> Thanks,
>
> Paul



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:49:12 EDT