[KLUG Members] Split zone DNS with dual DNS servers

Bob Kanaley members@kalamazoolinux.org
Fri, 30 Aug 2002 12:02:09 -0400


Peter,

I faced a similar situation with DNS when I took over as system admin ~2
years ago.

In my case, I inherited a single DNS zone that contained both LAN IP
addresses in the Class C 192.168.0.0/24 network, the authoritative external
DNS records for my externally hosted website and the MX record for my SMTP
server that was on my LAN.

The setup Bruce and Adam are describing is called a split zone DNS with dual
DNS servers. I went one step further in that I put my external services in a
DMZ and run my Bind and SMTP services chrooted (I think the newer versions
of BIND may drop privileges while running).

To set this up, I used a couple of articles from Linux Journal by Nick Bauer
(Paranoid Penguin, March 2001 issue), David A. Ranch's TrinityOS: A Guide to
Configuring Your Linux Server for Performance, Security, and Manageability
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-24.html,
a lot of DNS docs (The Bind Operators Guide is an excellent reference)
and Rob Thomas's Secure BIND Template
http://www.cymru.com/Documents/secure-bind-template.html

The methods each person uses are slightly different, but from some of your
comments on this list, I am sure you will be able to handle it.

I implemented an LRP NAT firewall with a DMZ. My split zone, external
chrooted DNS and SMTP server (Postfix) sits in the DMZ and only has records
for my public services (WWW, NS, MX).

The firewall rules are set up so nothing can get from the DMZ to the LAN.

I have an external logging computer sitting in the DMZ that nobody can see,
but I can use to monitor the external DNS/SMTP server. If anyone were to
crash either named or SMTPd, they are stuck in a chrooted jail and I can
read all about it on my external logger in the DMZ.

For the LAN clients to get their email off the SMTP I run stunnel on the
SMTP server so the LAN clients access their email via secure POP3s.

Hope some of that helps.

Bob

Robert V. Kanaley
Manager Information Systems
Agdia, Inc.
rvk@agdia.com
http://www.agdia.com
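The situation Bob describes above, a single inherited zone mixing 192.168.0.0/24 LAN hosts with the public WWW, NS and MX records, is the classic reason for splitting into an internal and an external zone. The script below is an added illustration (not from the list post, and not any project's code): it parses a constructed zone file in BIND master-file syntax, flags any A/AAAA record that points at an RFC 1918 address (the leak check you would run against the DMZ server's external zone), and partitions the mixed zone into the two zones a split-DNS setup needs. All names and addresses in the sample are made up; 203.0.113.x is a documentation range standing in for public space.

```python
import ipaddress
import re

# Constructed sample zone: one file that mixes public services with LAN
# hosts, the situation the post describes inheriting. Not real data.
MIXED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN  SOA   ns1.example.com. hostmaster.example.com. (2002083001 3600 900 604800 3600)
@        IN  NS    ns1.example.com.
@        IN  MX    10 mail.example.com.
ns1      IN  A     203.0.113.10   ; public, lives in the DMZ
www      IN  A     203.0.113.20   ; externally hosted web server
mail     IN  A     203.0.113.30   ; public MX in the DMZ
fileserv IN  A     192.168.0.5    ; LAN only, must never be published
printer  IN  A     192.168.0.7    ; LAN only
"""

# RFC 1918 space (Python's ip_address.is_private also covers the
# documentation ranges, so the check is made explicit here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# owner [ttl] IN type rdata   (class is assumed to be IN for this illustration)
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)$")


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; comments and $ directives are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()      # strip ; comments
        if not line or line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner, rtype, rdata.strip()))
    return records


def is_rfc1918(rdata):
    """True if the first rdata token is an IPv4 address inside RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(rdata.split()[0])
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def private_leaks(zone_text):
    """Records that would leak LAN addressing if served from the external DNS."""
    return [(owner, rdata) for owner, rtype, rdata in parse_zone(zone_text)
            if rtype in ("A", "AAAA") and is_rfc1918(rdata)]


def split_zone(zone_text):
    """Partition a mixed zone into (internal, external) record lists.

    The internal zone keeps everything; the external zone keeps SOA/NS/MX and
    only those address records that point at non-RFC 1918 space.
    """
    internal = parse_zone(zone_text)
    external = [rec for rec in internal
                if not (rec[1] in ("A", "AAAA") and is_rfc1918(rec[2]))]
    return internal, external


def format_zone(records):
    """Render records back into master-file lines for writing to disk."""
    return "\n".join(f"{owner:<10} IN {rtype:<5} {rdata}" for owner, rtype, rdata in records)


if __name__ == "__main__":
    for owner, addr in private_leaks(MIXED_ZONE):
        print(f"LEAK: {owner} -> {addr}")
    internal, external = split_zone(MIXED_ZONE)
    print("--- external zone (DMZ server) ---")
    print(format_zone(external))
    print("--- internal zone (LAN server) ---")
    print(format_zone(internal))
```

Running `private_leaks` against the zone file actually loaded on the DMZ server is the useful ongoing check: the split is only as good as the discipline of never adding a LAN host to the external file, and a two-line cron job that diffs the result against an empty list catches the day someone forgets.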


Date: Fri, 30 Aug 2002 11:08:01 -0400
To: members@kalamazoolinux.org
Subject: Re: [KLUG Members] LAN's and DNS
From: Peter Buxton <peter@killdevil.org>
Reply-To: members@kalamazoolinux.org

On Fri, Aug 30, 2002 at 10:57:30AM -0400, Bruce Smith wrote:

> I was confused for a minute, but I see your web server is hosted by an
> external company.

Yup! Sorry, I had that in mind as I was writing it (obviously, heh) and
*utterly* forgot to put it to pap--... uh, keyboard. Electrons?

Either way, I just wanted to make sure I wasn't ignoring the One True
Way to maintain a NAT'ed LAN name system. Or, for that matter, any
_better_ way. Thanks!

--
http://www.killdevil.org/~peter