BIND9 on multiple subnets

Gerald Combs gerald at zing.org
Sun Aug 1 23:47:25 CDT 2004


jeremy at linuxwebguy.com wrote:
> Hi all,
> 
> I'm working on setting up my own DNS server, but I ran into an issue that
> I can't quite kick.
> 
> I've got the BIND9 server inside an internal LAN.  The box itself only has
> one Ethernet port which is on the 192.168.0.0/24 subnet.  I currently have
> the DNS server setup to serve internal hosts and it works beautifully.
> 
> But... my gateway to the outside world does port-forwarding to my server,
> but I don't have the DNS port(s) setup to forward to it yet.  I want
> requests made from the outside world to resolve to the real Internet IP,
> but requests made from the local LAN to resolve to the internal IP, since
> the external IPs won't quite work right.
> 
> The closest help I could find was where the DNS server was running *on* a
> gateway, and to setup two instances of BIND9, one to respond on each of
> the Ethernet ports.  I don't have that option.
> 
> Could I possibly do it by IP?  All requests coming from the gateway IP
> resolve the external IPs, and all else resolve to the internal IPs?
> 
> Confused but not afraid to break things,

There are several ways to achieve this.

"Industry best practices" dictate that you have a minimum of two public
_and_ private DNS servers.  This requires an equipment investment, but
it's robust and easy to manage.  We do this where I work, and it's what
we recommend (strongly) to our clients.

Failing that, you _do_ have the option of running multiple BIND
instances on your server.  You can assign a secondary IP address (which
doesn't require a second adapter) and use the "listen-on" configuration
directive to control which address each instance of BIND, um, "binds"
to.  Internal clients would send their queries to the primary address,
and the firewall would direct inbound DNS requests to the secondary
address.
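As an added illustration of the two-instance approach just described (not part of the original message), here is how the two named.conf files might look. It assumes the box's primary address is 192.168.0.10, the secondary address added to the same interface is 192.168.0.11, and the zone files are named example-internal.zone and example-external.zone; the outward-facing instance also refuses recursion so the forwarded port does not turn the box into an open resolver.

```conf
# /etc/named-internal.conf  -- instance 1, serves the LAN
# (assumed secondary address added beforehand with e.g.:
#    ip addr add 192.168.0.11/24 dev eth0 label eth0:1)
options {
    directory    "/var/named/internal";
    pid-file     "/var/run/named-internal.pid";  # must differ per instance
    listen-on    { 192.168.0.10; };              # primary address only
    listen-on-v6 { none; };
    allow-query  { 192.168.0.0/24; 127.0.0.1; }; # LAN clients only
    recursion    yes;                            # LAN clients may recurse
};
zone "example.com" {
    type master;
    file "example-internal.zone";   # A records point at 192.168.0.x
};

# /etc/named-external.conf -- instance 2, reached via the gateway's port-forward
options {
    directory    "/var/named/external";
    pid-file     "/var/run/named-external.pid";
    listen-on    { 192.168.0.11; };              # secondary address only
    listen-on-v6 { none; };
    allow-query  { any; };
    recursion    no;                             # authoritative only, never an open resolver
};
zone "example.com" {
    type master;
    file "example-external.zone";   # A records point at the public IP
};
```

Start each instance with `named -c /etc/named-internal.conf` and `named -c /etc/named-external.conf`; the gateway forwards 53/udp and 53/tcp to 192.168.0.11 while LAN resolvers point at 192.168.0.10.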

You can serve the public addresses of your servers that are available on
the outside, and when private clients try to connect to those
addresses, use your firewall to redirect traffic appropriately.  This is
a hack, and adds an extra hop for your internal client-server traffic.
It also chews up bandwidth on your firewall's internal interface since
each client-server packet hits that interface twice.

You could buy a PIX, and use the "alias" command to rewrite the
addresses in DNS responses on the wire, assuming your DNS servers are in a
separate DMZ:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

BTW, how many outside DNS servers do you have?  Most (all?) registrars
force you to specify at least two when you register a domain.
