BIND9 on multiple subnets

Charles Steinkuehler charles at steinkuehler.net
Wed Aug 4 12:21:51 CDT 2004


jeremy at linuxwebguy.com wrote:

> Hi all,
> 
> I'm working on setting up my own DNS server, but I ran into an issue that
> I can't quite kick.
> 
> I've got the BIND9 server inside an internal LAN.  The box itself only has
> one Ethernet port which is on the 192.168.0.0/24 subnet.  I currently have
> the DNS server setup to serve internal hosts and it works beautifully.
> 
> But... my gateway to the outside world does port-forwarding to my server,
> but I don't have the DNS port(s) setup to forward to it yet.  I want
> requests made from the outside world to resolve to the real Internet IP,
> but requests made from the local LAN to resolve to the internal IP, since
> the external IPs won't quite work right.
> 
> The closest help I could find was where the DNS server was running *on* a
> gateway, and to setup two instances of BIND9, one to respond on each of
> the Ethernet ports.  I don't have that option.
> 
> Could I possibly do it by IP?  All requests coming from the gateway IP
> resolve the external IPs, and all else resolve to the internal IPs?
> 
> Confused but not afraid to break things,

As others have mentioned, running your own DNS may not be the right 
answer for your network, but if you want to implement the above setup, 
there's no need for two DNS servers now that bind9 supports views.

You can specify which zone data is served to a requesting client based 
on the client's IP address.  The following named.conf snippet implements 
a unique view for the 'newtek.com' name space for local systems, with 
all other namespaces having a single default view (external).

view "internal" {

     match-clients { 207.235.84.0/22; };
     recursion yes;

     zone "newtek.com" in {
         type master ;
         file "newtek.com-internal" ;
     };
};

view "external" {

     match-clients { any; };
     recursion yes;

     zone "." in {
         type hint ;
         file "named.root" ;
     };

     zone "newtek.com" in {
         type master ;
         file "newtek.com-external" ;
         also-notify { 66.88.8.236; 204.17.217.13; 204.57.66.2; };
         notify yes;
     };

     <other normal zone definitions follow>
};

I even have the zone data for newtek.com mostly in one file that gets 
included by the -internal and -external files...that way, I only have to 
separately maintain the IPs that really need to be different.

FYI:  This setup is used mainly to provide remote ssh-based access to 
internal systems for traveling sales guys.  I have some internal systems 
(like intranet.newtek.com) resolve to private IPs inside the firewalls 
if you're on the local network.  If you're outside the local network on 
the internet somewhere, you get 127.0.0.1 for the IP.  There's a putty 
ssh shortcut on the desktop of the marketroids' laptops which connects 
them to the internal network and port-forwards the appropriate services.

NOTE: To pull this trick with more than one internal website, 
port-forward via ssh to a transparent proxy on the internal 
network...works like a champ!

-- 
Charles Steinkuehler
charles at steinkuehler.net
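As an added example, not part of the original post or of BIND itself: a small Python model of how BIND chooses a view for a querying client, using the two views from the named.conf above. Views are tried in the order they appear and the first whose match-clients accepts the source address wins, so a catch-all "any" view listed first silently shadows every view after it; the model also flags that misordering. It is a simplified reimplementation of BIND's address-match-list rules (CIDR, "any", "none", leading "!" negation), not BIND's own code.

```python
import ipaddress

# Constructed from the named.conf in the post, in the order BIND reads the views.
VIEWS_IN_POST = [
    ("internal", ["207.235.84.0/22"]),
    ("external", ["any"]),
]


def acl_matches(client_ip, acl):
    """Evaluate a BIND-style address-match list for one client address.

    Elements are tested in order; the first element that matches decides.
    A leading '!' negates the element (a match means the ACL rejects the
    address), 'any' and 'none' are the usual keywords, anything else is a
    host or CIDR prefix."""
    addr = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        element = element.lstrip("!").strip()
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        else:
            hit = addr in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negate
    return False


def select_view(client_ip, views):
    """Name of the first view whose match-clients accepts client_ip, or None
    when no view matches (BIND would then refuse the query)."""
    for name, acl in views:
        if acl_matches(client_ip, acl):
            return name
    return None


def shadowed_views(views):
    """Views that can never be selected because an earlier view's
    match-clients starts with a bare 'any' (e.g. listing "external" first)."""
    shadowed, catch_all_seen = [], False
    for name, acl in views:
        if catch_all_seen:
            shadowed.append(name)
        elif acl and acl[0].strip() == "any":
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    for ip in ("207.235.85.10", "8.8.8.8"):
        print(ip, "->", select_view(ip, VIEWS_IN_POST))
    print("shadowed if reversed:", shadowed_views(list(reversed(VIEWS_IN_POST))))
```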
