DNS and NAT config question.

Hello,

I am running Bind 9.2.1 on RH9. I've run into an interesting configuration issue/design that I cant quite figure out.

My network consists of a public side, and a private site. All of my servers (DNS, email, httpd, etc.) have been on the public side, so it was straightforward to have all DNS entries resolve to publically viewable IP's.

Now I have setup a server on the inside. This server will be mapped across NAT to a public IP..

I'm trying to figure out if there is a way to have the name resolve to an private IP, if sourced from the inside, and the public IP if sourced from the outside.

Right now I am using hosts files to circumvent the issue, but I'd ike to only have to worry about 1 name database if there was a change, rather than 25 or so host files

My only thought was to setup another DNS server for the inside, and configure it to resolve those servers, and forward all other requests to the outside DNS servers. This of course leads to more admin overhead, as there is 1 or 2 more servers to monitor and maintain.

Any other thoughts or ideas on how to accomplish this?

Thanks for any and all feedback.

I really need to put a tutorial in the server setup post about this. BIND offers a solution in the form of "views". Here's my server configuration. Notice how I put it to use.

http://www.dollardns.net/bind/advanced/named.conf

I used match-destination, but you can also use CIDR network values in matching the source.

Ok.. After doing some research, I *think* I understand the concept of views.. Let me know if my logic is correct.

The 'view' will be created outside of the current zone blocks. In that view I will define the match-client IP, and create a new zone file for that view. In that zone file, I will create the records I need, for my inside address's.. Is that right?


Attached is an example of my thinking.. All clients from 66.63.110.59 (my nat'ed address) will be served records from the file 'server-testing.com.zone-inside' file. Everyone else will be from server-testing.com.zone?

And lastly, how will this affect resolution of the other zones, from 66.63.110.59, that my server is authoritative for?

you almost got the right idea. However, if you're using views, ALL zone blocks must be inside of a view. So you'll need at least 2 view blocks, a public and a private. Each public zone goes into the public view. Each private zone goes into the private view. Each public AND private zone goes into both - each with their own zone file.

match-clients is what you want. match-clients needs a value of a CIDR network for the private view. match-clients needs a value of "any;" for the public view.

Thanks.. That makes sense..

Am I correct in assuming that order is important? Meaning I need to list the private viewfirst.. If I list the 'match-client { any }' (public view) first, that would take precedence?

good question, but you can make things explicit.

private match-clients example:

match-clients { 192.168/16; };

public match-clients example:

match-clients { !192.168/16; any; };

The IP ruleset (as I call them) definately matters in term of order. The first rule that matches an IP is acted upon, so I had a negating rule before the any rule.

But as for whether view order matters, I don't know, I'd have to look it up. That's why I used match-destinations, cause it was very clear on how it would perform.

Cool.. Thanks for the help.