Date: Wed, 10 Sep 2008 18:17:51 -0600
From: Andrew Falanga <af300wsm@gmail.com>
To: George Davidovich <freebsd@optimis.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: mail server DNS configuration questions
Message-ID: <48C863AF.4050908@gmail.com>
In-Reply-To: <20080907055229.GA93793@marvin.optimis.net>
References: <200809061928.28539.af300wsm@gmail.com> <20080907055229.GA93793@marvin.optimis.net>
George Davidovich wrote:
> On Sat, Sep 06, 2008 at 07:28:28PM -0600, Andrew Falanga wrote:
>
>> Well, my clients at church are still having issues and after working with
>> George, a respondent to my original questions, I think that most, if not all,
>> of my problems are related to DNS and how we've got it improperly configured.
>>
>> First, a crude drawing of how our mail server exists in the world:
>>
>> 192.168.2.x/24            72.24.23.252            "lots of networks"
>> Private Network   <-->    CableOne       <-->     Internet
>>
>> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at
>> whose house the mail server is) has IP forwarding set up so that mail gets
>> sent to our FreeBSD machine. Using dig, here are the responses:
>>
>> (from my FBSD machine at home, not the server)
>> [/usr/home/andy] -> dig +short -t MX whitneybaptist.org
>> 10 mail.whitneybaptist.org.
>> [/usr/home/andy] -> dig +short -t A whitneybaptist.org
>> 72.24.34.252
>> [/usr/home/andy] -> dig +short -x 72.24.34.252
>> 34-252.72-24-cpe.cableone.net.
>>
>> (from the church FBSD machine)
>> [/home/afalanga] -> hostname
>> whitbap
>> [/home/afalanga] -> ifconfig fxp0
>> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         options=8<VLAN_MTU>
>>         inet 192.168.2.23 netmask 0xffffff00 broadcast 255.255.255.255
>>         ether 00:d0:b7:74:87:48
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>> [/home/afalanga] -> cat /etc/resolv.conf
>> search McCutchanLAN
>> nameserver 192.168.2.1
>>
>> It doesn't take a rocket scientist, or a computer scientist, to figure out
>> we've got DNS issues. I'm thinking that I should set up a domain within the
>> 192.168.2.0/24 network on this box. I've done this before, at work. The
>> question I've got is I've never actually integrated a domain like this to a
>> domain on the Internet. I'm thinking that we'll set up something like:
>> internal.whitneybaptist.org with hosts in that sub-domain.
>>
>> So, what would my DNS tables need to look like to make this happen? Also, to
>> any knowledgeable souls here, what RFCs address these issues?
>>
>
> Hello again, Andy.
>
> What you're asking is actually a FAQ, but I'll spell things out anyway.
> The following excerpt from RFC 1918 is most relevant:
>
>     If an enterprise uses the private address space, or a mix of
>     private and public address spaces, then DNS clients outside of
>     the enterprise should not see addresses in the private address
>     space used by the enterprise, since these addresses would be
>     ambiguous. One way to ensure this is to run two authority
>     servers for each DNS zone containing both publically and
>     privately addressed hosts. One server would be visible from the
>     public address space and would contain only the subset of the
>     enterprise's addresses which were reachable using public
>     addresses. The other server would be reachable only from the
>     private network and would contain the full set of data,
>     including the private addresses and whatever public addresses
>     are reachable the private network. In order to ensure
>     consistency, both servers should be configured from the same
>     data of which the publically visible zone only contains a
>     filtered version. There is certain degree of additional
>     complexity associated with providing these capabilities.
>
> That's a roundabout way of saying you can't "mix and match" private
> non-routable addresses with public addresses in the same namespace.
>
> Note the "authoritative" part. Until CableOne delegates your assigned
> netblock to your organisation, your public DNS server will not be
> authoritative (it currently isn't!) for 72.24.34.252. You can reference
> RFC 2317 (classless in-addr.arpa delegation) for how that works. As to
> why you must be authoritative, I've already pointed out off-list how Bad
> Things can happen when you're not, especially in regards to email where
> reverse lookups are integral to How Things Work.
>

I could be wrong, but I think they've done something like this. I administered
DNS on an OpenBSD machine (2 of them actually) back in 2000-2001. Since then,
I've done nothing with DNS administration. I'm wondering what I need to get
from CableOne to get this done. Here's the result of a dig, on that mail
server, for the IP address 72.24.34.252:

[/home/afalanga] -> dig -x 72.24.34.252

; <<>> DiG 9.3.3 <<>> -x 72.24.34.252
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19747
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;252.34.24.72.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
252.34.24.72.in-addr.arpa. 86333 IN     PTR     34-252.72-24-cpe.cableone.net.

;; AUTHORITY SECTION:
24.72.in-addr.arpa.     75566   IN      NS      NS1.cableone.net.
24.72.in-addr.arpa.     75566   IN      NS      NS2.cableone.net.

;; ADDITIONAL SECTION:
NS1.cableone.net.       3507    IN      A       24.116.0.201
NS2.cableone.net.       69544   IN      A       24.116.0.202

;; Query time: 16 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Wed Sep 10 19:53:27 2008
;; MSG SIZE  rcvd: 154

Notice that the answer section points to 34-252.72-24-cpe.cableone.net. I
don't remember the exact syntax, but the delegation that our ISP did for this,
according to RFC 2317 (thanks by the way), looked very similar to that. I
wonder what it is they're doing.

> As for other RFCs, I'd suggest instead starting with a careful reading
> of the Bind ARM at http://www.isc.org/sw/bind/, followed by a once-over
> of the Bind FAQ, and possibly the FreeBSD-supplied configuration files.
>
> To save you some time, the following abbreviated context-specific
> examples should explain things more clearly and get you started:
>
> Example 1: Two domains and two separate (sets of) name servers:
>
> On the ns.whitneybaptist.org machine:
>
>   zone "whitneybaptist.org" {
>       type master;
>       file "master/whitneybaptist.org";
>   };
>   zone "252.34.24.72.in-addr.arpa" {
>       type master;
>       file "master/db.72.24.34.252";
>   };
>
> On the ns.internal.whitneybaptist.org machine:
>
>   zone "internal.whitneybaptist.org" {
>       type master;
>       file "master/internal.whitneybaptist.org";
>   };
>   zone "1.168.192.in-addr.arpa" {
>       type master;
>       file "master/db.192.168.1";
>   };
>
>   # slave whitneybaptist.org zones here
>
> The contents of /etc/resolv.conf for internal hosts:
>
>   domain internal.whitneybaptist.org
>   nameserver 192.168.1.X
>
>
> Example 2: One domain and a single (set of) name server(s) employing
> Bind's "view" feature:
>
>   acl "lan_hosts" { 192.168.1/24; 192.168.2/24; };
>
>   key "external" {
>       algorithm hmac-md5;
>       secret "XXXXXXX==";
>   };
>
>   view "internal" {
>       match-clients { !key external; lan_hosts; };
>       allow-recursion { lan_hosts; };
>
>       zone "whitneybaptist.org" {
>           type master;
>           file "master/whitneybaptist.org.internal";
>       };
>       zone "1.168.192.in-addr.arpa" {
>           type master;
>           file "master/db.192.168.1";
>       };
>   };
>
>   view "external" {
>       match-clients { key external; any; };
>       recursion no;
>
>       zone "whitneybaptist.org" {
>           type master;
>           file "master/whitneybaptist.org.external";
>       };
>       zone "252.34.24.72.in-addr.arpa" {
>           type master;
>           file "master/db.72.24.34.252";
>       };
>   };
>
> The contents of /etc/resolv.conf for internal hosts:
>
>   domain whitneybaptist.org
>   nameserver 72.24.34.252
>
>   # Note: if 'nameserver' is NAT-ed, you'd use its
>   # internal address instead
>
> You'll have to decide for yourself which approach works best for you.
>
> - If you opt for 2 domains, you'll need to reconfigure all your
>   internal hosts, and then add more machines to serve up DNS for those
>   hosts.
>
> - If you opt for one domain and use Bind's view feature, you can leave
>   your internal hosts alone (assuming they're already part of the
>   whitneybaptist.org domain) and skip the requirement for additional
>   machines, but your DNS configuration will be a little more complex.
>

Thanks. I think I'm finally starting to wrap my mind around this and I'm on
the right track.

Andy
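The RFC 1918 excerpt quoted above says both views should be generated from one data set, with the public zone a filtered copy. The script below is an added illustration of that rule, not code from the thread or from BIND: it derives the external zone from the full internal record set, drops RFC 1918 addresses, substitutes the NAT'd public address where one is known, and checks that the MX target remains reachable from outside. The record set and the override table are constructed sample data.

```python
import ipaddress

# Constructed sample data: the "full set of data" the internal view would
# serve, as (owner, type, rdata) tuples. Hosts and addresses are illustrative.
INTERNAL_ZONE = [
    ("whitneybaptist.org.",      "MX", "10 mail.whitneybaptist.org."),
    ("whitneybaptist.org.",      "A",  "72.24.34.252"),
    ("mail.whitneybaptist.org.", "A",  "192.168.2.23"),  # NAT-ed mail host
    ("ns.whitneybaptist.org.",   "A",  "192.168.2.1"),   # LAN-only resolver
    ("www.whitneybaptist.org.",  "A",  "72.24.34.252"),
]

# Constructed override table: public address that outside clients must see
# for a host whose internal record carries a private address.
PUBLIC_OVERRIDES = {"mail.whitneybaptist.org.": "72.24.34.252"}


def is_private(addr: str) -> bool:
    """True for RFC 1918 / other non-routable addresses."""
    return ipaddress.ip_address(addr).is_private


def build_external_zone(records, overrides):
    """Filter the full data set down to what the external view may publish:
    A/AAAA records with private rdata are replaced by a public override if
    one exists, otherwise dropped. All other records pass through unchanged."""
    external = []
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and is_private(rdata):
            if owner in overrides:
                external.append((owner, rtype, overrides[owner]))
            continue
        external.append((owner, rtype, rdata))
    return external


def leaked_private_addresses(records):
    """Owners whose A/AAAA rdata is private; must be empty for the external view."""
    return [o for o, t, r in records if t in ("A", "AAAA") and is_private(r)]


def mx_targets_public(records):
    """Every MX target needs a public A record in the same zone, otherwise
    remote mail servers cannot deliver to it."""
    addrs = {o: r for o, t, r in records if t == "A"}
    targets = [r.split()[1] for _, t, r in records if t == "MX"]
    return all(t in addrs and not is_private(addrs[t]) for t in targets)
```

Run `leaked_private_addresses` against the zone file you intend to load into the external view before every reload; a non-empty result is exactly the leak RFC 1918 warns about.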