Date:      11 May 1999 08:51:14 -0400
From:      Matt Curtin <cmcurtin@interhack.net>
To:        zulkarnain <zul@unsyiah.ac.id>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: 2 networks, 1 DNS
Message-ID:  <xlxaevblqgt.fsf@gold.cis.ohio-state.edu>
In-Reply-To: zulkarnain's message of "Tue, 11 May 1999 12:39:56 +0000 (GMT)"
References:  <Pine.BSF.4.05.9905111204170.21917-100000@pinto.unsyiah.ac.id>

>>>>> On Tue, 11 May 1999 12:39:56 +0000 (GMT),
     zulkarnain <zul@unsyiah.ac.id> said:

zul> As shown above, my network is made of 2 networks. How do I put both
zul> of them into one DNS?

You don't, unless that zone will *never* be loaded by the outside,
i.e., by putting the nameserver on a machine that only has one of the
private addresses.

Never ever ever ever ever ever ever ever ever ever ever ever ever ever
put RFC 1918 addresses in a zone that will be loaded "in the wild".

If those addresses do "bleed" to the outside, there will be all manner
of bizarre problems created.  Folks trying to get mail to the hosts
that you have in the DNS might well have hosts whose addresses
conflict.  And those hosts might well be running SMTP service.  Mail
intended for you would go to their machine with the private address,
which would claim not to be your host, and the mail would bounce.

What's even worse is that by putting in multiple A records, this
behavior won't be consistent.  It will appear to work approximately
half of the time.

I strongly recommend splitting the DNS, putting your private addresses
in one zone that will not be available to the outside and your public
addresses in another, public, zone.

It isn't entirely clear what your architecture looks like in terms of
packet filtering, and who can reach whom directly, but in any case,
that's what you'll need to do.  How exactly to do that will depend on
your configuration.  Chapman and Zwicky's "Building Internet
Firewalls" has plenty of examples of various DNS architecture
options.

Some additional hints are found in the Internet Firewalls FAQ:
http://www.interhack.net/pubs/fwfaq/#head_howdns.

-- 
Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/
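The pre-publication check the reply above argues for, as an added example that is not part of Matt Curtin's message or the FreeBSD list archive: a small Python script that scans a zone file for RFC 1918 addresses before the zone is loaded by a public nameserver, and separately flags owner names that mix public and private A records, which is the "works about half the time" case described above. The zone text, the example.org names and addresses, and the subset of zone-file syntax handled (comments, $ORIGIN, $TTL, optional TTL and class fields, blank-owner continuation lines) are all constructed assumptions for the example.

```python
"""Audit a DNS zone file for RFC 1918 addresses before it is published.

Added example (not from the original mailing-list post). The zone data
below is constructed; the parser covers only the common zone-file syntax.
"""
import ipaddress
from collections import defaultdict

# The three RFC 1918 private ranges, listed explicitly rather than relying
# on ipaddress.is_private, which also matches loopback, link-local, etc.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_a_records(zone_text: str, origin: str) -> dict:
    """Return {fully qualified owner name: [IPv4 rdata]} for every A record.

    Handles ';' comments, $ORIGIN, $TTL, optional TTL/class fields, '@',
    relative names, and lines that start with whitespace (same owner as
    the previous record).
    """
    records = defaultdict(list)
    last_owner = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                   # $TTL and friends
            continue
        tokens = line.split()
        if raw[0] in " \t":                        # continuation: reuse owner
            owner = last_owner
        else:
            owner = tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        last_owner = owner
        # Skip the optional TTL and class fields that may precede the type.
        while tokens and (tokens[0].isdigit()
                          or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        if len(tokens) >= 2 and tokens[0].upper() == "A":
            records[owner].append(tokens[1])
    return dict(records)


def audit_zone(zone_text: str, origin: str = "example.org."):
    """Return (private, mixed).

    private: {name: [RFC 1918 addresses]} for names that would leak.
    mixed:   names carrying both public and private A records, which
             resolve inconsistently for outside clients.
    """
    records = parse_a_records(zone_text, origin)
    private, mixed = {}, []
    for name, addrs in records.items():
        priv = [a for a in addrs if is_rfc1918(a)]
        if priv:
            private[name] = priv
            if len(priv) < len(addrs):
                mixed.append(name)
    return private, sorted(mixed)


# Constructed sample zone: one clean host, one host with a leaked second
# A record, and one host that should only ever exist in the internal zone.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@       IN SOA ns1.example.org. hostmaster.example.org. ( 2024010101 3600 900 604800 86400 )
        IN NS  ns1.example.org.
ns1     IN A   203.0.113.10
www     3600 IN A 203.0.113.20
mail    IN A   203.0.113.25
mail    IN A   192.168.1.25      ; private address in the public zone
fileserver IN A 10.1.2.3          ; belongs in the internal zone only
"""

if __name__ == "__main__":
    private, mixed = audit_zone(SAMPLE_ZONE)
    for name, addrs in private.items():
        print(f"RFC 1918 address(es) in public zone: {name} -> {addrs}")
    for name in mixed:
        print(f"Inconsistent resolution (public + private A): {name}")
```

Run it against the zone you intend to serve to the outside; anything it reports belongs in the internal zone of the split instead. The same function can be pointed at the internal zone to confirm it is the only place the private addresses appear.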


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xlxaevblqgt.fsf>