From owner-freebsd-questions Tue May 11 5:51:27 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from cis.ohio-state.edu (mail.cis.ohio-state.edu [164.107.115.5]) by hub.freebsd.org (Postfix) with ESMTP id DECD4159BC for ; Tue, 11 May 1999 05:51:25 -0700 (PDT) (envelope-from cmcurtin@cis.ohio-state.edu)
Received: from gold.cis.ohio-state.edu (cmcurtin@gold.cis.ohio-state.edu [164.107.112.16]) by cis.ohio-state.edu (8.9.1/8.9.1) with ESMTP id IAA27289; Tue, 11 May 1999 08:51:15 -0400 (EDT)
Received: (from cmcurtin@localhost) by gold.cis.ohio-state.edu (8.9.1/8.9.1) id IAA17928; Tue, 11 May 1999 08:51:15 -0400 (EDT)
To: zulkarnain
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: 2 networks, 1 DNS
References:
Date: 11 May 1999 08:51:14 -0400
In-Reply-To: zulkarnain's message of "Tue, 11 May 1999 12:39:56 +0000 (GMT)"
Message-ID:
Lines: 40
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>>>>> On Tue, 11 May 1999 12:39:56 +0000 (GMT), zulkarnain said:

zul> As shown above, my network is made up of 2 networks. How do I put both
zul> of them into one DNS?

You don't, unless that zone will *never* be loaded by the outside, i.e., by putting the nameserver on a machine that only has one of the private addresses.

Never ever ever ever ever ever ever ever ever ever ever ever ever ever put RFC 1918 addresses in a zone that will be loaded "in the wild".

If those addresses do "bleed" to the outside, there will be all manner of bizarre problems created. Folks trying to get mail to the hosts that you have in the DNS might well have hosts whose addresses conflict. And those hosts might well be running SMTP service. Mail intended for you would go to their machine with the private address, which would claim not to be your host, and the mail would bounce.
What's even worse is that by putting in multiple A records, this behavior won't be consistent. It will appear to work approximately half of the time.

I strongly recommend splitting the DNS, putting your private addresses in one zone that will not be available to the outside and your public addresses in another, public, zone.

It isn't entirely clear what your architecture looks like in terms of packet filtering, and who can reach whom directly, but in any case, that's what you'll need to do. How exactly to do that will depend on your configuration. Chapman and Zwicky's "Building Internet Firewalls" has plenty of examples of various DNS architecture options. Some additional hints are found in the Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/#head_howdns.

-- 
Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/
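Added example, not part of the original message or its author's work: a small Python audit that parses the A records of a zone file and flags owners with RFC 1918 addresses, plus owners whose RRset mixes public and private addresses (the "works about half the time" case). The zone text is constructed sample data, and only the three RFC 1918 blocks are checked.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 blocks only (ipaddress.is_private would also flag TEST-NET ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone (not from the original message): "www" has both a public
# and a private A record (the "works about half the time" case), "mail" is private-only.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@       IN  SOA  ns1.example.com. hostmaster.example.com. (1 3600 900 604800 86400)
ns1     IN  A    203.0.113.10
www     IN  A    203.0.113.20
www     IN  A    192.168.1.20   ; private address leaking into the public zone
mail    IN  A    10.0.0.25      ; private-only host
ftp     IN  A    198.51.100.5
"""

A_RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)", re.IGNORECASE)

def is_rfc1918(addr):
    """True if the address string lies in one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_a_records(zone_text):
    """Return {owner: [address strings]} for the A records of a simple zone file."""
    records = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop zone-file comments
        if not line or line.startswith("$"):
            continue
        m = A_RECORD_RE.match(line)
        if m:
            records[m.group(1).lower()].append(m.group(2))
    return dict(records)

def audit_public_zone(zone_text):
    """Return (leaks, mixed): owners holding RFC 1918 A records, and the subset
    whose RRset mixes public and private addresses, so resolution is inconsistent."""
    leaks, mixed = {}, []
    for owner, addrs in parse_a_records(zone_text).items():
        private = [a for a in addrs if is_rfc1918(a)]
        if private:
            leaks[owner] = private
            if len(private) < len(addrs):
                mixed.append(owner)
    return leaks, sorted(mixed)
```

Run audit_public_zone over the zone you intend to publish; any non-empty result is a record that belongs in the internal zone of a split-DNS setup rather than the public one.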