topic Re: DNS config in Operating System - HP-UX

DNS config

Fred Martin_1 — Tue, 30 Oct 2001 14:32:32 GMT

I have posted similar questions some time ago but now can't seem to locate them via search, here.

Here's my situation. I have a single network, with many PC hosts and one unix server running sendmail. Currently all hosts use a name server out on the internet to resolve names.

I am setting up DNS on the unix server. I want my DNS to resolve all local names, and then defer to the outside DNS server when the local can't resolve.

My internet provider has the zone files for my domain name, but we only have one public address (NAT is used) and all incoming MX packets are passed to my unix server.

I do not want my internal hosts to be known to the outside.

Questions:

1. Am I correct in thinking that my DNS server will be a primary master for my domain, and be the SOA?

2. What configuration in DNS tells the thing when and where to go get DNS info from the outside DNS server, if the request is not resolved locally?

3. When I run hosts_to_named, it puts an MX record in the db file for every host. Only the unix server receives mail, should those other MX records be removed?

Re: DNS config

Sachin Patel — Tue, 30 Oct 2001 14:51:36 GMT

Hi Fred,
1. yes your unix box can be primary server. You are on correct path.
2. forwarder ip_address_of_internet_provider
statment on optinn clause in /etc/named.conf file will take care the forwardig issue. For example
options {
check-names master ignore;
check-names response ignore;
check-names slave ignore;
directory "/usr/local/named";
forwarders {
IP_of_ISP;
};
};
3. you can set your dns server as primary mail server and point all hosts to there. you need MX entry in db file with you dns name. example
IN MX 20 server1.vdgc.com.

*use bind8.2.3 or bind9.x do not use old bind4.x.

In your client systems you just need
/etc/resolv.conf file with following two entry
doamin domain_name
nameserver ip_of_server1

Sachin

Re: DNS config

Sridhar Bhaskarla — Tue, 30 Oct 2001 14:54:48 GMT

1. Yes. Your name server will be the primary for your domain.
2. db.root file that has the information about the root servers will take care of DNS resolutions outside your domain.
3. Not required. But if you are particular you can use -m switch to specify the weight of your unix server. If you don't want, you can specify -M along with hosts_to_named command line not to create MX records for each host.

-Sri

Re: DNS config

Uday_S_Ankolekar — Tue, 30 Oct 2001 14:55:38 GMT

Hello,

Your concepts on DNS are correct, But I suggest you to read following link.

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/J2776-90008/J2776-90008_top.html&con=/hpux/onlinedocs/J2776-90008/00/00/20-con.html&toc=/hpux/onlinedocs/J2776-90008/00/00/20-toc.html&searchterms=DNS&queryid=20011030-065719

Goodluck,
-USA..

Re: DNS config

Uday_S_Ankolekar — Tue, 30 Oct 2001 14:59:04 GMT

Hi, Again,
Also see this document

http://us-support.external.hp.com/cki/bin/doc.pl/sid=ca2a21501578a76a36/screen=ckiSearchResults?mode=id&searchString=KBAN00000292

-USA..

Re: DNS config

Bernie Vande Griend — Tue, 30 Oct 2001 16:06:49 GMT

Your DNS server will be the primary. If you do not want your domain to be known by the outside world, it probably won't work to rely on the root servers and usually in this situation you are behind a firewall. There are some options in which using the root servers will work, but IMO they're not appropriate for internal DNS configurations.

We use forwarders to our ISP or outside DNS server.

If you are using named.conf, this should look like:

options { directory "/var/named"; forward only; forwarders { IPOFYOURISP;
SECONDARYIPOFYOURISP;
}; };

Then in your definition of your internal domain, you might want to use a forwarders {}; option so that lookups within your domain that fail are not forwarded and it also makes it possible to have subdomains for your internal domain. This is assuming you are using at least BIND 8.2.2
Example:

zone "mydomain" {
type master;
file db.mydomain;
forwarders {};
};

I highly recommend getting the book DNS&Bind 4th Edition from O'Reilly. Anyone playing with DNS should have a copy.

Re: DNS config

Fred Martin_1 — Tue, 30 Oct 2001 18:43:43 GMT

Thank you all; you've helped me conquer some fears and I'll go ahead and set it up. I have the O'Reilly DNS book here to refer to as well so I should be in good shape. If I have troubles though, I'll be back :)

Re: DNS config

Fred Martin_1 — Wed, 07 Nov 2001 14:18:22 GMT

Ok I'm back. I set up DNS and it all worked very well, when I used debug to follow some trails it showed that name resolutions were properly forwarded, etc.

One thing though, my sendmail configuration is a little complex, and DNS needs to be configured to match.

sendmail has been told to accept mail for three domains, and my internet provider is passing incoming MX packets for all three names on to my unix server for sendmail.

Additionally, sendmail is converting outgoing mail for certain users so that mail appears to be coming from one domain or the other, depending on the user (via maildrops etc).

The effect is that for one public IP address we appear to be three companies with seperate mail servers, three domains.

This all works fine - except for DNS, which now needs to resolve all three domain names to the same address, for -internal- calls to DNS.

Before I set up DNS, it was resolved easily in the hosts file with aliases:

theserver domain1.com domain2.com

But the hosts_to_named script gave an error on the qualified domains-as-aliases and did not bring them into the DNS database.

So now an internal user sends mail to john@domain2.com --- internal DNS can't resolve, forwards it to outside DNS server, gets the public IP address returned, and mails an internal email to the outide public IP.

Would prefer that all three domains get a return from my internal DNS, showing the private IP address of the sendmail server.

Sorry for being so verbose, any assistance woudl be appreciated.

Re: DNS config

Kevin Wright — Wed, 07 Nov 2001 19:08:43 GMT

an alias in DNS is called a CNAME record. You can have unlimited number of aliases for a hostname. One hostname is the primary, so it has the PTR records pointing to it, and all the others are CNAME records. Do not point your MX record at a CNAME however, this is not recommended.

Re: DNS config

Fred Martin_1 — Wed, 07 Nov 2001 19:27:49 GMT

I understand you can have CNAMEs for hosts in a domain; but what I'm talking about is an alias for the domain - so I'm not sure that CNAMEs apply.

For example, in the file: domain1.com

sales01 IN A 192.10.10.10
sales1 IN CNAME sals01.domain1.com

That's what you refer to.

But I'm trying to get

domain1.com
domain2.com
domain3.com

...all to resolve to the same address. I meant this to be for email only but I suppose that could be extended to mean that:

sales01.domain1.com
sales01.domain2.com
sales01.domain3.com

...would also resolve to the same address (since they really are the same host).

Re: DNS config

Fred Martin_1 — Thu, 08 Nov 2001 14:24:40 GMT

Ok that line above should read:

For example, in the file: db.domain1.com

Also I'm sorry now that I have a rabbit symbol on this issue as I'd like some input on the last few posts. Need my local DNS server to resolve three domain names to the same address before going to a forwarder for resolution.

Re: DNS config

Kevin Wright — Thu, 08 Nov 2001 15:57:03 GMT

You should have a separate zone file for each of your domains..so why don't you just point the A records to the same IP??

Re: DNS config

Fred Martin_1 — Thu, 08 Nov 2001 18:41:23 GMT

Ok, verify this for me then. So in /etc/named.data I would need the following files (for example):

db.127.0.0
db.192.10.10
db.domain1
db.domain2
db.domain3
db.cache

Right now my named.boot has entries like this:

primary 0.0.127.IN-ADDR-ARPA db.127.0.0
primary domain1.com db.domain1
primary 10.10.192.IN-ADDR-ARPA db.192.10.10
forwarders 000.000.000.000
cache . db.cache

Would I just add two more lines for domain2 and domain3?

And, would the db.domain1, db.domain2, and db.domain3 files look nearly the same, since they are physically the same hosts?

Re: DNS config

Kevin Wright — Thu, 08 Nov 2001 18:47:50 GMT

basically, yes. You need separate SOA zone files for your different domains. so add them to named.conf, then add the files to /var/named. You can simply copy db.domain1 to db.domain2 and 3, but delete all the other host records that you don't need and change the origin. You should just need the @ record in the new files. Point this @ record to the same IP's.
Then test with nslookup, host.domain1, host.domain2 and host.domain3 will all point to the same IP.

Re: DNS config

Fred Martin_1 — Thu, 08 Nov 2001 20:23:41 GMT

Ok I'll give that a try. I will post the status here after I try it out.

By the way, I notice that many of the messages here refer to BIND 8, I called HP and asked - since I am running HP-UX 10.20 they recommend BIND 4.9.7 with patch PHNE_23277, not BIND 8. I understand that there were some security issues with BIND 4, but that is what HP recommended.

Re: DNS config

Kevin Wright — Thu, 08 Nov 2001 21:59:14 GMT

Bind 4.9.7 is pretty secure, just ancient. I suggest you compile 8.2.3 (at least), but you need the full ansi C compiler to do this.

Re: DNS config

Fred Martin_1 — Thu, 08 Nov 2001 22:32:18 GMT

Well all seems to be going pretty well. I did not need three zone files though - I have one zone file:

db.domain1

And, in the named.boot file these three lines:

primary domain1.com db.domain1
primary domain2.com db.domain1
primary domain3.com db.domain1

I was glad this worked; it means I only change one zone file instead of three, when an address change occurs. By doing this, the postmaster authority is the same for all three etc, but in my case this is acceptable.

Thanks for your assistance Kevin and those above, well done.