Internal/External DNS
This is a technical write-up on my experience setting up an internal/external DNS using two Xen DOMUs running NetBSD 4.0.1 and BIND 9.4.2-P2. The internal domain (i.fourings.com) is secure and not accessible from the internet, while the external domain (fourings.com) is located in the DMZ and accessible for queries via its IPv4/IPv6 addresses.
Goal/Requirements
I've set out to split my internal/external DNS zones to run on two different hosts. The internal server will only be accessible to the trusted network (via IPv4/IPv6), while the external server will be in the DMZ and accessible from the internet via IPv4/IPv6. The internal server will be authoritative for the zone 'i.fourings.com' and the external server will be authoritative for 'fourings.com'.
I already have two NetBSD Xen DOMUs that I will use for this purpose. The external host has been allocated only 64MB RAM and this has proven to be more than sufficient. I'm running NetBSD 4.0.1 and kernel version XEN3_DOMU from the installation disk. The provided version of BIND is 9.4.2-P2 and is being run chrooted.
Lastly, there was management. I've previously used 'nsupdate' to perform remote zone modifications. The great thing about nsupdate is that changes are made without the need to send a SIGHUP to the named daemon. The first thing was to create a TSIG key with the 'dnssec-keygen' command, transfer that key to the DNS servers, and give the key rights to make zone modifications.
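The key-creation, distribution and grant steps just described, as an added shell example (these are not the author's own scripts): it wraps dnssec-keygen, prints the named.conf key and zone stanzas, and builds the nsupdate batch that is fed to nsupdate with the key's .private file. The key name nsupdate-key, the sample secret, the host host.i.fourings.com, the zone file name and the 192.168.1.6 server address (apoc's A record above) are assumptions. The update-policy narrows the key to A/AAAA records under the zone instead of granting it the right to change anything in the zone.

```shell
#!/bin/sh
# Added example, not the write-up's own configuration. All names, the key
# name "nsupdate-key", the zone file name and the secret below are assumed.

# Constructed sample secret (base64). A real one comes from dnssec-keygen.
SAMPLE_SECRET='c2FtcGxlLXNlY3JldC1ub3QtZm9yLXJlYWwtdXNlCg=='

# Run once on an admin host. Writes Kname.+ALG+ID.key and .private; the
# .private file holds the secret and is copied to the servers over a
# trusted channel only (e.g. scp), never published in a zone.
make_tsig_key() {
    # $1 = key name. HMAC-SHA256 TSIG is available from BIND 9.4 onward.
    dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST "$1"
}

# named.conf "key" statement. Keep it in a separately permissioned include
# file (mode 0640, owned by the user named runs as) so the secret is not
# readable by everyone who can read named.conf.
tsig_key_stanza() {
    # $1 = key name, $2 = base64 secret
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Zone statement granting the key the least rights that still allow host
# record maintenance: only names under the zone, only A and AAAA records.
# (allow-update { key ...; }; would let the key rewrite NS and SOA too.)
zone_stanza() {
    # $1 = zone name, $2 = key name, $3 = zone file (relative to named's directory)
    printf 'zone "%s" {\n    type master;\n    file "%s";\n    update-policy {\n        grant %s subdomain %s. A AAAA;\n    };\n};\n' \
        "$1" "$3" "$2" "$1"
}

# nsupdate batch that replaces one host's record of the given type.
# Feed it to: nsupdate -k Kname.+NNN+NNNNN.private  (placeholder file name).
# The server applies it immediately; no SIGHUP of named is needed.
nsupdate_batch() {
    # $1 = server, $2 = zone, $3 = host name without trailing dot,
    # $4 = ttl, $5 = rrtype, $6 = rdata
    printf 'server %s\nzone %s.\nupdate delete %s. %s\nupdate add %s. %s %s %s\nsend\n' \
        "$1" "$2" "$3" "$5" "$3" "$4" "$5" "$6"
}

# Stand-alone demo: print the stanzas and a batch for the internal zone.
tsig_key_stanza nsupdate-key "$SAMPLE_SECRET"
zone_stanza i.fourings.com nsupdate-key i.fourings.com.zone
nsupdate_batch 192.168.1.6 i.fourings.com host.i.fourings.com 3600 A 192.168.1.50
```

The delete-then-add pair in the batch is what makes the update idempotent: re-running it after a failed send does not leave duplicate A records behind. Because the TSIG secret is shared, anyone holding the .private file can make exactly the changes the update-policy allows, which is why the grant is limited to A/AAAA under the zone rather than ANY.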
Zone Files/Configuration
External Zone A Records
; <<>> DiG 9.4.2-P2 <<>> fourings.com axfr +multiline @mouse
;; global options:  printcmd
fourings.com.           3600 IN SOA ns.fourings.com. ipv6.fourings.com. (
                                2008120802 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                3600       ; minimum (1 hour)
                                )
fourings.com.           3600 IN NS ns.fourings.com.
fourings.com.           3600 IN MX 10 orion.fourings.com.
fourings.com.           3600 IN A 76.182.124.207
fourings.com.           3600 IN AAAA 2001:470:8a79:1:216:3eff:fe2d:399f
apoc.fourings.com.      3600 IN AAAA 2001:470:8a79:0:216:3eff:fe53:6a97
dozier.fourings.com.    3600 IN AAAA 2001:470:8a79:0:204:23ff:fe48:6001
morpheus.fourings.com.  3600 IN AAAA 2001:470:8a79:0:211:2fff:fe20:18fa
neo.fourings.com.       3600 IN AAAA 2001:470:8a79:0:214:51ff:fe7a:4443
ns.fourings.com.        3600 IN A 76.182.124.207
ns.fourings.com.        3600 IN AAAA 2001:470:8a79:1:216:3eff:fe77:443
orion.fourings.com.     3600 IN AAAA 2001:470:8a79:1:216:3eff:fe2d:399f
orion.fourings.com.     3600 IN A 76.182.124.207
trinity.fourings.com.   3600 IN AAAA 2001:470:8a79::1
www.fourings.com.       3600 IN CNAME fourings.com.
fourings.com.           3600 IN SOA ns.fourings.com. ipv6.fourings.com. (
                                2008120802 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                3600       ; minimum (1 hour)
                                )
;; Query time: 21 msec
;; SERVER: 2001:470:8a79:1:216:3eff:fe77:443#53(2001:470:8a79:1:216:3eff:fe77:443)
;; WHEN: Sun Dec 28 21:59:15 2008
;; XFR size: 16 records (messages 1, bytes 469)
Internal Zone A Records
; <<>> DiG 9.4.2-P2 <<>> i.fourings.com axfr +multiline
;; global options:  printcmd
i.fourings.com.         3600 IN SOA apoc.i.fourings.com. ipv6.fourings.com. (
                                2008120532 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                3600       ; minimum (1 hour)
                                )
i.fourings.com.         3600 IN NS apoc.i.fourings.com.
apoc.i.fourings.com.    3600 IN A 192.168.1.6
apoc.i.fourings.com.    3600 IN AAAA 2001:470:8a79:0:216:3eff:fe53:6a97
dlink.i.fourings.com.   3600 IN A 192.168.1.2
dozier.i.fourings.com.  300 IN AAAA 2001:470:8a79:0:204:23ff:fe48:6001
morpheus.i.fourings.com. 3600 IN A 192.168.1.4
morpheus.i.fourings.com. 3600 IN AAAA 2001:470:8a79:0:211:2fff:fe20:18fa
mouse.i.fourings.com.   3600 IN A 192.168.254.3
mouse.i.fourings.com.   3600 IN AAAA 2001:470:8a79:1:216:3eff:fe77:443
netgear.i.fourings.com. 3600 IN A 192.168.1.3
orion.i.fourings.com.   3600 IN A 192.168.254.2
orion.i.fourings.com.   3600 IN AAAA 2001:470:8a79:1:216:3eff:fe2d:399f
ruffjmacg4.i.fourings.com. 300 IN AAAA 2001:470:8a79:0:214:51ff:fe7a:4443
trinity.i.fourings.com. 3600 IN A 192.168.1.1
trinity.i.fourings.com. 3600 IN AAAA 2001:470:8a79::1
i.fourings.com.         3600 IN SOA apoc.i.fourings.com. ipv6.fourings.com. (
                                2008120532 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                3600       ; minimum (1 hour)
                                )
;; Query time: 4 msec
;; SERVER: 2001:470:8a79:0:216:3eff:fe53:6a97#53(2001:470:8a79:0:216:3eff:fe53:6a97)
;; WHEN: Sun Dec 28 22:01:45 2008
;; XFR size: 17 records (messages 1, bytes 497)
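A check worth running against the two transfers above, as an added example that is not part of the original write-up: in a split-horizon setup the external zone must never publish RFC 1918 addresses or IPv6 ULA/link-local addresses, since those only belong in the internal zone. The function reads dig axfr text on stdin and prints every A/AAAA record that carries such an address. The sample records are constructed from the external zone shown above; the leak.fourings.com and lab.fourings.com lines are deliberate test leaks and do not appear on the page.

```shell
#!/bin/sh
# Added example, not the author's script. Scans dig axfr output for
# addresses that should never be published by the external server.

# Constructed sample: three records taken from the external zone above.
SAMPLE_EXTERNAL='fourings.com.           3600 IN A 76.182.124.207
ns.fourings.com.        3600 IN AAAA 2001:470:8a79:1:216:3eff:fe77:443
www.fourings.com.       3600 IN CNAME fourings.com.'

# Constructed sample with two deliberate leaks (names are made up):
# an RFC 1918 IPv4 address and an IPv6 ULA address.
SAMPLE_LEAKY="$SAMPLE_EXTERNAL
leak.fourings.com.      3600 IN A 192.168.254.3
lab.fourings.com.       3600 IN AAAA fd00:1::1"

# Reads zone records on stdin ("name ttl IN TYPE rdata", the dig axfr
# layout) and prints each A/AAAA record whose address is private:
#   IPv4: 10/8, 172.16/12, 192.168/16 (RFC 1918)
#   IPv6: fc00::/7 (ULA), fe80::/10 (link-local)
# SOA continuation lines and other types have a different field layout
# and are skipped because $4 is not A or AAAA.
private_addr_leaks() {
    awk '
    $4 == "A" && ($5 ~ /^10\./ ||
                  $5 ~ /^192\.168\./ ||
                  $5 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) { print }
    $4 == "AAAA" && (tolower($5) ~ /^f[cd][0-9a-f][0-9a-f]:/ ||
                     tolower($5) ~ /^fe[89ab][0-9a-f]:/)  { print }
    '
}

# Stand-alone demo: the clean sample prints nothing, the leaky one prints
# the two constructed records.
printf '%s\n' "$SAMPLE_EXTERNAL" | private_addr_leaks
printf '%s\n' "$SAMPLE_LEAKY" | private_addr_leaks
```

In production the input is a live transfer, e.g. dig @ns.fourings.com fourings.com axfr | private_addr_leaks, run from a host that the external server lists in allow-transfer. Since the check itself depends on AXFR being permitted, keep allow-transfer limited to those hosts so the full zone cannot be enumerated from the internet.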
