Private (only) DNS server setup?

Danny MacMillan flowers at users.sourceforge.net
Tue Oct 19 19:57:43 PDT 2004


On Tue, Oct 19, 2004 at 08:34:45AM -0600, Seth Henry wrote:
> 
> ...
> 
> I also want to create a private, internal zone so that I can stop passing
> hosts files around. (i.e. 192.168.1.1 -> internal_host1, etc) IOW - I
> would like internal machines to point to my DNS server for internal &
> external addresses. If the DNS server (on the router) can't find the
> address in its local cache, I would like the router to retrieve the record,
> and pass it along to the internal machine. In the end, I want to block all
> DNS traffic from the internal network from leaving the network - internal
> machines should only request DNS info from the router.
> 
> ...

I eschew BIND in favour of djbdns, which is in the ports.  It's quite modular,
which makes the sort of setup you're talking about quite trivial.  I'm sure
it's equally possible with BIND.  I'm just not familiar with BIND.

Anyway, the djbdns solution entails setting up two DNS "servers" on the
router, one being the authoritative server for your internal domain and
the other being the full service resolver and cache.  The DNS cache will
be configured to ask your internal DNS server about local names and your
upstream provider's cache for all other names.

Here's the djbdns home page, which contains more information than you need:

http://cr.yp.to/djbdns.html

Read the following pages linked from that site and you'll be in good shape:

o How to tell a computer to respond to an IP address
o How to run an external forwarding cache
o How to run a DNS server
o How to create local DNS names

When I set up djbdns at work, I also referenced a page that specifically
addressed setting up djbdns on a FreeBSD server.  While the information is
not strictly necessary, I did find it useful, even though I did not
follow the instructions exactly:

http://www.free-x.ch/pub/djbdns.html

As far as preventing the information being published:  When configuring
your djbdns servers, you will need to supply the IP address on which they
will listen.  Just use one of the addresses bound to the private
interface.

-- 
Danny
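Added example, not part of Danny's mail or of the djbdns documentation: a POSIX sh script that produces the two pieces of configuration the reply describes, the tinydns data file for the internal zone (built from the hosts file the poster is passing around) and the dnscache forwarding layout that sends internal names to tinydns and everything else, forward-only, to the upstream provider's caches.  It writes the files itself instead of calling tinydns-conf/dnscache-conf, so it runs anywhere; the zone name home.lan, the addresses 192.168.1.1 (dnscache), 192.168.1.2 (tinydns, an alias on the private interface), the upstream caches 203.0.113.53/54 and the sample hosts are all assumptions invented for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the djbdns configuration
# the reply describes, without running the *-conf tools.
#
# Assumptions (all invented for this example):
#   - internal zone   home.lan
#   - tinydns listens on 192.168.1.2 (an alias on the private interface)
#   - dnscache listens on 192.168.1.1 (the router's private address)
#   - upstream caches 203.0.113.53 and 203.0.113.54 (documentation range)
#   - output goes under $PREFIX (defaults to a temporary directory)

set -e

ZONE="home.lan"
TINYDNS_IP="192.168.1.2"
UPSTREAM="203.0.113.53 203.0.113.54"
CLIENT_NET="192.168.1"    # dnscache root/ip/192.168.1 admits 192.168.1.* only
# Reverse zone for the private net: 192.168.1 -> 1.168.192.in-addr.arpa
REV_ZONE="$(echo "$CLIENT_NET" | awk -F. '{print $3"."$2"."$1}').in-addr.arpa"

# hosts_to_tinydns: read hosts(5)-style "IP NAME" lines on stdin and emit
# tinydns-data records: '.' lines giving SOA/NS (and an A record for the
# name server) for the forward and reverse zones, then one '=' line per
# host, which tinydns-data turns into an A record plus its PTR.
hosts_to_tinydns() {
    printf '.%s:%s:a\n' "$ZONE" "$TINYDNS_IP"      # NS a.ns.home.lan -> tinydns
    printf '.%s:%s:a\n' "$REV_ZONE" "$TINYDNS_IP"  # same for the reverse zone
    awk -v zone="$ZONE" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        {
            name = $2
            if (name !~ /\./) name = name "." zone  # qualify bare host names
            printf "=%s:%s\n", name, $1              # A + PTR for this host
        }'
}

# write_dnscache_forwarding DIR: lay out the dnscache service directory so
# that $ZONE and its reverse zone go to tinydns, while every other name is
# forwarded (not recursed from the roots) to the upstream caches, and only
# hosts on the private network may query the cache at all.
write_dnscache_forwarding() {
    dir="$1"
    mkdir -p "$dir/root/servers" "$dir/root/ip" "$dir/env"
    echo "$TINYDNS_IP" > "$dir/root/servers/$ZONE"        # internal names
    echo "$TINYDNS_IP" > "$dir/root/servers/$REV_ZONE"    # internal PTRs
    : > "$dir/root/servers/@"                              # everything else
    for ip in $UPSTREAM; do echo "$ip" >> "$dir/root/servers/@"; done
    echo 1 > "$dir/env/FORWARDONLY"   # treat servers/@ as caches, not roots
    : > "$dir/root/ip/$CLIENT_NET"    # access list: 192.168.1.* only
}

# build_config PREFIX: write tinydns/root/data and the dnscache tree.
build_config() {
    prefix="$1"
    mkdir -p "$prefix/tinydns/root"
    # Constructed sample of the hosts file being passed around today.
    hosts_to_tinydns > "$prefix/tinydns/root/data" <<'EOF'
# internal hosts
192.168.1.1   router
192.168.1.10  internal_host1
192.168.1.11  internal_host2.home.lan
EOF
    write_dnscache_forwarding "$prefix/dnscache"
}

PREFIX="${PREFIX:-$(mktemp -d)}"
build_config "$PREFIX"
cat "$PREFIX/tinydns/root/data"
```

On the real router the service directories are created with tinydns-conf and dnscache-conf, each given its own private-interface address (the two daemons cannot share one address on port 53, hence the alias), and the data file is compiled with tinydns-data inside tinydns/root.  The reverse-zone entries are the check that is easy to forget: without servers/1.168.192.in-addr.arpa, dnscache would send PTR lookups for 192.168.1.x to the upstream caches, leaking internal host names out of the network.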

