dns-more than I ever wanted to know...

Steve Bertrand iaccounts at ibctech.ca
Fri Sep 24 08:00:04 PDT 2004


> Steve,
>
> Thanks a bunch! This is a great help. I'm not clear on the use of
> allow-transfer. Reading the manpage for named.conf(5), I'm tempted to
> leave it out. But, I'm not fully understanding the use of it. The
> manpage says,
>
> allow-transfer
>    Specifies which hosts are allowed to receive zone transfers from the
>    server.  allow-transfer may also be specified in the zone statement,
>    in which case it overrides the options allow-transfer statement. If
>    not specified, the default is to allow transfers from all hosts.
>

You most likely don't need it. If you have 2 DNS servers,
allow-transfer states which other servers are allowed to receive the
DNS changes. This is likely not the case for you, so leave it out.

> I'm taking "which hosts are allowed to receive zone transfers from the
> server" to mean hosts on my local network and the server is the DNS
> server I'm setting up now. I don't want my zone information going out
> to the internet (my isp), but I do want to let it in (of course).

I'll try to clarify. Most of my domains' DNS info is hosted on a
``master'' server. This server is responsible for telling the Internet
what IPs are for what servers. If you don't have a domain, then you
will not have this set up. Now, what happens if my master DNS server
goes down for my domain? Well, I have a backup server (secondary) that
contains the same zone files, so it as well knows about my domain. If
I make a change on the master, for instance if I need to change the IP
of my web server, I make the change on the master, and eventually that
change gets replicated to the secondary. Allow-transfer is like an
authorization for which IP addresses the master is allowed to send the
updated DNS info to.

I expect you are wanting to use a ``caching-only'' type server now. If
you have no domain to set up, then what is happening is your DNS
server downloads DNS info from the Internet. Client sends DNS request
to your server...your server looks up the DNS info from the proper
server on the Internet...DNS info is passed back to the client. Now
your DNS server has those records cached, so lookups after that of
those same domains are almost instantaneous.

You can play with BIND and set up your own domains, even if they are
not registered. Using my example of the zones, you can create a phony
one like 'internal.com'. No one on the Internet will know you are
using it.

If you want to do this, just edit named.conf as described, and create
a zone file with some names for your PCs, e.g.:

workstation IN A 10.0.0.10  ; your computer
gateway     IN A 10.0.0.1
filesrv     IN A 10.0.0.20

Note that anything after ; is a comment.

Now, once your PCs are pointing DNS at the new box, you will be able
to ping your inside network by name AND by IP.

You got it right. Unless firewalled off, BIND will listen by default
on all interfaces, but point the clients to 10.0.0.1 as the DNS
server.

Hope I was able to clarify not too badly. I'm very busy today, so I'm
rushed to reply so forgive any errors, omissions and/or bad
clarification. If you have more questions, fire away.

Steve


> I failed to mention that the machine acting as DNS inside my network
> is/will be configured as a gateway. (QUESTION: I have vr0 and vr1. Does
> it matter which interface I face toward the internet?) Perhaps this
> doesn't matter as long as the DNS server is pointing to/resolving for
> the inside (local) network interface (10.0.0.1). Let me make this more
> clear. I have the following (typical?) small office setup:
>
>           ---------
>              ISP                <--- monopolists
>           ----+----
>               |
>               |
>               |
>             (vr1)               <--- DHCP'd from ISP
>      ----------------------
>       FreeBSD 4.10 gateway
>      ----------------------
>             (vr0)               <--- 10.0.0.1
>               |                      DNS,ipfw,natd,httpd
>               |
>               |
>     {... local network ...}
>
> So, all this just to clarify allow-transfer. :) My questions go deeper
> than DNS. But, I'm trying to figure out the rest myself.
>
> Thanks,
>
> Alex
>
>
> On Sep 24, 2004, at 9:57 AM, Steve Bertrand wrote:
>
>> <snip>
>> ... and then add a record for a domain.
>>
>> zone "domain.com" {
>>         type master;
>>         file "domain.com.zone";
>>         allow-transfer { 192.168.0.3; }; // This is your secondary DNS
>>         allow-update { none; };
>> };
>>
>> <snip>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>   Alexander Sendzimir (owner)                    802 863 5502
>   MacTutor: Apple Mac OS X Consulting       info at mactutor.biz
>
>
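An added example (not code from the original thread or from Steve's reply) that ties together the two points above: locking down allow-transfer, and running the gateway as a caching resolver that also serves a private "internal.com" zone for the 10.0.0.x hosts. The script writes a named.conf and the zone file into the directory given as its argument, syntax-checks them when the BIND 9 tools are present, and audits the result. Everything in it is an assumption about Alex's setup: the LAN is 10.0.0.0/24 with the gateway at 10.0.0.1 on vr0, files live under /etc/namedb (FreeBSD's default), the root hints are in named.root beside named.conf, and the SOA serial and hostmaster name are invented.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a named.conf
# and an "internal.com" zone file for the gateway in the thread (vr0 =
# 10.0.0.1 inside, vr1 = ISP side). Assumed: the LAN is 10.0.0.0/24, the
# target directory is $1 (FreeBSD uses /etc/namedb), root hints sit in
# named.root next to named.conf, and the SOA serial/hostmaster are made up.

write_named_conf() {
    cat > "$1/named.conf" <<'EOF'
acl "lan" { 10.0.0.0/24; 127.0.0.1; };

options {
        directory "/etc/namedb";

        // Default: named listens on every interface, vr1 (the ISP side)
        // included. Bind only the inside address and loopback instead.
        listen-on { 10.0.0.1; 127.0.0.1; };

        // Default: anyone may query and recurse through this box (an
        // open resolver). Limit both to the LAN.
        allow-query     { "lan"; };
        allow-recursion { "lan"; };

        // Default: with no allow-transfer, any host may request a full
        // zone transfer (AXFR). There is no secondary, so refuse it.
        allow-transfer  { none; };
};

zone "." {
        type hint;
        file "named.root";
};

// Private zone. A per-zone allow-transfer overrides the options one, so
// state "none" here too rather than rely on the global setting.
zone "internal.com" {
        type master;
        file "internal.com.zone";
        allow-transfer { none; };
        allow-update   { none; };
};
EOF
}

write_zone() {
    cat > "$1/internal.com.zone" <<'EOF'
$TTL 86400
@   IN SOA ns1.internal.com. hostmaster.internal.com. (
            2004092401 ; serial, YYYYMMDDnn (made up)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; negative-answer TTL
    IN NS  ns1.internal.com.

ns1         IN A 10.0.0.1   ; the gateway itself
gateway     IN A 10.0.0.1
workstation IN A 10.0.0.10  ; your computer
filesrv     IN A 10.0.0.20
EOF
}

# Syntax-check with the BIND 9 tools when installed (BIND 8 ships none);
# reports "skipped" otherwise. Returns non-zero on a bad file.
check_files() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1/named.conf" || return 1
        named-checkzone internal.com "$1/internal.com.zone" || return 1
    else
        echo "named-checkconf not found, syntax check skipped"
    fi
    return 0
}

# Lockdown audit: returns 0 only if listen-on is restricted to the inside
# address, recursion is limited to the LAN, and allow-transfer is "none"
# both globally and in the zone (two occurrences).
audit_named_conf() {
    f="$1/named.conf"
    grep -q 'listen-on *{ 10\.0\.0\.1; 127\.0\.0\.1; };' "$f" || return 1
    grep -q 'allow-recursion *{ "lan"; };' "$f" || return 1
    [ "$(grep -c 'allow-transfer *{ none; };' "$f")" -eq 2 ] || return 1
    return 0
}

if [ -n "$1" ]; then
    mkdir -p "$1" && write_named_conf "$1" && write_zone "$1" \
        && check_files "$1" && audit_named_conf "$1" && echo "wrote $1"
fi
```

Run it as `sh setup-named.sh /etc/namedb` (the script name is assumed) and restart named. Because named now listens only on 10.0.0.1 and 127.0.0.1, the gateway's own /etc/resolv.conf should name 127.0.0.1 and the LAN clients 10.0.0.1. To verify the lockdown from an inside host with the BIND 9 `dig` tool: `dig @10.0.0.1 workstation.internal.com` should return 10.0.0.10, while `dig @10.0.0.1 internal.com axfr` should end in "Transfer failed."; from the ISP side the same queries get no answer at all, since nothing is bound to vr1. Bump the SOA serial every time the zone file changes, or a secondary added later will never notice the update.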



