# bind behind firewall?



## klabacita (Aug 2, 2010)

Hi my friends.

I'm learning bind9 on FreeBSD 8, running the built-in version.

This bind is running inside a jail and is working inside my private LAN. I have a static IP from my ISP and want to set up my first public site.

My first goal is to have a DNS for my site. I have been reading and googling, but I have some doubts about bind behind a firewall.

My jail host is my firewall with pf; I already have 3 jails on it:

 dns 192.168.X.A
 web 192.168.X.B
 mail 192.168.X.C

Inside my DNS, when I set up the zone for my public name (example: db.my-public-site), do I have to use my public address or my private address for each A record?


```
; DNS Servers
                IN      NS      ns1.my-public-site.
; MX Records
                IN      MX      10   my-public-site.
; Machine Names
localhost       IN      A       127.0.0.1
ns1             IN      A       Public Or Private?
mail            IN      A       Public Or Private?
web             IN      A       Public Or Private?

; Aliases
www             IN      CNAME   my-public-site.
```

That is all my doubt; I appreciate your time and lessons!!!


----------



## kpa (Aug 2, 2010)

Take a look at the view feature of bind. Basically you need to set up two views: a local view that returns local addresses for your DNS records and a default view that returns public addresses. The local view should match all clients that connect from the inside and the default view should match the rest.

http://www.csd.uwo.ca/staff/magi/doc/bind9/Bv9ARM.ch06.html#AEN3035


----------



## klabacita (Aug 2, 2010)

Good.

But now bind tells me:

> when using 'view' statements, all zones must be in views

This is an authoritative server; must I include the "." name servers inside one of the views? Must they be in the internal or the external one?

Thanks!!!


----------



## kpa (Aug 2, 2010)

You have to duplicate the standard stuff inside both views and leave the top level empty; it's clumsy but gets the job done.


----------



## klabacita (Aug 3, 2010)

I have other doubts; this field is new to me.

  Apart from the last questions, these are others I have.

  I have been reading a lot of technical docs from Google, but none of them answer these questions.

  I'm using the default bind that came with FreeBSD 8 inside a jail.

  There we have the default file named.conf, which has a lot of settings that I still don't understand; this is why I ask this, and none of the settings appear in other docs.

  I will manage my own DNS for my site, so I must set up an authoritative DNS. This means that I will administer my zone. Behind the firewall I have the DNS, Apache and mail servers, each one in a jail.

  First:

  Now let's see the settings that confuse me from the default named.conf:


```
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
```


  These settings, what do they mean? Do we need them on each authoritative or caching DNS?

  Next:


```
zone "." { type hint; file "named.root"; };
zone "." {
        type slave;
        file "slave/root.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "arpa" {
        type slave;
        file "slave/arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
zone "in-addr.arpa" {
        type slave;
        file "slave/in-addr.arpa.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
```

The root DNS servers, do we need them to appear on each authoritative or caching server?
Will this be used when my DNS needs it, when either internal or external clients request other zones?

Third:


```
// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa"          { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa"      { type master; file "master/empty.db"; };
```

What about all these zones?

Last:

 The jails don't have the loopback interface; do we still need the loopback zones?

 Sorry for my silly questions, thanks all for your time.


----------



## SirDice (Aug 3, 2010)

First: it is to make sure 255.255.255.255 doesn't resolve (it's the broadcast address).

Second: You don't need the zone "." defined. Just leave the line with the hint. You would use them if you wanted to slave (secondary) the root servers (which you don't want to do).

Third: They're to ensure private address ranges don't resolve to anything. Unless you use one of those ranges, leave them in.

Last: Yes, you still want your clients to resolve "localhost" don't you?


----------



## klabacita (Aug 3, 2010)

Hi SirDice.

  Just to see if I understand this answer:


> third: They're to ensure private address ranges don't resolve to anything. Unless you use one of those ranges leave them in.

  You mean that this blocks all the private addresses from being used as DNS in a public network like the Internet?

  Because my DNS is behind a firewall with a private address, is this the case?

  I have finally understood the other answers, thanks.


----------



## kpa (Aug 3, 2010)

The `zone "16.172.in-addr.arpa"` etc. entries are for disabling reverse DNS for private RFC1918 addresses, meaning a `% dig -x 172.16.x.y` query will return nothing. Access control is a different matter; ACLs combined with allow-query, allow-recursion etc. directives are used for that.

http://www.csd.uwo.ca/staff/magi/doc/bind9/Bv9ARM.ch07.html#Access_Control_Lists


----------



## klabacita (Aug 9, 2010)

Hi, I have my final settings; please comment on any mistake:


```
//My Internal Network
acl loc-net { 192.168.40.0/24; };

options {
        // Relative to the chroot directory, if any
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version none;
        allow-transfer { none; };
        listen-on       { 192.168.40.2; };

        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

        forward only;
};      // the options block has to be closed before the first view

view "internal" {
        match-clients { loc-net; };
        allow-recursion { loc-net; };
        allow-query { loc-net; };
        forwarders { 66.63.128.34; 66.63.128.50; };
        recursion yes;
        notify no;

        zone "." IN { type hint; file "named.root"; };
        zone "localhost"        { type master; file "master/localhost-forward.db"; };
        zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
        zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
        ...all the private zones.

        zone "my public zone" {
                type master;
                file "master/db.my-public.int.zone";
        };

        zone "40.168.192.in-addr.arpa" {
                type master;
                file "master/db.192.168.40.rev";
        };
};

view "external" {
        match-clients { any; };
        recursion no;
        notify no;

        zone "localhost"        { type master; file "master/localhost-forward.db"; };
        zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
        zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
        ...all the private zones...

        zone "mi public zone" {
                type master;
                file "master/db.mi public zone";
        };
};
```

Thanks all for your input.


----------



## kpa (Aug 9, 2010)

Do you have a local version of db.mi with local addresses somewhere? Now it looks like local clients wouldn't know the hostnames in db.mi.
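A consistency check for the two copies of the zone that the views above serve, added here as an example and not code from any post in this thread. It embeds constructed internal and external zone files (placeholder name example.net, LAN addresses from the 192.168.40.0/24 range used in the thread, and the RFC 5737 documentation address 203.0.113.10 standing in for the ISP address) and reports the three things that go wrong with split horizon: a name that exists in only one view (kpa's point), a public address handed to LAN clients, and an RFC 1918 address leaked through the external view.

```python
import ipaddress
import re

# Constructed sample zone files: example.net, 203.0.113.10 (RFC 5737 documentation range,
# standing in for the ISP address) and the 192.168.40.x jail addresses are placeholders.
INTERNAL_ZONE = """\
$TTL 3600
@       IN  SOA ns1.example.net. hostmaster.example.net. (2010081001 3600 900 604800 3600)
        IN  NS  ns1.example.net.
ns1     IN  A   192.168.40.2
web     IN  A   192.168.40.3
mail    IN  A   192.168.40.4
www     IN  CNAME web.example.net.
"""
# The external view serves the same names, but every host answers with the public address.
EXTERNAL_ZONE = """\
$TTL 3600
@       IN  SOA ns1.example.net. hostmaster.example.net. (2010081001 3600 900 604800 3600)
        IN  NS  ns1.example.net.
ns1     IN  A   203.0.113.10
web     IN  A   203.0.113.10
mail    IN  A   203.0.113.10
www     IN  CNAME web.example.net.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Owner name, optional TTL, class IN, type A, address; NS/SOA/CNAME lines do not match.
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)\s*$", re.M)

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def a_records(zone_text):
    # {owner: IPv4Address} for every A record in the zone file text
    return {name: ipaddress.ip_address(addr) for name, addr in A_RECORD.findall(zone_text)}

def split_horizon_problems(internal, external):
    # Compare the two copies name by name and describe every mismatch found.
    inside, outside = a_records(internal), a_records(external)
    problems = []
    for name in sorted(set(inside) | set(outside)):
        if name not in inside or name not in outside:
            problems.append(f"{name}: present in only one view")  # one set of clients cannot resolve it
            continue
        if not is_rfc1918(inside[name]):
            problems.append(f"{name}: internal view hands LAN clients the public address {inside[name]}")
        if is_rfc1918(outside[name]):
            problems.append(f"{name}: external view leaks the private address {outside[name]}")
    return problems
```

Run it against the real zone files before reloading named; an empty list means both views agree on the names and each view answers with the right kind of address.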


----------



## klabacita (Aug 10, 2010)

Thanks kpa.

 I forgot my internal clients; I already fixed my settings.

 2 views:

 2 internal zones for my LAN, the "forw" + "reve" zones.
 1 public zone for the rest.

 Any more mistakes let me know, thanks all for your input.


----------

