Nameserver

Cowles, Steve steve at stevecowles.com
Sun Mar 7 19:18:00 UTC 2004


Alejandro Calbazana wrote:
> Thanks!  I was able to get things set up and working so far
> as I can tell. I spent some time with the HOW TO along w/
> your docs.
> 
> I set up 2 zones.  The local zone and the zone for my
> internal network.

Did you also set up your reverse zone? i.e. in-addr.arpa zone.

> After adding the proper hosts and NS entries, everything else
> fell into place.
> 
> A few questions remain though... If I am running a nameserver locally,
> does resolv.conf become irrelevant on the machine running named?

No! The system running named still needs to resolve addresses. On the system
I run named on, I edit resolv.conf and point it to localhost.
 
> Since this machine is also my gateway to the Internet, do I
> still need to specify entries in /etc/resolv.conf for external
> names or can I point it to itself?

If your named.conf file is loading the root hints file, then your name
server will be able to resolve both locally defined zones and all external
requests without using your ISP's name server.

If you're still wanting to use your ISP's name server for address resolution
outside your name space, then look at adding the "forwarders" and "forward
only" statements to your named.conf file. See "man named.conf"

> (I know I must do this on the client end, but what about the
> server end)? Still fuzzy on this one...  Also, how do things
> work if the host entry in the zone file has a dynamic IP (not
> likely, just curious how this works out...)?

If you're running dhcpd on your LAN behind your firewall, then one option
would be to enable DDNS. You would need to enable DDNS in both dhcpd and
named. See "man dhcpd.conf" for a good example on how to enable DDNS. Search
for DYNAMIC DNS.

Another option is to configure dhcpd to hand out static IP addresses for the
MAC addresses you define. Then add these hosts to your zones files. Ex:
cut/paste from my dhcpd.conf

host enterprise {
   hardware ethernet 00:0d:a1:b2:8f:a4;
   fixed-address 192.168.9.21;
   ddns-hostname enterprise;
   ddns-rev-domainname  "21.9.168.192";
}

...and even another option (without enabling DDNS) is to have bind/named
generate a range of names in your zone files. Ex:

; Assign DHCP address range
$GENERATE 25-254  dhcp-8-$      A       192.168.8.$

; Assign Auto-Generated DHCP reverse address ranges. If you're
; using DDNS, you will need to comment these.
$GENERATE 25-254 $      PTR       dhcp-8-$.mydomain.tld.

> 
> Some security questions immediately come to mind as I type :)
> I am wondering how I can block external traffic using my
> machine as a resolver. I suppose I can control this through
> iptables, but I was wondering if named provided anything
> special for this.  No big deal...  I'll research this one
> later...

Again, read "man named.conf". In particular the "allow-query" and "recursion
on/off" statements. FWIW: I define an ACL for my LANs and then reference
them in the allow-query. Ex:

acl "trusted-nets" {
        192.168.8.0/22;
        127.0.0.1;
};

options {

        // Listen ONLY on the following interfaces
        listen-on { 127.0.0.1 ; 192.168.8.2; };

        allow-query {
                trusted-nets;
        };
};

Also, since you're running a caching-only name server, stopping inbound TCP
and UDP port 53 requests at your firewall will ensure no one will use your
system as their DNS server.

BTW: There is a great template you can use to secure bind. This is what I
started from. Checkout:

http://www.cymru.com/Documents/secure-bind-template.html

Steve Cowles
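The two $GENERATE lines in the reply each stand for one record per address in the DHCP range, and the forward (A) and reverse (PTR) ranges have to agree with each other. The following is an added example, not code from the post or from BIND: a small Python expander for the $GENERATE directive (including the ${offset,width,base} modifier form, which the post does not use) that cross-checks the expanded forward zone against the reverse zone. The zone origins mydomain.tld. and 8.168.192.in-addr.arpa. are assumed, and the zone fragments are constructed from the two lines in the reply.

```python
"""Expand BIND $GENERATE directives and cross-check forward (A) against
reverse (PTR) records.  Added example; the zone fragments below are
constructed from the two $GENERATE lines in the post, and the zone
origins (mydomain.tld. / 8.168.192.in-addr.arpa.) are assumptions."""
import re

# Constructed sample zone fragments.  The forward fragment belongs to the
# mydomain.tld zone, the reverse fragment to 8.168.192.in-addr.arpa.
FORWARD_ORIGIN = "mydomain.tld."
FORWARD_ZONE = """; Assign DHCP address range
$GENERATE 25-254  dhcp-8-$      A       192.168.8.$
"""
REVERSE_ORIGIN = "8.168.192.in-addr.arpa."
REVERSE_ZONE = """; Assign Auto-Generated DHCP reverse address ranges.
$GENERATE 25-254 $      PTR       dhcp-8-$.mydomain.tld.
"""

# A bare $, or ${offset[,width[,base]]} as documented for $GENERATE.
_ITER = re.compile(r"\$(?:\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\})?")


def substitute(template: str, n: int) -> str:
    """Replace each iterator reference in one field with n, applying the
    optional offset, zero-padded width and base.  '\\$' yields a literal $."""
    def repl(m: re.Match) -> str:
        value = n + int(m.group(1) or 0)
        width = int(m.group(2) or 0)
        base = m.group(3) or "d"
        text = format(value, base)
        return text.zfill(width) if width else text
    # Split on the escape first so an escaped dollar is never substituted.
    return "$".join(_ITER.sub(repl, part) for part in template.split("\\$"))


def expand_generate(line: str) -> list[tuple[str, str, str]]:
    """Expand '$GENERATE range lhs [ttl] [class] type rhs' into
    (owner, type, rdata) tuples.  The range is start-stop[/step]."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "$GENERATE":
        raise ValueError(f"not a $GENERATE directive: {line!r}")
    bounds, _, step = tokens[1].partition("/")
    start, stop = (int(x) for x in bounds.split("-", 1))
    lhs, rtype, rhs = tokens[2], tokens[-2].upper(), tokens[-1]
    return [(substitute(lhs, n), rtype, substitute(rhs, n))
            for n in range(start, stop + 1, int(step or 1))]


def qualify(name: str, origin: str) -> str:
    """Make a relative name absolute, as BIND does against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def zone_records(zone_text: str, origin: str) -> list[tuple[str, str, str]]:
    """Collect the records produced by every $GENERATE line in a zone
    fragment, owners qualified against the origin.  Comments and blank
    lines are skipped; ordinary one-line records are out of scope here."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("$GENERATE"):
            records += [(qualify(o, origin), t, r) for o, t, r in expand_generate(line)]
    return records


def ptr_owner_to_ip(name: str) -> str:
    """Turn '25.8.168.192.in-addr.arpa.' back into '192.168.8.25'."""
    suffix = ".in-addr.arpa."
    if not name.endswith(suffix):
        raise ValueError(f"not a reverse name: {name!r}")
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def forward_reverse_mismatches(fwd_zone: str, fwd_origin: str,
                               rev_zone: str, rev_origin: str) -> list[str]:
    """Report every PTR whose target has no A record pointing back at the
    same address, and every A record with no PTR pointing back at its name."""
    a_records = {o: r for o, t, r in zone_records(fwd_zone, fwd_origin) if t == "A"}
    # A PTR target without a trailing dot is relative to the reverse zone,
    # which is the classic mistake this check is meant to catch.
    ptr_records = {ptr_owner_to_ip(o): qualify(r, rev_origin)
                   for o, t, r in zone_records(rev_zone, rev_origin) if t == "PTR"}
    problems = []
    for ip, target in ptr_records.items():
        if a_records.get(target) != ip:
            problems.append(f"PTR {ip} -> {target} has no matching A record")
    for name, ip in a_records.items():
        if ptr_records.get(ip) != name:
            problems.append(f"A {name} -> {ip} has no matching PTR record")
    return problems


if __name__ == "__main__":
    for rec in zone_records(FORWARD_ZONE, FORWARD_ORIGIN)[:3]:
        print(*rec)
    problems = forward_reverse_mismatches(FORWARD_ZONE, FORWARD_ORIGIN,
                                         REVERSE_ZONE, REVERSE_ORIGIN)
    print("forward/reverse consistent" if not problems else "\n".join(problems))
```

Run as-is it prints the first few expanded A records and reports the two fragments as consistent. Dropping the trailing dot from `dhcp-8-$.mydomain.tld.` in the reverse line makes every PTR target relative to 8.168.192.in-addr.arpa., and the check then flags all 230 pairs, which is the kind of error that is invisible in the zone file but shows up as failed reverse lookups.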
