From: Danny MacMillan
To: Seth Henry
cc: freebsd-questions@freebsd.org
Date: Tue, 19 Oct 2004 20:55:34 -0600
Subject: Re: Private (only) DNS server setup?
Message-id: <20041020025534.GA931@procyon.nekulturny.org>
User-Agent: Mutt/1.4.2.1i

On Tue, Oct 19, 2004 at 08:34:45AM -0600, Seth Henry wrote:
>
> ...
>
> I also want to create a private, internal zone so that I can stop passing
> hosts files around. (i.e. 192.168.1.1 -> internal_host1, etc) IOW - I
> would like internal machines to point to my DNS server for internal &
> external addresses. If the DNS server (on the router) can't find the
> address in its local cache, I would like the router to retrieve the record,
> and pass it along to the internal machine. In the end, I want to block all
> DNS traffic from the internal network from leaving the network - internal
> machines should only request DNS info from the router.
>
> ...

I eschew BIND in favour of djbdns, which is in the ports. It's quite
modular, which makes the sort of setup you're talking about quite trivial.
I'm sure it's equally possible with BIND. I'm just not familiar with BIND.

Anyway, the djbdns solution entails setting up two DNS "servers" on the
router, one being the authoritative server for your internal domain and the
other being the full service resolver and cache. The DNS cache will be
configured to ask your internal DNS server about local names and your
upstream provider's cache for all other names.

Here's the djbdns home page, which contains more information than you need:

http://cr.yp.to/djbdns.html

Read the following pages linked from that site and you'll be in good shape:

o How to tell a computer to respond to an IP address
o How to run an external forwarding cache
o How to run a DNS server
o How to create local DNS names

When I set up djbdns at work, I also referenced a page that specifically
addressed setting up djbdns on a FreeBSD server. While the information is
not strictly necessary, I did find it useful, even though I did not follow
the instructions exactly:

http://www.free-x.ch/pub/djbdns.html

As far as preventing the information from being published: when configuring
your djbdns servers, you will need to supply the IP address on which they
will listen. Just use one of the addresses bound to the private interface.

-- 
Danny
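As an added example (not part of Danny's post, and not code shipped with djbdns), a POSIX sh sketch of the two pieces the reply describes: turning the hosts file Seth wants to stop passing around into tinydns records, and laying out the dnscache `root/servers` directory so the cache forwards the private zone to the internal tinydns and everything else to the upstream provider. The zone name, addresses and paths are assumptions, marked in the comments.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes: private zone
# "example.lan" (placeholder), dnscache listening on the router's private
# address 192.168.1.1, tinydns on an alias 192.168.1.2 of the same
# interface, upstream caches 203.0.113.53/54 (constructed addresses).

# Turn hosts(5) lines into tinydns-data records: "=name:ip" yields the A
# record plus its PTR, "+alias:ip" yields an extra A record only.
hosts_to_tinydns() {
    zone="$1"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
    awk -v zone="$zone" '{
        printf "=%s.%s:%s\n", $2, zone, $1
        for (i = 3; i <= NF; i++) printf "+%s.%s:%s\n", $i, zone, $1
    }'
}

# Build the dnscache service-directory pieces that split the lookups:
# root/servers/<zone> and the reverse zone point at the internal tinydns,
# root/servers/@ lists the upstream caches, and FORWARDONLY makes dnscache
# send them recursive queries instead of walking down from the root servers.
write_dnscache_servers() {
    root="$1"; zone="$2"; cache_ip="$3"; tinydns_ip="$4"; shift 4
    mkdir -p "$root/root/servers" "$root/root/ip" "$root/env"
    echo "$tinydns_ip" > "$root/root/servers/$zone"
    echo "$tinydns_ip" > "$root/root/servers/1.168.192.in-addr.arpa"
    : > "$root/root/servers/@"
    for up in "$@"; do echo "$up" >> "$root/root/servers/@"; done
    echo 1 > "$root/env/FORWARDONLY"
    # Listen only on the private address and answer only the private /24,
    # so nothing on the public interface can query the internal names.
    echo "$cache_ip" > "$root/env/IP"
    : > "$root/root/ip/192.168.1"
}

demo() {
    d=$(mktemp -d)
    # constructed hosts-file input; the output is what goes in tinydns/root/data
    printf '192.168.1.10 internal_host1 # fileserver\n192.168.1.11 internal_host2 files\n' |
        hosts_to_tinydns example.lan > "$d/data"
    write_dnscache_servers "$d/dnscache" example.lan 192.168.1.1 192.168.1.2 \
        203.0.113.53 203.0.113.54
    cat "$d/data"; cat "$d/dnscache/root/servers/@"
    rm -rf "$d"
}
demo
```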