Old 10th March 2013
J65nko
Administrator

RE: split-horizon DNS

If you do not host the name server for your web server on your local LAN, you do not have to do a split-horizon DNS at all.

You can use the simple configuration described in
BIND 9 : Caching and forward-only named.conf as a starting point. You only have to add something like:

Code:
zone "de.filo" in {
    type master ;
    file "master/de.filo" ;
};
This will tell the caching and forwarding nameserver to forward all queries, except those for the "de.filo" domain.
These "de.filo" queries should be answered as an authoritative nameserver using the "de.filo" zone file in the /var/named/master/ directory.

The "de.filo" example zone file can be found at Authoritative only BIND nameserver for local domain

I just tested this and the configuration file looks like this:
Code:
// Caching and forward only configuration

// Access Control List

acl clients {
    127.0.0.1 ; 192.168.222.0/24 ;
};

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ;
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ;
    empty-zones-enable yes ;
} ;

zone "de.filo" in {
    type master ;
    file "master/de.filo" ;
};

# After editing this file please use 'named-checkconf' to validate!
IMHO using DNS is the best solution to solve this issue.

In case you would like to give it a shot, first get this exact configuration working on your OBSD firewall and then adjust the name and contents of this zone file to match your internal web server data.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
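As an added example (not the zone file the post links to), here is what a minimal master zone for "de.filo" could look like in /var/named/master/de.filo on the firewall; the host names, the 192.168.222.1 and 192.168.222.20 addresses and the serial number are assumed values to be replaced with your own.

```zone
$TTL 1h
$ORIGIN de.filo.
; Start of authority: primary name server and responsible mailbox (hostmaster@de.filo)
@       IN  SOA  ns1.de.filo. hostmaster.de.filo. (
                 2013031001 ; serial, YYYYMMDDnn convention (assumed value)
                 1h         ; refresh
                 15m        ; retry
                 1w         ; expire
                 1h )       ; negative-caching TTL for NXDOMAIN answers
        IN  NS   ns1.de.filo.

; The OpenBSD firewall running named (assumed address)
ns1     IN  A    192.168.222.1

; The web server's internal LAN address; this record only exists on the
; internal resolver, so the private address never appears in public DNS
www     IN  A    192.168.222.20
```

Because allow-query is limited to the "clients" ACL and this zone is loaded only on the internal resolver, LAN clients get the private address for www.de.filo while the public zone, served elsewhere, stays untouched. Validate before reloading with `named-checkconf` for named.conf and `named-checkzone de.filo /var/named/master/de.filo` for the zone file.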