Name service behind a firewall/NAT router

Ben Scott dragonhawk at gmail.com
Sun Jan 7 12:02:24 EST 2007


On 1/5/07, Bill Freeman <f at ke1g.mv.com> wrote:
> I thought that maybe someone here has already dealt with this scenario, and
> I could be lazy.

  Bill McGonigle already posted his config stuff.  If you want mine,
take a look at

http://wiki.gnhlug.org/twiki2/bin/view/Www/PresentDNS

There's a full set of configuration files there, complete with
documentation and comments.  Plus a MagicPoint slideshow, if you need
help sleeping.

> While I have some throw away domains available, what I'd really like is to
> have single word (no "."s) hostnames resolved to IP addresses on the LAN ...

  You can do this with the "search" directive in your "resolv.conf".
Say your inside domain is "freeman.local", and you have DNS records
for "alpha.freeman.local" and "beta.freeman.local".  As long as you
have "search freeman.local" in your configuration, the resolver will
do what you want even if you just type "beta".

  On 'doze, this is done by setting the "default domain" in the
control panel for a network connectoid icon, or by adding to the list
of domains for the "Advanced" settings of same.

  I imagine OS X has at least one of these methods, too.

> and everything else resolved by the ISP's nameserver.

  You can configure forwarders in the "named.conf" file, which will
cause any queries named does not have an answer for to be forwarded to
the specified nameservers.  Specify your ISP nameservers, and that
will do what you ask.

  This can be tricky if your ISP likes to change their nameserver IP
addresses around on you.

  Another option is to just add the root hint zone to named.conf.
That will cause your local named to be able to resolve *all* names, by
contacting the root name servers directly, and doing an iterative
query.

  You can get the best of both worlds by specifying both forwarders
*and* a hint zone.  That will cause named to try the forwarders first;
if that fails, it will fall back to doing the iterative query itself.

> I fool myself that I understand DNS enough to know that the local nameserver
> is willing to get stuff from the outside nameserver as necessary.

  Pretty much, actually.  All you have to do is feed it a hint zone
(also called a "cache zone").  A hint zone is just a copy of the
nameserver records for the root zone.  It gives named enough
information to find the root nameservers, and from there, it can find
out about everything else.

  Most distributions package a copy of a root hints zone file.  It
will typically be named something like "named.ca", "root.hints",
"named.cache", etc.  On Red Hat/Fedora, you need to install the
"caching-nameserver" package to get the file.

> One gotcha is that it would be nice if the local machines would use or at
> least fall back to the ISP's nameserver ...

  Pretty much every OS lets you specify multiple nameservers to use as
full-service resolvers ("DNS servers").  You could specify your local
nameserver first, followed by your ISP nameservers.

  However, there is a gotcha.  Most systems implement this as a list
of possible nameservers.  They use one, and if that one goes down,
switch to the other.  They do *not* implement it as "Ask this guy
first, then this guy, then this guy".

  The practical upshot is, if your local nameserver glitches for even
a second or so, all your clients will switch to your ISP nameservers,
and no longer be able to resolve any local names, until you reset
them.

  There's no good way around this (AFAIK), short of running multiple
local nameservers.

> In addition to setting up a nameserver, it seems that I probably have to
> fiddle the DHCP server on the router to tell the local machines about my
> nameserver.

  Yes.  This is usually trivial -- you just punch in the IP address
into a web GUI.

> Is there a way to fail-over DHCP servers?

  Yes.  But not easily.  Something has to notice the DHCP server is
unavailable, and start the other one.

  I've heard it is possible to run two DHCP servers for the same
subnet on the same LAN, so long as the dynamic pools do not overlap,
and nothing gets upset about there being multiple possible DHCP
servers.  I've never tried this; it may not work.

-- Ben
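As an added example (not Ben's configuration or the one on the wiki), here is a BIND 9 named.conf that puts together the pieces above: a forwarders list with the root hint zone as fallback, the inside zone, and queries and recursion limited to the LAN. The inside domain "freeman.local", the 192.168.1.0/24 LAN, the nameserver address 192.168.1.2, the ISP resolver addresses (203.0.113.x documentation addresses) and the file paths are all assumptions.

```conf
// named.conf for a LAN nameserver behind a NAT router.
// Added example; the addresses, zone name and file paths are assumed
// values, not anything from the original thread.

options {
    directory "/var/named";          // zone and hints files live here

    // Hand names we are not authoritative for to the ISP's resolvers
    // first (assumed addresses) ...
    forwarders {
        203.0.113.53;
        203.0.113.54;
    };
    // ... and, if they do not answer, iterate from the root hints
    // ourselves.  "forward only" would remove that fallback, so an ISP
    // resolver outage would take outside resolution down with it.
    forward first;

    // Listen only on loopback and the LAN interface (assumed 192.168.1.2),
    // and answer / recurse only for LAN clients.  A recursive resolver
    // that answers anyone is a standing invitation for abuse, so keep the
    // ACLs tight even though the NAT router should already block outside
    // traffic.
    listen-on { 127.0.0.1; 192.168.1.2; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};

// Root hint zone ("cache zone"): a copy of the root NS records, enough
// for named to find the root servers and everything below them.
// Distributions ship this as named.ca, root.hints, named.cache, etc.
zone "." IN {
    type hint;
    file "named.ca";
};

// Authoritative data for the inside names (alpha.freeman.local, etc.).
// The zone file itself is assumed to exist at /var/named/freeman.local.zone.
zone "freeman.local" IN {
    type master;
    file "freeman.local.zone";
    allow-transfer { none; };        // nobody needs a copy of the LAN zone
};
```

Clients then get this server from DHCP and, for the single-word names, a resolv.conf with `nameserver 192.168.1.2` and `search freeman.local`.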
