Zimbra :: Forums
07-16-2008, 05:33 PM
Configuring Split-DNS
Hi, to give you a little background on my Zimbra installation: I got the 60-day trial in March of this year and was never able to get it working at all. Even though I never got it working, my company decided to purchase Zimbra within that 60-day trial. I accidentally got it working after about 2 months of playing with it, which I have to say now was pure luck. 2 weeks ago my IT Director wanted to change the public IP of the server, which sounded easy at the time. It stopped working after changing the public IP. I sought help here, posting lines and lines of code, and wasn't able to receive an answer; support will not help me because they don't support BIND, which is what I assume I am having trouble with. Which all brings me to today...
I'm finding the documentation not very straightforward; for instance the wiki article "Making BIND and Zimbra Work" is somewhat helpful, but after step one it no longer applies to my installation, I think. I end up with what I think is called BIND-Chroot(?). I've never really used Linux until now, so I'm not familiar with much, though I can manage to find my way around the GUI. With the BIND that I get after typing yum install bind-devel, none of the files are where the wiki says they are. Additionally there is no "localhost" zone in the sample named.conf file. It seems to me that it calls on the zonesrfc.1912 file for its zones, which then looks up the particular files (i.e. mydomain.com.zone) which are located in /etc/named/.
Is there a straightforward guide to either obtaining the version of BIND that is widely used and referred to in the documentation, or one geared towards BIND-Chroot? (I've even tried the Ubuntu wiki that's been posted a few times here.) Also, is there a more straightforward split-DNS guide?
I don't understand the named.conf file at all; it doesn't have any of the things that are mentioned on the forums or documentation. It looks like it's a different file. Can someone post a complete named.conf file that I can copy (if that will even work)? My named.conf file is located somewhere like /usr/share/docs/bind-9.3.4/sample/named.conf and I just copy that to /etc/ and/or to /var/named/chroot/var/named/etc.
Any help at all to get this thing working would help.
Last edited by ddowney; 07-21-2008 at 12:12 PM..
07-16-2008, 11:41 PM
Zimbra Consultant & Moderator
It's fairly straightforward to set-up a Split DNS with Zimbra. The intent of using a split dns is to be able to resolve the IP of your server when it's located behind a NAT router on a private subnet. Is that the case with your server? The article you should follow is this one: Split DNS - Zimbra :: Wiki or the DNS In A Nutshell (second post in that thread).
The difference between the articles is that Split DNS will set-up a DNS server on your zimbra machine and the 'Nutshell' will set-up a DNS server on any of the machines in your LAN.
Run the following commands on your zimbra server (and post the output here):
Code:
host `hostname` <- use that exact command, don't change anything and use backticks not single quotes
dig yourdomain.com mx
dig yourdomain.com any
cat /etc/hosts
cat /etc/resolv.conf
__________________
Regards
Bill
07-17-2008, 08:04 AM
Yes that is the case with my server. It is on a private network behind NAT.
Code:
[root@mailhost ~]# host `hostname`
mailhost.fasttax.local has address 192.168.20.16
Code:
[root@mailhost ~]# dig fasttaxmail.com mx
; <<>> DiG 9.3.4-P1 <<>> fasttaxmail.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;fasttaxmail.com. IN MX
;; ANSWER SECTION:
fasttaxmail.com. 7200 IN MX 10 mail.fasttaxmail.com.
;; AUTHORITY SECTION:
fasttaxmail.com. 110129 IN NS ns72.worldnic.com.
fasttaxmail.com. 110129 IN NS ns71.worldnic.com.
;; ADDITIONAL SECTION:
mail.fasttaxmail.com. 7200 IN A 206.41.47.67
ns71.worldnic.com. 79072 IN A 205.178.190.36
;; Query time: 52 msec
;; SERVER: 192.168.20.10#53(192.168.20.10)
;; WHEN: Thu Jul 17 07:55:24 2008
;; MSG SIZE rcvd: 133
Code:
[root@mailhost ~]# dig fasttaxmail.com any
; <<>> DiG 9.3.4-P1 <<>> fasttaxmail.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31408
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;fasttaxmail.com. IN ANY
;; ANSWER SECTION:
fasttaxmail.com. 7200 IN A 206.41.47.67
fasttaxmail.com. 7200 IN SOA NS71.WORLDNIC.com. namehost.WORLDNIC.com. 0 10800 3600 604800 3600
fasttaxmail.com. 7200 IN MX 10 mail.fasttaxmail.com.
fasttaxmail.com. 7200 IN NS ns72.WORLDNIC.com.
fasttaxmail.com. 7200 IN NS NS71.WORLDNIC.com.
;; AUTHORITY SECTION:
fasttaxmail.com. 7200 IN NS ns72.WORLDNIC.com.
fasttaxmail.com. 7200 IN NS NS71.WORLDNIC.com.
;; ADDITIONAL SECTION:
mail.fasttaxmail.com. 7113 IN A 206.41.47.67
NS71.WORLDNIC.com. 78985 IN A 205.178.190.36
;; Query time: 22 msec
;; SERVER: 192.168.20.10#53(192.168.20.10)
;; WHEN: Thu Jul 17 07:56:52 2008
;; MSG SIZE rcvd: 222
Code:
[root@mailhost ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.20.16 mailhost.fasttax.local mailhost
Code:
[root@mailhost ~]# cat /etc/resolv.conf
search fasttax.local
nameserver 192.168.20.10
thanks.
07-17-2008, 08:31 AM
Zimbra Consultant & Moderator
Well, the obvious problem with your DNS is that it's pointing to your external (public) IP rather than your internal LAN IP. Look at the A record, you've got this:
Code:
mail.fasttaxmail.com. 7200 IN A 206.41.47.67
and it should read
Code:
mail.fasttaxmail.com. 7200 IN A 192.168.20.16
as it's shown in your /etc/hosts file. As far as I can see, that's the only problem in your DNS. Fix that, restart BIND and you should be OK.
[EDIT]
I spoke too soon, there's also an error in your hosts file. You have the domain & FQDN of your server listed as:
Code:
192.168.20.16 mailhost.fasttax.local mailhost
when your DNS records point to fasttax.com, so your hosts file entry for the server should read
Code:
192.168.20.16 mailhost.fasttax.com mailhost
__________________
Regards
Bill
Last edited by phoenix; 07-17-2008 at 08:35 AM..
07-17-2008, 08:37 AM
Great! Thanks. I figured that it should have been pointing to my private IP but I wasn't exactly sure. I'll try it out now. Thanks again.
07-17-2008, 04:39 PM
OK, this may be a dumb question, but how do I get it to resolve to itself?
I've configured a zone in the zonesrfc.1912.zone for fasttaxmail.com.zone which has the A record pointing to 192.168.20.16, but it's still resolving to the external IP.
If I go into the Network settings and remove our Windows DNS server and replace it with the Zimbra server, I get a message that says something like it can't find a DNS server. If I leave my Windows DNS server in there it resolves to 206.41.47.67 rather than 192.168.20.16.
Also, can my hostname be different than the domain name? For example, can my physical server be named mailserver.fasttax.local (private network) but use the public mail.fasttaxmail.com without changing the hostname, since I'm using NAT? Or does my hostname have to be the same as my public domain?
07-18-2008, 01:52 PM
I wiped my machine again for probably the 20th time and reinstalled. I'm working on BIND currently. Can someone tell me what to make of this named.conf file and where or what I should edit, if anything? It's unlike the one in the Split DNS wiki. I don't have a clue what a view is, and the zones seem to be different from a Windows DNS zone; am I wrong about that?
Code:
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
match-destinations { localhost; };
recursion yes;
# all views must contain the root hints zone:
include "/etc/named.root.hints";
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
include "/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
// all views must contain the root hints zone:
include "/etc/named.root.hints";
// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
zone "my.internal.zone" {
type master;
file "my.internal.zone.db";
};
zone "my.slave.internal.zone" {
type slave;
file "slaves/my.slave.internal.zone.db";
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
// put slave zones in the slaves/ directory so named can update them
};
zone "my.ddns.internal.zone" {
type master;
allow-update { key ddns_key; };
file "slaves/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
};
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
match-clients { any; };
match-destinations { any; };
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
// all views must contain the root hints zone:
include "/etc/named.root.hints";
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
zone "my.external.zone" {
type master;
file "my.external.zone.db";
};
};
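How the Red Hat sample above maps onto this thread's setup, as an added example that is not from the thread or the Zimbra wiki: the one zone clause to add inside the "internal" view (and again inside "localhost_resolver", because views are matched first-match and the Zimbra host queries itself over 127.0.0.1), plus the matching zone file. The file paths, the forwarder to the Windows DNS server at 192.168.20.10, the hostmaster address and the extra "mailhost" record are assumptions; the IPs and names come from the dig and hosts output posted earlier.

```conf
// ---- named.conf: add inside view "internal" { ... } and again inside
// ---- view "localhost_resolver" { ... } (first matching view wins, and the
// ---- Zimbra server itself resolves via 127.0.0.1). Example, not from the thread.
    // Anything we are not authoritative for goes to the existing Windows
    // DNS server (assumed: 192.168.20.10, taken from the posted resolv.conf).
    forwarders { 192.168.20.10; };

    zone "fasttaxmail.com" {
        type master;
        file "fasttaxmail.com.db";   // relative to the options "directory"
        allow-update { none; };      // static zone: no dynamic updates
        allow-transfer { none; };    // nobody on the LAN needs a zone transfer
    };

// ---- /var/named/fasttaxmail.com.db (under bind-chroot the same file lives at
// ---- /var/named/chroot/var/named/fasttaxmail.com.db): the LAN view of the zone.
// ---- The registrar's public zone keeps 206.41.47.67; this file carries the
// ---- private address and must never be included in the "external" view.
$TTL 86400
@         IN  SOA  mail.fasttaxmail.com. hostmaster.fasttaxmail.com. (
                   2008072001 ; serial (YYYYMMDDnn): bump on every edit
                   3600       ; refresh
                   900        ; retry
                   604800     ; expire
                   86400 )    ; negative-cache TTL
          IN  NS   mail.fasttaxmail.com.
          IN  MX   10 mail.fasttaxmail.com.
mail      IN  A    192.168.20.16   ; LAN address, not the public 206.41.47.67
mailhost  IN  A    192.168.20.16   ; assumed: only if the box keeps its "mailhost" name
```

After restarting named and pointing /etc/resolv.conf at 127.0.0.1, the checks Bill asked for (host `hostname` and dig fasttaxmail.com mx) should show 192.168.20.16 for mail.fasttaxmail.com, while the same dig run from outside the LAN still returns 206.41.47.67.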
07-20-2008, 09:17 AM
anyone?