ZCS installation(private IP) with DNS(public IP) on same system

[tiger2000]

Dear all,

I did an installation for customer this week, and the network environment is as follows:

ZCS is put in DMZ , and use 192.168.10.100 IP
Firewall will bind a public IP, e.g. 60.100.20.100 for ZCS.

We also install a DNS server in ZCS to host the 60.100.20 public zone and provide DNS server for outside connection.
(by the way, DNS doesn't define the internal 192.168.10 zone)

However, after we'd done all the setting, we found ZCS can not receive incoming mails, all mails are queue and the error is something like :

connect to zcs.domain.com[60.100.20.100] connection time out
(something like that)


At last, I made change to DNS server to create the 192.168.10 zone and remove the 60.100.20 zone solved the issue. however, I still have no idea why it has such error, and you know, there's no DNS server for this public zone right now.

any advice? Thanks.

[phoenix]

Quote:

Originally Posted by tiger2000

At last, I made change to DNS server to create the 192.168.10 zone and remove the 60.100.20 zone solved the issue. however, I still have no idea why it has such error, and you know, there's no DNS server for this public zone right now.

any advice? Thanks.

Split DNS - Zimbra :: Wiki

[chain]

the same problem as my, we don't speak about split dns config
we speak about situation where dns server and ZCS server are on the same machine with private IP
so as all external dns requests are forwarded to this machine we need to configure dns-zone with public IP. But in this case ZCS unable to receive mail.
From other side if we create a zone with private IP - ZCS will able to receive mail, but all internet world will can to see our local structure plus all dns checkers will tell about error in DNS configuration.
any another advice? Thanks)

[Bill Brock]

I believe you will need a DNS server that the outside world will hit resolving to your public IP and an internal DNS server for Zimbra to use that resolves to your internal private IP.

[chain]

not any external servers needed)
Лust ыtop shaving and washing, get some beer, and your red eyes in mirror will help you to resolve any problem)

in real:
we can resolve the problem with "views"

Let's get tiger2000 and split-dns wiki example.
We have internal IP 192.168.10.100 and external 60.100.20.100 and need to show private address for local hosts and public for all other internet world.
Now I change split-dns wiki example for tiger2000 zone:

Code:

// Default named.conf generated by install of bind-9.2.4-2
options {
       directory "/var/named";
       dump-file "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
forwarders { 
 ; };
};
include "/etc/rndc.key";

// For now we configure access list for local queries
acl "internal" {
	192.168.10.10/24;
	127.0.0.1;
};
// For now we configure zone for local dns calls and allow recursive queries and zone transfers to any local host
view "internal" {
	match-clients { internal; };
	recursion yes;
            zone "zcs.domain.com" {
            type master;
            file "db.zcs.domain.com.int";
            allow-transfer { any; };
            };
};
// For now we configure zone for external dns calls and disable recursive queries and zone transfers to any host
view "external" {
	match-clients { any; };
	recursion no;
	zone "zcs.domain.com" {
	    type master;
	    file "db.zcs.domain.com.ext";
	    allow-transfer { none; };
	    };
};

as you can see we used one zone file (db.zcs.domain.com.int) for local queries, in it we use private server IP's

Code:

;
;       Addresses and other host information.
;
@       IN      SOA     zcs.domain.com. hostmaster.zcs.domain.com. (
                               10118      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum
;       Define the nameservers and the mail servers
               IN      NS      192.168.10.100
               IN      A       192.168.10.100
               IN      MX      10 zcs.domain.com.

and another zone file (db.zcs.domain.com.ext) for external servers, in it, as you understand, we use public server IP's.

Code:

;
;       Addresses and other host information.
;
@       IN      SOA     zcs.domain.com. hostmaster.zcs.domain.com. (
                               10118      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum
;       Define the nameservers and the mail servers
               IN      NS      60.100.20.100
               IN      A       60.100.20.100
               IN      MX      10 zcs.domain.com.

That works, that secure and only one DNS server. For sure in db.zcs.domain.com.int you can use any another internal servers and don't show them for all other world.

P.S. sorry for my english, if something is not clear for you, I'll try to explain

P.P.S. if that post helped you, you can wish me "happy new year!"

[phoenix]

You must point your DNS records to the internal IP address of your Zimbra server.

[chain]

yes and i did it in my example
ZCS get my internal IP from DNS, to internet I show my external IP. Check my previous message once again, there are two zones in it, internal and external, ZCS workes like a charm