I'm working for an office in primary education and I'm setting up a local server with Ubuntu Server 20.04 for both internal and external use. All schools and offices belong to the national network '.sch.gr'. The network has assigned to our office the domain dipe****.sch.gr and our external IP is 81.186.21.**. Everything from outside works OK. The internal IP of the server is 10.145.252.10. I want computers from the LAN, when they type dipe****.sch.gr, to resolve it to the internal IP 10.145.252.10. Is this possible? I installed BIND for this but I can't find the correct configuration. Can someone help?
1 Answer
Yes, this is possible. ISC BIND has a special feature called "views". See, for example, here and here.
Basically you do the following.
You need two zone files, one for "external" clients and another for "internal" ones. I assume you already have it configured for "external" clients. Let's say the config is like this:

```
zone "dipe****.sch.gr" IN {
    type master;
    file "pri/dipe****.sch.gr.zone";
};
```
You change that into:

```
view "internal" {
    match-clients { 10.0.0.0/8; };
    zone "dipe****.sch.gr" IN {
        type master;
        file "pri/dipe****.sch.gr.zone_int";
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "dipe****.sch.gr" IN {
        type master;
        file "pri/dipe****.sch.gr.zone";
    };
};
```
Note that your current zone configuration was migrated into the external view. Also note that the order of views is important: the internal view must appear before the external one, because the external view definition has a wildcard catch-all in match-clients.

Then, DNS queries from 10.x.x.x will be answered from the file `dipe****.sch.gr.zone_int`; this is where you configure your private addresses. All queries from clients that don't match 10.x.x.x will be answered from `dipe****.sch.gr.zone`, which is for public addresses.

If your internal clients also exist in other networks (192.168.x.x, 172.16.x.x), add them to the match-clients of the internal view. You can also configure an acl and put that into match-clients instead of specifying them in the view directly.
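To make the view-ordering rule from the answer concrete, here is an added example (not part of the original answer or of BIND itself) that models how BIND picks a view: views are tried in configuration order, and within a match-clients list the first element covering the client decides. It also checks a zone file for RFC 1918 addresses, which belong only in the internal file. The zone names and the 203.0.113.10 public address are constructed placeholders.

```python
import ipaddress

# Constructed example: the two views from the answer, in the order given there.
# Each view is (name, match-clients list); "any" is BIND's catch-all element.
VIEWS = [
    ("internal", ["10.0.0.0/8"]),
    ("external", ["any"]),
]
# RFC 1918 ranges: addresses from these must not be served by the public view.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def acl_matches(acl, client):
    """First element covering the client decides, as in BIND: a plain element
    means match, a '!'-negated one means no match; no covering element -> no match."""
    for entry in acl:
        negate = entry.startswith("!")
        net = entry.lstrip("!").strip()
        covers = net == "any" or (
            net != "none" and client in ipaddress.ip_network(net, strict=False))
        if covers:
            return not negate
    return False


def select_view(views, client_ip):
    """Return the first view whose match-clients covers the client, or None.
    Configuration order matters: the catch-all view must come after 'internal'."""
    client = ipaddress.ip_address(client_ip)
    for name, acl in views:
        if acl_matches(acl, client):
            return name
    return None


def private_records(zone_records):
    """List (owner, address) for A records carrying RFC 1918 addresses; run it
    over the public zone file, where the result should be empty."""
    return [(owner, rdata) for owner, rtype, rdata in zone_records
            if rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in PRIVATE)]


# Constructed zone data following the thread; 203.0.113.10 is a placeholder public IP.
INTERNAL_ZONE = [("dipe****.sch.gr.", "A", "10.145.252.10")]
PUBLIC_ZONE = [("dipe****.sch.gr.", "A", "203.0.113.10")]

if __name__ == "__main__":
    for ip in ("10.145.252.77", "192.168.1.20", "203.0.113.5"):
        print(ip, "->", select_view(VIEWS, ip))
    # Reversed order: the catch-all swallows every client, LAN included.
    print("reversed:", select_view(list(reversed(VIEWS)), "10.145.252.77"))
    print("private addresses in public zone:", private_records(PUBLIC_ZONE))
```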
- Thanks for the response. Please clarify something for me. What's the relationship between the server's hostname, the nameserver's name and the domain name? My server's hostname is 'dipe-linuxserver'. Is this the name I have to use in the SOA, or should I use the FQDN? Is it better practice to change the server's hostname from 'dipe-linuxserver' to 'ns1.dipe****.sch.gr'? – sak69GR Jan 11 '21 at 19:18
- In general, "hostname"."domainname" = "fqdn", for example, "server"."example.com" = "server.example.com". The system name and domain name of the machine where the DNS service is running (I believe that is what you called "nameserver's name") is completely irrelevant and absolutely doesn't matter; there is no relation. The "google.com" domain can well be served from a "blah.local" machine, even behind NAT. ISC BIND is exceptionally ignorant about how all of this stuff is configured on its host; it would work well even if DNS resolving isn't properly set up at all in the operating system! – Nikita Kipriyanov Jan 11 '21 at 19:42
- `dipe****.sch.gr. IN NS server1.dipe****.sch.gr.` and `server1.dipe****.sch.gr. IN A 10.145.252.10` This is the configuration for `dipe****.sch.gr.zone`. What should be the configuration for `dipe****.sch.gr.zone_int`? – sak69GR Jan 12 '21 at 21:49
- Are these link records in the parent zone (sch.gr)? Are you sure you need different views? If they use views too, then there must be another set of records for the "external" view, because that record with address 10.145.252.10 certainly isn't applicable to general internet users; that's not a publicly routable address but a private one defined in RFC 1918, and therefore it should not appear in the public view. – Nikita Kipriyanov Jan 13 '21 at 05:53
- OK, you are right. Let me change the question. How can I set up BIND for use only with the internal network 10.145.252.**? Should I disable port 53 to prevent connecting with outside DNS servers? Can I configure BIND on 10.145.252.10 to work only with LAN users, given that outside users are served by the "sch.gr" DNS servers? – sak69GR Jan 13 '21 at 08:05
- Of course, you can specify the addresses where it must listen; by default it has `options { listen-on { any; }; };` (see also `listen-on-v6`). Manual with examples: https://bind9.readthedocs.io/en/latest/reference.html#interfaces – Nikita Kipriyanov Jan 13 '21 at 09:44
- Last question, I promise. Let's say I configure Bind9 correctly. How will I make local workstations (Windows) use the local DNS server at 10.145.252.10 instead of the "sch.gr" DNS servers? – sak69GR Jan 14 '21 at 19:19