Koozali.org: home of the SME Server

Public DNS

Peter Gandert

Public DNS
« on: April 05, 2001, 11:38:02 PM »
Hello

I am new to e-smith and like the features very much.
The installation went in about 30 minutes.
The base configuration also took only about 30 minutes.
Compared to WinNT and Exchange it is a dream.

But adding special features is nearly impossible and requires a lot of research into the structure of e-smith.

Now I have studied the template system and especially the DNS configuration.

As a result I have created a template and the actions which configure my complete domains in a public zone file and conf file (fantastic, call me god :) )

My goal is to run a public DNS because I have a provider who serves my DNS as "hidden primary". That means: I do the configuration of my zone file on my DNS and the zone is mirrored to the dns1 and dns2 of my provider. This is a very sophisticated solution because of the cost-free flexibility in creating sub-domains.

Problems solved:
- Automatic generation of named-extern.conf by template
- Automatic generation of zone-extern.primarydomain by template
- I know where to set the restart and conf actions.
- The conf action is working very well.
- The restart action doesn't work.

- A service "named-extern" is defined in the configuration file.

Problems:
The second named instance is not starting: how can I start it?
The restart action doesn't work.
Where is the place where the named process is started chrooted?

I know I am a small step away from the target, but it doesn't work until now. I spent about 3-4 days of research to understand the philosophy and technology of the e-smith architecture. But the documentation covers only a small part of the surface of this whole, very good system.

I need advice on how to set up a second instance of named.

Thank you for your help
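The hidden-primary setup Peter describes, as an added example that is not from the thread and not e-smith's own code: a POSIX shell script that writes a minimal named.conf for the public instance and refuses to start it while its listen address overlaps the internal instance's, which is the usual reason a second named dies at start-up (port 53 is already bound, on all interfaces unless the first instance has a listen-on). The chroot path /home/dns-extern, the user dns, the zone example.com and the 192.0.2.x addresses are placeholders (RFC 5737 documentation space), not values from the thread. Note that with -t the -c path is resolved inside the chroot, so the config has to live under the chroot directory.

```shell
#!/bin/sh
# Added example, not e-smith code: start a second, public-facing named as a
# hidden primary beside the internal resolver.
# Assumptions (placeholders, adjust to your system):
#   EXTERN_ROOT   chroot directory for the public instance
#   NAMED_USER    unprivileged user named drops to
#   PUBLIC_IP     the box's public address (RFC 5737 documentation address)
#   192.0.2.53/54 the provider's secondaries (also placeholders)
EXTERN_ROOT=${EXTERN_ROOT:-/home/dns-extern}
NAMED_USER=${NAMED_USER:-dns}
PUBLIC_IP=${PUBLIC_IP:-192.0.2.10}
ZONE=${ZONE:-example.com}

# Write the public instance's named.conf. The security-relevant lines:
#   listen-on       only the public address: no clash with the internal named
#                   on port 53, and it never answers on the LAN side
#   recursion no    authoritative only, so the box is not an open resolver
#   allow-transfer  only the provider's secondaries may AXFR the zone
#   also-notify     the hidden primary tells the secondaries when it changes
write_extern_conf() {   # $1 = output file
    cat > "$1" <<EOF
options {
    directory "/";
    listen-on { $PUBLIC_IP; };
    recursion no;
    allow-transfer { 192.0.2.53; 192.0.2.54; };
    also-notify { 192.0.2.53; 192.0.2.54; };
    notify yes;
};

zone "$ZONE" {
    type master;
    file "zone-extern.$ZONE";
    allow-query { any; };
};
EOF
}

# Print the addresses in a named.conf's listen-on list, one per line.
# Empty output means there is no listen-on, which BIND treats as "all".
listen_addrs() {   # $1 = named.conf
    sed -n 's/.*listen-on[[:space:]]*{\([^}]*\)}.*/\1/p' "$1" \
        | tr ';' '\n' | tr -d ' \t' | grep -v '^$' || true
}

# Succeed (return 0) when the two configs would fight over port 53:
# a shared address, or either of them listening on every interface.
listen_conflict() {   # $1 = internal named.conf, $2 = public named.conf
    a=$(listen_addrs "$1")
    b=$(listen_addrs "$2")
    [ -z "$a" ] && return 0
    [ -z "$b" ] && return 0
    for x in $a; do
        [ "$x" = "any" ] && return 0
        for y in $b; do
            [ "$y" = "any" ] && return 0
            [ "$x" = "$y" ] && return 0
        done
    done
    return 1
}

# Launch the public instance chrooted and unprivileged. With -t, the -c path
# is looked up inside the chroot, so the config is written under $EXTERN_ROOT.
start_extern() {   # $1 = internal named.conf
    conf=$EXTERN_ROOT/etc/named-extern.conf
    mkdir -p "$EXTERN_ROOT/etc"
    write_extern_conf "$conf"
    if listen_conflict "$1" "$conf"; then
        echo "refusing to start: listen-on overlaps the internal named" >&2
        return 1
    fi
    named -u "$NAMED_USER" -t "$EXTERN_ROOT" -c /etc/named-extern.conf
}

# Only act when invoked as "start"; sourcing the file just defines functions.
if [ "${1:-}" = "start" ]; then
    start_extern /etc/named.conf
fi
```

The internal instance needs a matching listen-on for the LAN address, otherwise it binds port 53 on every interface and the public instance can never come up. Keeping recursion off on the public instance matters as much as the firewall: an authoritative server that also recurses for the world is an open resolver.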

Gary Williams

Re: Public DNS
« Reply #1 on: April 07, 2001, 10:33:09 AM »
Peter,

I am also relatively new at e-smith. I had e-smith 3.x serving a public dns file beautifully... alas, the hackers exploited the vulnerability of named and trashed the system. I scrapped it and started with e-smith 4.1.1 (I think??) about two weeks ago. I have it serving my domain DNS inside (like before, I cheated and pasted the text of my old named files into the various templates called "template-begin"). I can't get it to publish this to outside like the old e-smith allowed me to. I just haven't had time to look into the firewall side of things... I suspect it ignores requests from the outside world on port 53, only allowing DNS queries from my inside range of IP addresses.

I have figured that if I can allow queries from port 53 to be answered to outside (and just maybe logged this time!), then my DNS will work as it did before. Sounds like I am in a similar boat to you... I have registered my authoritative server's IP address as answering for that domain, but it is ignoring all requests on port 53. I hadn't thought of running a second named, and don't know why you would want to. I was looking to the packet-filtering side of things to allow port 53 to work with my internal named... after all, this configuration is chrooted into a jail, and uses a non-root user, so it should be more secure than before. Just in case I am naive, I have a script doing an md5sum every ten minutes, and reporting differences (at the moment I have it shutting down if it finds a difference, just in case my previous visitors still have some inside info on me that makes it easier to break in a second time)!!


Gary Williams
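An integrity check of the kind Gary describes, as an added example (not Gary's script and not part of e-smith): a POSIX shell script that records md5sums of a tree, then reports files whose content changed, files that disappeared, and files that appeared since the baseline. The baseline path and cron line are assumptions. Two caveats a practitioner would add: the baseline must live where the DNS user (and ideally anyone but root) cannot write it, or an intruder simply regenerates it, and an intruder with root can defeat any on-box check, so a copy kept off the box is the only trustworthy reference.

```shell
#!/bin/sh
# Added example, not from the thread: a host-based integrity check in the
# spirit of Gary's "md5sum every ten minutes" script, covering the files a
# chrooted named and its start-up depend on.
# Assumptions (hypothetical): the baseline file lives where the DNS user
# cannot write, and cron calls check_integrity with the same paths used to
# build it. Paths containing spaces are not handled.

# Record "md5sum  path" for every regular file under the given paths, sorted
# so two runs over an unchanged tree give byte-identical manifests.
build_baseline() {   # $1 = baseline file, $2.. = directories or files to cover
    out=$1; shift
    find "$@" -type f | sort | while IFS= read -r f; do md5sum "$f"; done > "$out"
}

# Compare the tree against the baseline. Prints one line per changed or
# missing file (via md5sum -c) and one per file that was not in the baseline
# (which md5sum -c cannot see, hence the second pass over the path lists).
# Returns 0 when clean, 1 when anything differs.
check_integrity() {   # $1 = baseline file, $2.. = same paths as for the baseline
    base=$1; shift
    cur=$(mktemp)
    find "$@" -type f | sort | while IFS= read -r f; do md5sum "$f"; done > "$cur"
    changed=$(md5sum -c --quiet "$base" 2>/dev/null | sed 's/^/changed or missing: /')
    awk '{print $2}' "$base" | sort > "$cur.base"
    awk '{print $2}' "$cur"  | sort > "$cur.now"
    added=$(comm -13 "$cur.base" "$cur.now" | sed 's/^/new file: /')
    rm -f "$cur" "$cur.base" "$cur.now"
    if [ -z "$changed" ] && [ -z "$added" ]; then
        return 0
    fi
    printf '%s\n' "$changed" "$added" | grep -v '^$'
    return 1
}

# Example cron line (assumption: script installed as /usr/local/sbin/dns-integrity.sh):
#   */10 * * * * root /usr/local/sbin/dns-integrity.sh check /var/lib/dns-baseline /home/dns /etc/rc.d
case "${1:-}" in
    build) shift; build_baseline "$@" ;;
    check) shift; check_integrity "$@" ;;
esac
```

Shutting the machine down on a mismatch, as Gary does, turns every false positive, including a legitimate package update, into an outage; the usual choice is to alert and preserve the changed files for comparison rather than to halt.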

Peter Gandert

Re: Public DNS
« Reply #2 on: April 07, 2001, 01:49:21 PM »
Hello Gary

The point is, if you use your internal DNS, that the private-net IP addresses will be known to the outside (the internet).
The correct way is to run a public DNS which uses the public IP addresses given by the provider.
So you can make public only the subdomains you want to be public. Your intranet should never be publicly reachable, but your homepage should.

My problem is only how to create a second instance of named in e-smith. The parameter files for named are all ready, but the second instance will not come up, and there is no documentation anywhere on how to do this. I have invested some days in research all over the internet; this seems to be a very unknown area.
But I don't want to buy a second computer only for running a DNS.

About what you have written about port 53: I have seen that this port must be uncommented in the named.conf file to let named listen on this port.
Do you know where in e-smith the firewall configuration is located?
Do you know how to allow communication on port 53?

Peter

Fran Boon

Re: Public DNS
« Reply #3 on: April 07, 2001, 03:47:23 PM »
>Where is the place, where the named-process is started chrooted.

/etc/inittab

F

Gary Williams

Re: Public DNS
« Reply #4 on: April 07, 2001, 05:52:21 PM »
Fran appears to be wrong about where this is chrooted, according to my system, anyway.

I'm interested in where the firewall packet filtering is scripted in e-smith, and also where DNS is chrooted.

Peter, I've never mentioned any internal IP addresses in my DNS, that way no one outside has any idea about this. These are simply in local hosts files. If you do it that way, it's simple, and if that's the only reason for running a second named, I'd think about going simple! Although, I may be oversimplifying things myself, excuse the pun.


Gary Williams

Charlie Brady

Re: Public DNS
« Reply #5 on: April 07, 2001, 09:53:29 PM »
Gary Williams wrote:
 
> Fran appears to be wrong about where this is chrooted,
> according to my system, anyway.

No, he is correct, for version 4.1.x.

Charlie

Fran Boon

Re: Public DNS
« Reply #6 on: April 07, 2001, 11:33:32 PM »
> Fran appears to be wrong about where this is chrooted,
> according to my system, anyway.

This is the configuration file that starts named (as requested & specifically responded to) for 4.x

Under 4.1.x it is chroot'd
Under 4.0 it wasn't

What version are you running, Gary?

Cheers,
F

Fran Boon

Re: Public DNS
« Reply #7 on: April 07, 2001, 11:36:43 PM »
>where DNS is chrooted

/home/dns

That's the specific answer to the different question that *you* are asking...(again, for v4.1.x)

>where the firewall packet filtering is scripted

/etc/rc.d/init.d/masq

This is another specific answer.

I hope that you find these helpful...

Fran.

Gary Williams

Re: Public DNS
« Reply #8 on: April 14, 2001, 12:18:22 PM »
Fran,


the last thing you wrote here was most helpful. /etc/rc.d/init.d/masq is what I was looking for. It sets up the IP firewall packet filtering for the different ports.... I just wasn't looking for the name masq, that's all.

Thanks a lot... all I have to do now is open/forward the right UDP and TCP ports to get DNS working okay, *eventually*.


Gary
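The "right UDP and TCP ports" Gary is about to open, as an added example (not the masq script and not Gary's rules): a shell function that admits DNS only to the address the public instance listens on, and logs and drops anything else aimed at port 53 from outside the LAN. The rules are written for iptables as an assumption; the 4.1.x masq script may well use ipchains, whose syntax differs, so treat this as the policy to express, not text to paste in. PUBLIC_IP (an RFC 5737 placeholder) and LAN_IF are assumptions too.

```shell
#!/bin/sh
# Added example, not e-smith code: the packet-filter rules a public
# authoritative named needs, and no more.
# Assumptions (hypothetical): iptables is the filter in use, PUBLIC_IP is the
# address the public named listens on (RFC 5737 documentation address) and
# LAN_IF is the inside interface. Set IPT=echo to print the rules instead of
# loading them.
PUBLIC_IP=${PUBLIC_IP:-192.0.2.10}
LAN_IF=${LAN_IF:-eth0}
IPT=${IPT:-iptables}

open_public_dns() {
    # Queries arrive on UDP 53; TCP 53 is needed for truncated answers and for
    # the provider's AXFR. Accept both, but only when addressed to the public
    # instance, so the internal resolver on the LAN address stays closed.
    $IPT -A INPUT -d "$PUBLIC_IP" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -d "$PUBLIC_IP" -p tcp --dport 53 -j ACCEPT
    # Everything else aimed at port 53 from outside the LAN is logged (rate
    # limited, so a flood cannot fill the disk) and dropped: this is the
    # "and just maybe logged this time" part.
    for proto in udp tcp; do
        $IPT -A INPUT ! -i "$LAN_IF" -p "$proto" --dport 53 \
            -m limit --limit 10/minute -j LOG --log-prefix "dns-probe: "
        $IPT -A INPUT ! -i "$LAN_IF" -p "$proto" --dport 53 -j DROP
    done
}

# Only load rules when invoked as "apply"; sourcing just defines the function.
if [ "${1:-}" = "apply" ]; then
    open_public_dns
fi
```

Opening port 53 is only safe if the instance behind it does not recurse; the firewall cannot tell a zone query from a recursive lookup, so the recursion setting in named.conf and the rule set have to be checked together.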
