mail server DNS configuration questions
Andrew Falanga
af300wsm at gmail.com
Thu Sep 11 00:19:25 UTC 2008
George Davidovich wrote:
> On Sat, Sep 06, 2008 at 07:28:28PM -0600, Andrew Falanga wrote:
>
>> Well, my clients at church are still having issues and after working with
>> George, a respondent to my original questions, I think that most, if not all,
>> of my problems are related to DNS and how we've got it improperly configured.
>>
>> First, a crude drawing of how our mail server exists in the world:
>>
>> 192.168.2.x/24 72.24.23.252 "lots of networks"
>> Private Network <--> CableOne <--> Internet
>>
>> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at
>> whose house the mail server is) has IP forwarding setup so that mail gets
>> sent to our FreeBSD machine. Using dig, here's the responses:
>>
>> (from my FBSD machine at home, not the server)
>> [/usr/home/andy] -> dig +short -t MX whitneybaptist.org
>> 10 mail.whitneybaptist.org.
>> [/usr/home/andy] -> dig +short -t A whitneybaptist.org
>> 72.24.34.252
>> [/usr/home/andy] -> dig +short -x 72.24.34.252
>> 34-252.72-24-cpe.cableone.net.
>>
>> (from the church FBSD machine)
>> [/home/afalanga] -> hostname
>> whitbap
>> [/home/afalanga] -> ifconfig fxp0
>> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>> options=8<VLAN_MTU>
>> inet 192.168.2.23 netmask 0xffffff00 broadcast 255.255.255.255
>> ether 00:d0:b7:74:87:48
>> media: Ethernet autoselect (100baseTX <full-duplex>)
>> status: active
>> [/home/afalanga] -> cat /etc/resolv.conf
>> search McCutchanLAN
>> nameserver 192.168.2.1
>>
>> It doesn't take a rocket scientist, or a computer scientist, to figure out
>> we've got DNS issues. I'm thinking that I should setup a domain within the
>> 192.168.2.0/24 network on this box. I've done this before, at work. The
>> question I've got is I've never actually integrated a domain like this to a
>> domain on the Internet. I'm thinking that we'll setup something like:
>> internal.whitneybaptist.org with hosts in that sub-domain.
>>
>> So, what would my DNS tables need to look like to make this happen. Also, to
>> any knowledgeable souls here, what RFCs address these issues?
>>
>
> Hello again, Andy.
>
> What you're asking is actually a FAQ, but I'll spell things out anyway.
> The following excerpt from RFC 1918 is most relevant:
>
> If an enterprise uses the private address space, or a mix of
> private and public address spaces, then DNS clients outside of
> the enterprise should not see addresses in the private address
> space used by the enterprise, since these addresses would be
> ambiguous. One way to ensure this is to run two authority
> servers for each DNS zone containing both publically and
> privately addressed hosts. One server would be visible from the
> public address space and would contain only the subset of the
> enterprise's addresses which were reachable using public
> addresses. The other server would be reachable only from the
> private network and would contain the full set of data,
> including the private addresses and whatever public addresses
> are reachable the private network. In order to ensure
> consistency, both servers should be configured from the same
> data of which the publically visible zone only contains a
> filtered version. There is certain degree of additional
> complexity associated with providing these capabilities.
>
> That's a roundabout way of saying you can't "mix and match" private
> non-routable addresses with public addresses in the same namespace.
>
> Note the "authoritative" part. Until CableOne delegates your assigned
> netblock to your organisation, your public DNS server will not be
> authoritative (it currently isn't!) for 72.24.34.252. You can reference
> RFC 2317 (classless in-addr.arpa delegation) for how that works. As to
> why you must be authoritative, I've already pointed out off-list how Bad
> Things can happen when you're not, especially in regards to email where
> reverse lookups are integral to How Things Work.
>
I could be wrong, but I think they've done something like this. I
administered DNS on an OpenBSD machine (2 of them actually) back in
2000-2001. Since then, I've done nothing with DNS administration. I'm
wondering what I need to get from CableOne to get this done. Here's the
result of a dig, on that mail server, for the IP address 72.24.34.252:
[/home/afalanga] -> dig -x 72.24.34.252
; <<>> DiG 9.3.3 <<>> -x 72.24.34.252
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19747
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;252.34.24.72.in-addr.arpa. IN PTR
;; ANSWER SECTION:
252.34.24.72.in-addr.arpa. 86333 IN PTR 34-252.72-24-cpe.cableone.net.
;; AUTHORITY SECTION:
24.72.in-addr.arpa. 75566 IN NS NS1.cableone.net.
24.72.in-addr.arpa. 75566 IN NS NS2.cableone.net.
;; ADDITIONAL SECTION:
NS1.cableone.net. 3507 IN A 24.116.0.201
NS2.cableone.net. 69544 IN A 24.116.0.202
;; Query time: 16 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Wed Sep 10 19:53:27 2008
;; MSG SIZE rcvd: 154
Notice that the answer section points to 34-252.72-24-cpe.cableone.net.
I don't remember the exact syntax but the delegation that our ISP did
for this, according to RFC 2317 (thanks by the way), looked very similar
to that. I wonder what it is they're doing.
> As for other RFCs, I'd suggest instead starting with a careful reading
> of the Bind ARM at http://www.isc.org/sw/bind/, followed by a once-over
> of the Bind FAQ, and possibly the FreeBSD-supplied configuration files.
> To save you some time, the following abbreviated context-specific
> examples should explain things more clearly and get you started:
>
> Example 1: Two domains and two separate (sets of) name servers:
>
> On the ns.whitneybaptist.org machine:
>
> zone "whitneybaptist.org" {
> type master;
> file "master/whitneybaptist.org";
> };
> zone "252.34.24.72.in-addr.arpa" {
> type master;
> file "master/db.72.24.34.252";
> };
>
> On the ns.internal.whitneybaptist.org machine:
>
> zone "internal.whitneybaptist.org" {
> type master;
> file "master/internal.whitneybaptist.org";
> };
> zone "1.168.192.in-addr.arpa" {
> type master;
> file "master/db.192.168.1";
> };
>
> # slave whitneybaptist.org zones here
>
> The contents of /etc/resolv.conf for internal hosts:
>
> domain internal.whitneybaptist.org
> nameserver 192.168.1.X
>
>
> Example 2: One domain and a single (set of) name server(s) employing
> Bind's "view" feature:
>
> acl "lan_hosts" { 192.168.1/24; 192.168.2/24; };
>
> key "external" {
> algorithm hmac-md5;
> secret "XXXXXXX==";
> };
>
> view "internal" {
> match-clients { !key external; lan_hosts; };
> allow-recursion { lan_hosts; };
>
> zone "whitneybaptist.org" {
> type master;
> file "master/whitneybaptist.org.internal";
> };
> zone "1.168.192.in-addr.arpa" {
> type master;
> file "master/db.192.168.1";
> };
> };
>
> view "external" {
> match-clients { key external; any; };
> recursion no;
>
> zone "whitneybaptist.org" {
> type master;
> file "master/whitneybaptist.org.external";
> };
> zone "252.34.24.72.in-addr.arpa" {
> type master;
> file "master/db.72.24.34.252";
> };
> };
>
> The contents of /etc/resolv.conf for internal hosts:
>
> domain whitneybaptist.org
> nameserver 72.24.34.252
>
> # Note: if 'nameserver' is NAT-ed, you'd use its
> # internal address instead
>
> You'll have to decide for yourself which approach works best for you.
>
> - If you opt for 2 domains, you'll need to reconfigure all your
> internal hosts, and then add more machines to serve up DNS for those
> hosts.
>
> - If you opt for one domain and use Bind's view feature, you can leave
> your internal hosts alone (assuming they're already part of the
> whitneybaptist.org domain) and skip the requirement for additional
> machines, but your DNS configuration will be a little more complex.
>
>
Thanks. I think I'm finally starting to wrap my mind around this and
I'm on the right track.
Andy
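The RFC 1918 excerpt quoted above recommends that the public and private copies of a zone be generated from the same data, with the public copy a filtered version. The script below is an added example of that filtering step (not code from the thread or from George's reply): it takes a single internal master file and derives the file the "external" view would serve, dropping RFC 1918 addresses and substituting the NAT address for hosts that are reachable from outside. The internal hosts, the 192.168.2.x addresses, the SPF record, the printer, and the assumption that 72.24.34.252 forwards to the mail server are all constructed for illustration; only the whitneybaptist.org names and 72.24.34.252 come from the thread.

```python
"""Split-horizon zone generation along the lines of RFC 1918: keep one
internal master file and derive the public (external view) copy from it.
Added example, not code from the thread."""
from ipaddress import ip_address, ip_network

# RFC 1918 space; nothing in here may appear in the externally served zone.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed internal zone (single-line records only). Names under
# whitneybaptist.org and 72.24.34.252 come from the thread; the internal
# hosts, 192.168.2.x addresses, SPF record and printer are assumptions.
INTERNAL_ZONE = """\
$TTL 86400
@       IN SOA   ns.whitneybaptist.org. hostmaster.whitneybaptist.org. 2008091101 3600 900 604800 86400
@       IN NS    ns
@       IN MX    10 mail
@       IN A     72.24.34.252
ns      IN A     72.24.34.252
mail    IN A     192.168.2.23   ; the FreeBSD mail server, NATed by the router
        IN TXT   "v=spf1 a mx -all"
whitbap IN A     192.168.2.23
router  IN A     192.168.2.1
www     IN CNAME mail
printer IN A     192.168.2.40
print   IN CNAME printer
"""

# Hosts reachable from outside at a public (NAT) address.
# Assumption: the router forwards 72.24.34.252 to the mail server.
NAT_OVERRIDES = {"mail": "72.24.34.252"}


def is_rfc1918(addr):
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_record(line, prev_owner):
    """Split one single-line master-file record into (owner, type, rdata tokens).
    A line starting with whitespace inherits the previous owner; TTL and class
    are optional and skipped."""
    tokens = line.split()
    owner = prev_owner if line[0].isspace() else tokens.pop(0)
    if tokens and tokens[0].isdigit():
        tokens.pop(0)            # explicit TTL
    if tokens and tokens[0].upper() == "IN":
        tokens.pop(0)            # class
    rtype = tokens.pop(0).upper()
    return owner, rtype, tokens


def filter_zone(internal_zone, nat_overrides):
    """Derive the external zone text from the internal one.

    RFC 1918 A/AAAA records are dropped unless the owner is in nat_overrides,
    in which case the public address is published instead. Every emitted
    record carries an explicit owner, so dropping a line cannot silently
    re-parent the blank-owner records that followed it. Returns (zone text,
    warnings) where warnings lists in-zone CNAME/MX/NS targets left without
    any address in the public copy (dangling references)."""
    out, has_address, refs = [], set(), []
    prev_owner = "@"
    for raw in internal_zone.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip comments (naive: no ';' in TXT)
        if not line.strip():
            continue
        if line.startswith("$"):                    # $TTL / $ORIGIN pass through
            out.append(line)
            continue
        owner, rtype, rdata = parse_record(line, prev_owner)
        prev_owner = owner
        if rtype in ("A", "AAAA"):
            if is_rfc1918(rdata[-1]):
                if owner not in nat_overrides:
                    continue                        # private address: never published
                rdata = [nat_overrides[owner]]      # publish the NAT address instead
            has_address.add(owner)
        elif rtype in ("CNAME", "NS", "MX"):
            refs.append((rtype, owner, rdata[-1]))
        out.append(f"{owner:<8}IN {rtype:<6}{' '.join(rdata)}")
    warnings = []
    for rtype, owner, target in refs:
        if "." not in target and target not in has_address:   # relative, in-zone name
            warnings.append(f"{rtype} at {owner} points to {target}, which has no public address")
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    external, warns = filter_zone(INTERNAL_ZONE, NAT_OVERRIDES)
    print(external)
    for w in warns:
        print("WARNING:", w)
```

Run it and the printed zone is what belongs in master/whitneybaptist.org.external from Example 2; the internal file stays the full data. The warning about the printer CNAME is the kind of thing that otherwise only shows up as SERVFAIL or NXDOMAIN from outside.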
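George's point about reverse lookups being integral to mail, and about the reverse zone still being authoritative at CableOne until an RFC 2317 delegation is done, can be turned into a check. The script below is an added example (not from the thread) of what a receiving MTA effectively verifies: MX to A to PTR and back, plus a walk up the in-addr.arpa tree to see who actually serves the reverse zone. It runs offline against a constructed record table built from the dig output in this thread; the A record for the cableone.net PTR name, the A record for mail.whitneybaptist.org, and the whole "after delegation" table (sub-zone name, delegation to ns.whitneybaptist.org) are assumptions.

```python
"""Mail-server DNS sanity check: FCrDNS and reverse-zone authority.
Added example; the record tables are constructed, not live DNS data."""
from ipaddress import ip_address

# Constructed from the dig output in the thread. Assumptions: the A record
# of the cableone.net PTR name and of mail.whitneybaptist.org.
AS_POSTED = {
    ("whitneybaptist.org.", "MX"): ["10 mail.whitneybaptist.org."],
    ("mail.whitneybaptist.org.", "A"): ["72.24.34.252"],
    ("252.34.24.72.in-addr.arpa.", "PTR"): ["34-252.72-24-cpe.cableone.net."],
    ("34-252.72-24-cpe.cableone.net.", "A"): ["72.24.34.252"],
    ("24.72.in-addr.arpa.", "NS"): ["NS1.cableone.net.", "NS2.cableone.net."],
}

# Hypothetical state after an RFC 2317 classless delegation: the ISP CNAMEs
# the single PTR name into a sub-zone and delegates that sub-zone to the
# organisation. Sub-zone name and name server are assumptions.
AFTER_DELEGATION = dict(AS_POSTED)
AFTER_DELEGATION.update({
    ("252.34.24.72.in-addr.arpa.", "PTR"): [],
    ("252.34.24.72.in-addr.arpa.", "CNAME"): ["252.248-255.34.24.72.in-addr.arpa."],
    ("248-255.34.24.72.in-addr.arpa.", "NS"): ["ns.whitneybaptist.org."],
    ("252.248-255.34.24.72.in-addr.arpa.", "PTR"): ["mail.whitneybaptist.org."],
})


def table_resolver(records):
    """Build a resolve(name, rtype) callable from a record dict, standing in
    for real queries so the check runs offline."""
    def resolve(name, rtype):
        return list(records.get((name.lower(), rtype.upper()), []))
    return resolve


def lookup(name, rtype, resolve):
    """Resolve name/rtype, following a single CNAME the way a resolver would."""
    answers = resolve(name, rtype)
    if not answers:
        cname = resolve(name, "CNAME")
        if cname:
            return lookup(cname[0], rtype, resolve)
    return answers


def reverse_zone_authority(ip, resolve):
    """Walk up from the PTR name until a zone with NS records is found.
    An RFC 2317 CNAME is followed first, so a classless delegation is
    attributed to the delegated sub-zone rather than the ISP's parent zone."""
    name = ip_address(ip).reverse_pointer + "."
    cname = resolve(name, "CNAME")
    if cname:
        name = cname[0]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        ns = resolve(zone, "NS")
        if ns:
            return zone, ns
    return None, []


def check_mail_dns(domain, resolve):
    """MX -> A -> PTR -> A consistency, plus who serves the reverse zone."""
    mx = lookup(domain, "MX", resolve)
    mx_host = mx[0].split()[1].lower() if mx else None
    addrs = lookup(mx_host, "A", resolve) if mx_host else []
    result = {"mx_host": mx_host, "addresses": addrs}
    if not addrs:
        result["error"] = "MX host has no address record"
        return result
    ip = addrs[0]
    ptr = lookup(ip_address(ip).reverse_pointer + ".", "PTR", resolve)
    ptr_name = ptr[0].lower() if ptr else None
    result["ptr"] = ptr_name
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    result["fcrdns"] = bool(ptr_name) and ip in lookup(ptr_name, "A", resolve)
    # Stricter: the reverse name should be the MX host itself, not the ISP's
    # generic customer-premises name, or many receivers will score it as spam.
    result["ptr_matches_mx"] = ptr_name == mx_host
    zone, ns = reverse_zone_authority(ip, resolve)
    result["reverse_zone"] = zone
    result["reverse_delegated_to_domain"] = any(n.lower().endswith("." + domain) for n in ns)
    return result


if __name__ == "__main__":
    for label, table in (("as posted", AS_POSTED), ("after delegation", AFTER_DELEGATION)):
        print(label, check_mail_dns("whitneybaptist.org.", table_resolver(table)))
```

With the records as posted, FCrDNS passes (the ISP name resolves back to 72.24.34.252) but the PTR does not match the MX host and the reverse zone is served by NS1/NS2.cableone.net; with the delegation in place, both checks pass. Swapping table_resolver for a real resolver function is the only change needed to run it against live DNS.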