HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

BIND views : running ISPc in a port forwarded environment (http://www.howtoforge.com/forums/showthread.php?t=1638)

benbalbo 12th December 2005 02:00

BIND views : running ISPc in a port forwarded environment
 
I had a look to see if this is covered, but can't find anything.

One of my ISPConfig installs is running on a server on a DSL line in a DMZ. All incoming requests on publicIP are directed to privateIP.

This works fine when browsing to a site from outside the office, but internally, we need to connect to privateIP instead of publicIP - the router doesn't support loop-back.

What I'd like to do is configure BIND to use views in order to serve privateIPs for internal requests.

Given the relative complexity of this, I think I'll have to do this manually (or even run a separate internal DNS on a different box) but thought I might suggest this as a feature for future versions of ISPConfig.

It would require a mapping system so ISPConfig is aware that 202.202.202.202 forwards to 192.168.0.200 (for example) so internal requests can receive the 192.x.x.x address. Mapping should only be done if running in a DMZ setup such as this.

falko 12th December 2005 10:21

This isn't covered by ISPconfig yet, but you can change the named.conf manually (there's a section in it where you can make manual changes that won't be overwritten by ISPConfig).

benbalbo 13th December 2005 00:06

Quote:

Originally Posted by falko
This isn't covered by ISPconfig yet, but you can change the named.conf manually (there's a section in it where you can make manual changes that won't be overwritten by ISPConfig).

True - but this would have to be updated manually for every domain added through ISPConfig.

I like the fact that you said "yet" though :-)

tekin 9th February 2006 01:19

I agree, this would be a most useful feature, I have a similar setup and don't want to be manually editing named.conf every time I add a new website.

Is this feature likely to be added soon?

todvard 13th February 2006 11:06

Here is a small workaround for how I could get "views" working in BIND. I am not a PHP programmer, so I decided to use bash scripts to achieve my purpose. Here is a mini howto in 7 steps for Debian (3.1) Sarge:

1. Stop ISPConfig and bind
Code:

/etc/init.d/ispconfig_server stop
/etc/init.d/bind9 stop

2. We will split /etc/bind/named.conf into 3 parts: /etc/bind/named.conf, /etc/bind/named.conf.inside, /etc/bind/named.conf.outside

named.conf should look like this:
Code:

options {
        pid-file "/var/run/bind/run/named.pid";
        directory "/etc/bind";
        auth-nxdomain no;
        /*
        * If there is a firewall between you and nameservers you want
        * to talk to, you might need to uncomment the query-source
        * directive below.  Previous versions of BIND always asked
        * questions using port 53, but BIND 8.1 uses an unprivileged
        * port by default.
        */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//

// My script is generating a huge amount of notes in your log file.
// If you want it to be forwarded to a separate log file uncomment
// the following lines. Don't forget to create the /var/log/named folder,
// or /var/lib/named/var/log/named if you are using bind in a chroot
// environment.
//logging {
//        channel "default_log_channel" {
//                file "/var/log/named/bind.log" versions 8 size 2m;
//                print-category  yes;
//                print-time      yes;
//        };
//        category "default" {
//                "default_log_channel";
//        };
//        category lame-servers { null; };
//};

acl loopback    { 127/8; };
acl rfc1918     { 10/8; 172.16/12; 192.168/16; };

// Views are tried in order and the first match-clients hit wins, so the
// "inside" view must stay above the catch-all "outside" view.
view "inside" {
        match-clients { loopback; rfc1918; };
        recursion yes;          // internal clients may use this server as a resolver
        notify no;

        zone "." {
                type hint;
                file "db.root";
        };

        zone "0.0.127.in-addr.arpa" {
                type master;
                file "db.local";
        };

        include "/etc/bind/named.conf.inside";
};

view "outside" {
        match-clients { any; };
        recursion no;           // authoritative only towards the Internet, not an open resolver
        allow-query { any; };

        include "/etc/bind/named.conf.outside";
};

named.conf.inside will be generated automatically by ISPConfig; named.conf.outside will be generated by our script.
Read the commented part in the named.conf file if you want to forward log events to a different file.


3. We have to change the way ISPConfig generates named.conf. Create a backup first:
Code:

cp /root/ispconfig/isp/conf/named.conf.master /root/ispconfig/isp/conf/named.conf.master.orig
Modify /root/ispconfig/isp/conf/named.conf.master to look like this:
Code:

<!-- BEGIN DYNAMIC BLOCK: named_reverse -->
zone "{ZONE}.in-addr.arpa" {
        type master;
        file "pri.{ZONE}.in-addr.arpa";
};
<!-- END DYNAMIC BLOCK: named_reverse -->

<!-- BEGIN DYNAMIC BLOCK: named -->
zone "{DOMAIN}" {
        type master;
        file "pri.{DOMAIN}";
};
<!-- END DYNAMIC BLOCK: named -->

<!-- BEGIN DYNAMIC BLOCK: named_slave -->
zone "{DOMAIN}" {
        type slave;
        file "sec.{DOMAIN}";
        masters { {MASTERS}; };
};
<!-- END DYNAMIC BLOCK: named_slave -->

//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////

4. Create a bash script /usr/local/sbin/convert2extDNS.sh
Code:

#! /bin/sh

exit 0

# Safety catch: the "exit 0" above keeps the script from doing anything until
# the !!!...!!! placeholders below have been replaced. Comment it out then.

WORKDIR=/etc/bind

# Keep the previous outside config as a backup (there is none on the first run)
[ -f "$WORKDIR/named.conf.outside" ] && mv "$WORKDIR/named.conf.outside" "$WORKDIR/named.conf.outside~"

# This is a dirty hack to find zone files leading with pri. and not ending with ~
for name in `cd $WORKDIR; ls | grep -e '^pri.' | grep -v "~" | cut -c5-`
do
echo $name
# Back up the previously converted copy, if there is one
[ -f "$WORKDIR/out.pri.$name" ] && cp "$WORKDIR/out.pri.$name" "$WORKDIR/out.pri.$name~"
# Rewrite the internal address to the external one for the outside view
sed 's/!!!INTERNAL_IP!!!/!!!EXTERNAL_IP!!!/g' "$WORKDIR/pri.$name" > "$WORKDIR/out.pri.$name"

# Append a matching zone statement to the outside view's config
cat >> $WORKDIR/named.conf.outside <<EOF
zone "$name" {
  type master;
  file "out.pri.$name";
    allow-query { any; };
    allow-transfer {
        !!!TRANSFER_ALLOW_DNS_IP!!!;
        !!!TRANSFER_ALLOW_DNS_IP!!!;
        !!!TRANSFER_ALLOW_DNS_IP!!!;
        };
};
EOF
done

/etc/init.d/bind9 reload

Don't forget to replace in the code:
!!!INTERNAL_IP!!! - with your ISPConfig server's internal IP address (e.g. 192.168.0.1)
!!!EXTERNAL_IP!!! - with your server's external IP address (e.g. 61.123.123.123)
!!!TRANSFER_ALLOW_DNS_IP!!! - add the IPs of all servers, each followed by a semicolon, that you want to allow to transfer zone files (e.g. secondary DNS servers, NIS test server IPs, etc.).

!!! When you are done, comment out "exit 0" in the third row of the file. !!!


5. Include this line into crontab
Code:

*/2 *  * * *  root    /usr/local/sbin/convert2extDNS.sh 1>/dev/null 2>/dev/null

6. Start ISPConfig and bind
Code:

/etc/init.d/ispconfig_server start
/etc/init.d/bind9 start


7. Log in as admin user into ISPConfig and go to Management >> Settings >> DNS. Change "named.conf" setting from "/etc/bind/named.conf" to "/etc/bind/named.conf.inside"


That's it. Drawbacks: my script isn't handling hosted secondary name servers, but I think it can be easily expanded. The hack to find the pri.zone file names isn't too elegant; if someone can come up with a better solution I'll be very happy.

Cheers,
T.
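As an added example (not the poster's convert2extDNS.sh and not anything ISPConfig ships), here is a variant of step 4 in POSIX sh that covers the edge cases a defender would want handled: the internal address is replaced only when it is a whole record field, so 192.168.0.1 does not also rewrite 192.168.0.10; reverse zones (*.in-addr.arpa) are kept out of the outside view, since an RFC1918 reverse zone should not be served publicly; and named.conf.outside is only replaced (and BIND only reloaded) when its content actually changed, instead of on every cron run. The function name gen_outside_view, its argument order, and the 203.0.113.x transfer addresses in the usage comment are this example's own choices, not the thread's.

```shell
#!/bin/sh
# Added example: rebuild the "outside" view of a split-horizon BIND setup
# from the ISPConfig-generated pri.* zone files.
#
# Usage: gen_outside_view WORKDIR INTERNAL_IP EXTERNAL_IP ALLOW_TRANSFER
#   e.g. gen_outside_view /etc/bind 192.168.0.1 61.123.123.123 "203.0.113.5; 203.0.113.6;"
#   (the 203.0.113.x addresses are constructed sample values)
# Returns 0 if named.conf.outside changed, 1 if it was already up to date.

gen_outside_view() {
    workdir=$1; int_ip=$2; ext_ip=$3; xfer=$4
    # Build the new config in a temp file first so a half-written file is
    # never what BIND sees on reload.
    tmp=$(mktemp "$workdir/named.conf.outside.XXXXXX") || return 2
    printf '// generated by gen_outside_view, do not edit\n' > "$tmp"

    for zf in "$workdir"/pri.*; do
        [ -f "$zf" ] || continue                 # no pri.* files at all
        name=${zf##*/pri.}                       # strip directory and "pri." prefix
        case "$name" in
            *~|*.in-addr.arpa) continue ;;       # skip editor backups and reverse zones
        esac

        # Rewrite the internal address only where it is a whole field of a
        # record (assumption: the address is its own whitespace-separated
        # field, as in standard zone files), so longer addresses that merely
        # start with it are left alone. Whitespace on rewritten lines is
        # collapsed to single spaces, which zone file syntax permits.
        awk -v i="$int_ip" -v e="$ext_ip" \
            '{ for (f = 1; f <= NF; f++) if ($f == i) $f = e; print }' \
            "$zf" > "$workdir/out.pri.$name"

        cat >> "$tmp" <<EOF
zone "$name" {
    type master;
    file "out.pri.$name";
    allow-query { any; };
    allow-transfer { $xfer };
};
EOF
    done

    if cmp -s "$tmp" "$workdir/named.conf.outside"; then
        rm -f "$tmp"                             # nothing changed, no reload needed
        return 1
    fi
    mv "$tmp" "$workdir/named.conf.outside"
    return 0
}

# Cron entry point: only runs when invoked with the four arguments above,
# so sourcing the file defines the function without side effects.
if [ "$#" -eq 4 ]; then
    gen_outside_view "$@" && /etc/init.d/bind9 reload
fi
```

Put this in place of the script in step 4 and keep the cron line from step 5 as it is; because the reload is tied to the function's return status, the every-two-minutes schedule no longer costs a BIND reload when nothing changed. Zone files removed from ISPConfig drop out of named.conf.outside on the next run, though their stale out.pri.* copies stay on disk and can be cleaned up separately.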

