Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Feature Requests

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 12th December 2005, 02:00
benbalbo benbalbo is offline
Member
 
Join Date: Oct 2005
Posts: 50
Thanks: 0
Thanked 4 Times in 4 Posts
Default BIND views : running ISPc in a port forwarded environment

I had a look to see if this is covered, but can't find anything.

One of my ISPConfig installs is running on a server on a DSL line in a DMZ. All incoming requests on publicIP are directed to privateIP.

This works fine when browsing to a site from outside the office, but internally, we need to connect to privateIP instead of publicIP - the router doesn't support loop-back.

What I'd like to do is configure BIND to use views in order to serve privateIPs for internal requests.

Given the relative complexity of this, I think I'll have to do this manually (or even run a separate internal DNS on a different box) but thought I might suggest this as a feature for future versions of ISPConfig.

It would require a mapping system so ISPConfig is aware that 202.202.202.202 forwards to 192.168.0.200 (for example) so internal requests can receive the 192.x.x.x address. Mapping should only be done if running in a DMZ setup such as this,
Reply With Quote
Sponsored Links
  #2  
Old 12th December 2005, 10:21
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,736 Times in 2,571 Posts
Default

This isn't covered by ISPconfig yet, but you can change the named.conf manually (there's a section in it where you can make manual changes that won't be overwritten by ISPConfig).
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 13th December 2005, 00:06
benbalbo benbalbo is offline
Member
 
Join Date: Oct 2005
Posts: 50
Thanks: 0
Thanked 4 Times in 4 Posts
Default

Quote:
Originally Posted by falko
This isn't covered by ISPconfig yet, but you can change the named.conf manually (there's a section in it where you can make manual changes that won't be overwritten by ISPConfig).
True - but this would have to be updated manually for every domain added through ISPConfig.

I like the fact that you said "yet" though :-)
Reply With Quote
  #4  
Old 9th February 2006, 01:19
tekin tekin is offline
Junior Member
 
Join Date: Feb 2006
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I agree, this would be a most useful feature, I have a similar setup and don't want to be manually editing named.conf every time I add a new website.

Is this feature likely to be added soon?
Reply With Quote
  #5  
Old 13th February 2006, 11:06
todvard todvard is offline
Member
 
Join Date: Aug 2005
Posts: 85
Thanks: 1
Thanked 6 Times in 5 Posts
Default

Here is a small workaround how i could get "views" working in Bind. I am not a php programmer, so i decided to use bash scripts to achieve my purpose. Here is a mini howto in 7 steps for Debian (3.1) Sarge:

1. Stop ISPConfig and bind
Code:
/etc/init.d/ispconfig_server stop
/etc/init.d/bind9 stop
2. We will split /etc/bind/named.conf into 3 parts: /etc/bind/named.conf, /etc/bind/named.conf.inside, /etc/bind/named.conf.outside

named.conf should looks like this:
Code:
options {
        pid-file "/var/run/bind/run/named.pid";
        directory "/etc/bind";
        auth-nxdomain no;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//

// My script is generating a hunge amount notes in your log file.
// If you want it to be forwarded to separate log file uncomment
// the following lines. Don't forget to create /var/log/named folder, 
// or /var/lib/named/var/log/named if you are using bind in chroot
// enviroment.
//logging {
//        channel "default_log_channel" {
//                file "/var/log/named/bind.log" versions 8 size 2m;
//                print-category  yes;
//                print-time      yes;
//        };
//        category "default" {
//                "default_log_channel";
//        };

        category lame-servers { null; };
};

acl loopback    { 127/8; };
acl rfc1918     { 10/8; 172.16/12; 192.168/16; };

view "inside" {
        match-clients { loopback; rfc1918; };
        recursion yes;
        notify no;


zone "." {
        type hint;
        file "db.root";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.local";
};



include "/etc/bind/named.conf.inside";

};



view "outside" {
        match-clients { any; };
        recursion no;
        allow-query { any; };

include "/etc/bind/named.conf.outside";

};
named.conf.inside will be generated automatically by ISPConfig, named.conf.outside will be generated by our script.
Read the commented part in named.conf file, if you want to forward log events to different file.


3. we have to change the way how ISPconfig is generating named.conf. Create backup first:
Code:
cp /root/ispconfig/isp/conf/named.conf.master /root/ispconfig/isp/conf/named.conf.master.orig
Modify /root/ispconfig/isp/conf/named.conf.master to looks like this:
Code:
<!-- BEGIN DYNAMIC BLOCK: named_reverse -->
zone "{ZONE}.in-addr.arpa" {
        type master;
        file "pri.{ZONE}.in-addr.arpa";
};
<!-- END DYNAMIC BLOCK: named_reverse -->

<!-- BEGIN DYNAMIC BLOCK: named -->
zone "{DOMAIN}" {
        type master;
        file "pri.{DOMAIN}";
};
<!-- END DYNAMIC BLOCK: named -->

<!-- BEGIN DYNAMIC BLOCK: named_slave -->
zone "{DOMAIN}" {
        type slave;
        file "sec.{DOMAIN}";
        masters { {MASTERS}; };
};
<!-- END DYNAMIC BLOCK: named_slave -->

//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////
4. Create a bash script /usr/local/sbin/convert2extDNS.sh
Code:
#! /bin/sh

exit 0

WORKDIR=/etc/bind

mv $WORKDIR/named.conf.outside $WORKDIR/named.conf.outside~

# This is a dirty hack to find zone files leading with pri. and not ending with ~
for name in `cd /etc/bind; ls | grep -e '^pri.' | grep -v "~" | cut -c5-`
do
echo $name
cp $WORKDIR/out.pri.$name $WORKDIR/out.pri.$name~
cat $WORKDIR/pri.$name | sed 's/!!!INTERNAL_IP!!!/!!!EXTERNAL_IP!!!/g' > $WORKDIR/out.pri.$name

cat >> $WORKDIR/named.conf.outside <<EOF
zone "$name" {
   type master;
   file "out.pri.$name";
    allow-query { any; };
    allow-transfer {
        !!!TRANSFER_ALLOW_DNS_IP!!!;
        !!!TRANSFER_ALLOW_DNS_IP!!!;
        !!!TRANSFER_ALLOW_DNS_IP!!!;
        };
};
EOF
done

/etc/init.d/bind9 reload
Don't forget to replace in code:
!!!INTERNAL_IP!!! - with your ISPConfig servers internal IP address (eg.: 192.168.0.1)
!!!EXTERNAL_IP!!! - with your servers external IP address (eg: 61.123.123.123)
!!!TRANSFER_ALLOW_DNS_IP!!! - add in all server IPs followed by semicolon whom you want to allow transfer zone files (eg. secondary DNS servers, NIS test server IPs, etc.).

!!!!When you are done comment out "exit 0" in third row of the file.!!!


5. Include this line into crontab
Code:
*/2 *   * * *   root    /usr/local/sbin/convert2extDNS.sh 1>/dev/null 2>/dev/null

6. Start ISPConfig and bind
Code:
/etc/init.d/ispconfig_server start
/etc/init.d/bind9 start

7. Log in as admin user into ISPConfig and go to Management >> Settings >> DNS. Change "named.conf" setting from "/etc/bind/named.conf" to "/etc/bind/named.conf.inside"


Thats it. Drawbacks, my script isn't handling hosted secondary name servers, but i think it can be easily epanded. The hack to find the pir.zone file names isn't to elegant, if someone can came out with a better solution i'll be very happy.

Cheers,
T.

Last edited by todvard; 13th February 2006 at 11:10.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +2. The time now is 11:08.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.