mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-27 16:49:05 +01:00
207 lines
7.3 KiB
XML
207 lines
7.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Simple way to set up Split DNS</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2008</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>What is Split DNS</title>
|
|
|
|
<para><firstterm>Split DNS</firstterm> is simply a configuration in which
|
|
the IP address to which a DNS name resolves is dependent on the location
|
|
of the client. It is most often used in a NAT environment to insure that
|
|
local clients resolve the DNS names of local servers to their RFC 1918
|
|
addresses while external clients resolve the same server names to their
|
|
public counterparts.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Why would I want to use Split DNS?</title>
|
|
|
|
<para>See <ulink url="FAQ.htm#faq2">Shorewall FAQ 2</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Setting up Split DNS</title>
|
|
|
|
<para>Setting up Split DNS is extremely simple:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Be sure that your firewall/router can resolve external DNS
|
|
names.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Install the <emphasis role="bold">dnsmasq</emphasis> package
|
|
(<ulink
|
|
url="http://www.thekelleys.org.uk/dnsmasq/doc.html">http://www.thekelleys.org.uk/dnsmasq/doc.htm</ulink>l)
|
|
and arrange for it to start at boot time. There are many dnsmasq
|
|
HOWTOs on the Internet.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Add your local hosts to <filename>/etc/hosts</filename> on the
|
|
firewall/router using their local RFC 1918 addresses. Here's an
|
|
example:<programlisting>#
|
|
# hosts This file describes a number of hostname-to-address
|
|
# mappings for the TCP/IP subsystem. It is mostly
|
|
# used at boot time, when no name servers are running.
|
|
# On small systems, this file can be used instead of a
|
|
# "named" name server.
|
|
# Syntax:
|
|
#
|
|
# IP-Address Full-Qualified-Hostname Short-Hostname
|
|
#
|
|
|
|
127.0.0.1 localhost
|
|
|
|
<emphasis role="bold">172.20.0.1 openvpn.shorewall.net openvpn
|
|
172.20.0.2 vpn02.shorewall.net vpn02
|
|
172.20.0.3 vpn03.shorewall.net vpn03
|
|
172.20.0.4 vpn04.shorewall.net vpn04
|
|
172.20.0.5 vpn05.shorewall.net vpn05
|
|
172.20.0.6 vpn06.shorewall.net vpn06
|
|
172.20.0.7 vpn07.shorewall.net vpn07
|
|
172.20.0.8 vpn08.shorewall.net vpn08
|
|
172.20.0.9 vpn09.shorewall.net vpn09
|
|
172.20.0.10 vpn10.shorewall.net vpn10
|
|
172.20.0.11 vpn11.shorewall.net vpn11
|
|
172.20.0.12 vpn12.shorewall.net vpn12
|
|
172.20.0.13 vpn13.shorewall.net vpn13
|
|
172.20.0.14 vpn14.shorewall.net vpn14
|
|
172.20.0.15 vpn15.shorewall.net vpn15
|
|
172.20.0.16 vpn16.shorewall.net vpn16
|
|
|
|
172.20.1.1 linksys.shorewall.net linksys
|
|
172.20.1.100 hp8500.shorewall.net hp8500
|
|
172.20.1.102 ursa.shorewall.net ursa
|
|
172.20.1.105 tarry.shorewall.net tarry
|
|
172.20.1.107 teastep.shorewall.net teastep
|
|
172.20.1.109 hpmini.shorewall.net hpmini
|
|
|
|
172.20.1.130 lanursa.shorewall.net lanursa
|
|
172.20.1.131 wookie.shorewall.net wookie
|
|
172.20.1.132 tipper.shorewall.net tipper
|
|
172.20.1.133 nasty.shorewall.net nasty
|
|
172.20.1.134 ursadog.shorewall.net ursadog
|
|
172.20.1.135 opensuse.shorewall.net opensuse
|
|
172.20.1.136 centos.shorewall.net centos
|
|
172.20.1.137 fedora.shorewall.net fedora
|
|
172.20.1.138 debian.shorewall.net debian
|
|
172.20.1.139 archlinux.shorewall.net archlinux
|
|
172.20.1.140 foobar.shorewall.net foobar
|
|
172.20.1.141 deblap.shorewall.net deblap
|
|
172.20.1.254 firewall.shorewall.net firewall
|
|
|
|
206.124.146.254 blarg.shorewall.net blarg
|
|
</emphasis>
|
|
# special IPv6 addresses
|
|
::1 localhost ipv6-localhost ipv6-loopback
|
|
|
|
fe00::0 ipv6-localnet
|
|
|
|
ff00::0 ipv6-mcastprefix
|
|
ff02::1 ipv6-allnodes
|
|
ff02::2 ipv6-allrouters
|
|
ff02::3 ipv6-allhosts
|
|
|
|
<emphasis role="bold">2002:ce7c:92b4::1 gateway6.shorewall.net gateway6
|
|
2002:ce7c:92b4:1::2 mail6.shorewall.net mail6
|
|
2002:ce7c:92b4:1::2 lists6.shorewall.net lists6
|
|
2002:ce7c:92b4:2::2 server6.shorewall.net server6</emphasis>
|
|
|
|
</programlisting></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para> If your local hosts are configured using DHCP, that is a simple
|
|
one-line change to the DHCP configuration.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para><emphasis role="bold">And that's it!</emphasis> Your local clients
|
|
will resolve those names in the firewall/router's
|
|
<filename>/etc/hosts</filename> file as defined in that file. All other
|
|
names will be resolved using the firewall/router's Name Server as defined
|
|
in <filename>/etc/resolv.conf</filename>.</para>
|
|
|
|
<para>Example:</para>
|
|
|
|
<para>From an Internet Host:<programlisting>gateway:~ # host linksys.shorewall.net
|
|
linksys.shorewall.net has address 206.124.146.180
|
|
gateway:~ # </programlisting></para>
|
|
|
|
<para>From Tipper (192.168.1.132):<programlisting>teastep@tipper:~$ host linksys
|
|
linksys.shorewall.net has address 172.20.1.1
|
|
teastep@tipper:~$ </programlisting></para>
|
|
|
|
<para>As a bonus, dnsmasq can also act as a DHCP server. Here are some
|
|
exerpts from the corresponding /etc/dnsmasq.conf:</para>
|
|
|
|
<programlisting>interface=eth1
|
|
|
|
dhcp-range=172.20.1.210,172.20.1.219,24h
|
|
|
|
dhcp-host=00:11:85:89:da:9b,172.20.1.220
|
|
|
|
dhcp-host=00:1A:73:DB:8C:35,172.20.1.102
|
|
dhcp-host=00:25:B3:9F:5B:FD,172.20.1.100
|
|
dhcp-host=00:1F:E1:07:53:CA,172.20.1.105
|
|
dhcp-host=00:1F:29:7B:04:04,172.20.1.107
|
|
dhcp-host=00:24:2b:59:96:e2,172.20.1.109
|
|
|
|
dhcp-host=00:1B:24:CB:2B:CC,172.20.1.130
|
|
dhcp-host=00:21:5a:22:ac:e0,172.20.1.131
|
|
dhcp-host=08:00:27:B1:46:a9,172.20.1.132
|
|
dhcp-host=08:00:27:31:45:83,172.20.1.133
|
|
dhcp-host=08:00:27:28:64:50,172.20.1.134
|
|
dhcp-host=08:00:27:4b:38:88,172.20.1.135
|
|
dhcp-host=08:00:27:f6:4d:65,172.20.1.136
|
|
dhcp-host=08:00:27:dc:cd:94,172.20.1.137
|
|
dhcp-host=08:00:27:0f:d3:8f,172.20.1.138
|
|
dhcp-host=08:00:27:42:9c:01,172.20.1.139
|
|
dhcp-host=08:00:27:5a:6c:d8,172.20.1.140
|
|
dhcp-host=08:00:27:da:96:78,172.20.1.141
|
|
|
|
dhcp-option=19,0 # option ip-forwarding off
|
|
dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
|
|
dhcp-option=45,0.0.0.0 # netbios datagram distribution server
|
|
dhcp-option=46,8 # netbios node type
|
|
dhcp-option=47 # empty netbios scope.
|
|
|
|
dhcp-option=option:domain-search,shorewall.net
|
|
</programlisting>
|
|
</section>
|
|
</article>
|