Solved: problem serving a DNS server to the outside

Hi, the scenario is this:

I have a web page, and my public DNS provider gives me two DNS entries. In my LAN I have two bare-bone servers, each with a public IP from my DNS provider, for example: server1-dns1, 200.65.11.xxx; server2-dns2, 200.43.11.xxx,
with only these simple PF rules:

Code:
# external interface macro; the real definition is in the part I cut, "em0" is just a stand-in here
ext_if = "em0"
# PF macros are defined without the leading $; the $ is used only when referencing them
ip1 = "200.65.11.xxx"
# 191.168.1.250 is the IP of pfSense
rdr pass log (all) on $ext_if proto { udp, tcp } from any to $ip1 port 53 -> 191.168.1.250 port 53
(I cut the rest because it makes no sense posting all of it, and I use pass; I know it's not good)
and that rule is replicated on the other server.

Behind that is pfSense with HAProxy and BIND;
everything is working fine.

But I got a new server with 4 Ethernet cards, so why not put the 2 servers (really they are 2 PCs) into one?
But when I put everything together, the web page is not resolved, and logically every subdomain xxx.webpage.com isn't either.

The public IPs my provider gives me come from 2 different routers, with the mask 255.255.255.248.
Maybe that is it? A network mask conflict?
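What the post describes, written out as an added example (this is not the poster's configuration and not anything from the FreeBSD or pfSense projects): one FreeBSD box with both upstream links attached, and both public addresses forwarded to the same inside BIND host. Interface names, gateway addresses and every IP address are assumed placeholders. Beyond what the post says, it assumes a common cause that matches the reported symptom: with two /29 blocks from two different routers only one router is the default route, so answers to queries that arrived on the second link leave through the first router unless the state is pinned to its interface with reply-to. The rdr pass form used in the post also skips the filter rules, so reply-to can never attach to it; the example therefore splits translation and filtering.

```pf
# Added example pf.conf, not the poster's config. All names and addresses are assumed
# placeholders: em0/em1 are the two upstream links, em2 is the LAN side, the
# gateway and public addresses use documentation ranges (TEST-NET-2/TEST-NET-3).
ext_if1 = "em0"
ext_if2 = "em1"
int_if  = "em2"
gw1     = "203.0.113.1"      # router on upstream link 1 (placeholder)
gw2     = "198.51.100.1"     # router on upstream link 2 (placeholder)
ip1     = "203.0.113.2"      # public address that dns1 answers on (placeholder)
ip2     = "198.51.100.2"     # public address that dns2 answers on (placeholder)
dns_int = "192.168.1.250"    # inside host running BIND (the pfSense box in the thread)

set skip on lo0
set state-policy if-bound    # bind each flow's state to the interface it arrived on

# Translation only (no "pass"), so the filter rules below are still evaluated
# and can attach the return-path policy. Filter rules see the translated address.
rdr on $ext_if1 inet proto { tcp, udp } from any to $ip1 port 53 -> $dns_int port 53
rdr on $ext_if2 inet proto { tcp, udp } from any to $ip2 port 53 -> $dns_int port 53

# Default deny; only DNS is opened below.
block log all

# Accept DNS on each upstream and send the replies back out the same link they
# came in on. Without reply-to, replies for link 2 follow the default route via
# gw1 and leave from the wrong router, so the querying resolver never sees them.
pass in log on $ext_if1 reply-to ($ext_if1 $gw1) inet proto { tcp, udp } \
    from any to $dns_int port 53 keep state
pass in log on $ext_if2 reply-to ($ext_if2 $gw2) inet proto { tcp, udp } \
    from any to $dns_int port 53 keep state

# Let the forwarded queries continue out the LAN side to the inside resolver.
pass out on $int_if inet proto { tcp, udp } from any to $dns_int port 53 keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f, and keep gateway_enable="YES" and pf_enable="YES" in /etc/rc.conf so the box actually forwards. Note that this only fixes the return path; the fault-tolerance objection raised later in the thread still stands, since one machine carrying both addresses is a single point of failure for the zone.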
 
So I'm having a lot of trouble following what you wrote, but am going to take a wild stab at it anyway.

Did you add gateway_enable="YES" to your /etc/rc.conf?
 

cy@

Developer
It's best practice not to use your primary name server to service DNS requests. Ideally you should have two external DNSs, both of which receive zone transfers from your secured name server inside your firewall.

Personally, I wouldn't trust running named or for that matter any nameserver behind my firewall.

The other thing to consider would be to run a split DNS, where the exterior sees a subset of what your local network can see. Some organizations set up dummy TLDs internally (one customer of mine and my employer do this) while I prefer to use the same TLD except that with the external DNS, only some records are visible. IMO the second approach tends to confuse your end users less; however, your support staff must keep it straight in their mind which DNS they're working with when working on tickets.

Just a thought.
 
So I'm having a lot of trouble following what you wrote, but am going to take a wild stab at it anyway.

Did you add gateway_enable="YES" to your /etc/rc.conf?
yes, and it is working fine
It's best practice not to use your primary name server to service DNS requests. Ideally you should have two external DNSs, both of which receive zone transfers from your secured name server inside your firewall.

Personally, I wouldn't trust running named or for that matter any nameserver behind my firewall.

The other thing to consider would be to run a split DNS, where the exterior sees a subset of what your local network can see. Some organizations set up dummy TLDs internally (one customer of mine and my employer do this) while I prefer to use the same TLD except that with the external DNS, only some records are visible. IMO the second approach tends to confuse your end users less; however, your support staff must keep it straight in their mind which DNS they're working with when working on tickets.

Just a thought.

Besides the 2 public DNS servers, I have one for the local network; it is a good way to block sites. It's not a layer-7 firewall, but it does its job.
 

SirDice

Administrator
Staff member
Moderator
so why not put the 2 servers (really they are 2 PCs) into one?
You are supposed to have 2 servers (preferably on two different upstream connections) in case one of them drops off the network (for whatever reason). You have two DNS servers for some basic/simple fault tolerance. Putting both servers on one machine kind of defeats this.
 
When you say "two public dns" do you mean you're running two instances of BIND (or unbound, or whatever)? Single name server with multiple zones? Something else?

You've got two public IPs? They were assigned to the same interface before and now are assigned to different interfaces? Can we see your IP address configuration from /etc/rc.conf?

Code:
rdr pass log(all)  on $ext_if proto {udp,tcp}   from any to $ip1  port 53 -> 191.168.1.250  port 53

The address 191.168.1.250 is very close to being in an RFC 1918 range, but not quite. Is that supposed to be 192.168.1.250?
 
When you say "two public dns" do you mean you're running two instances of BIND (or unbound, or whatever)? Single name server with multiple zones? Something else?

You've got two public IPs? They were assigned to the same interface before and now are assigned to different interfaces? Can we see your IP address configuration from /etc/rc.conf?

Code:
rdr pass log(all)  on $ext_if proto {udp,tcp}   from any to $ip1  port 53 -> 191.168.1.250  port 53

The address 191.168.1.250 is very close to being in an RFC 1918 range, but not quite. Is that supposed to be 192.168.1.250?
sorry, the IP address is fake, just for this post

by public DNS I mean the dns1 and dns2 declared at my public DNS provider, nic.ar in my country
 
You are supposed to have 2 servers (preferably on two different upstream connections) in case one of them drops off the network (for whatever reason). You have two DNS servers for some basic/simple fault tolerance. Putting both servers on one machine kind of defeats this.

you are right; in the end, we decided to put one router on one DNS and the other on the server
 