
DNS and LAMP Server on a DMZ


The Sorrow


Ok, I got some crazy stuff going on....

I have a LAMP server with no content except the "It works" and phpMyAdmin pages. I've attached a map of my network including about everything.

The domain is cobra.unit (not sure if it was obvious) and I'm trying to set up DNS to send me to my LAMP server for cobra.unit/* browser entries.

Discuss. Not sure where to go from here. DNS works, firewall works.



For the DNS part what are you using, Windows Server or Linux BIND?


Which direction are you trying to connect to the LAMP from? If from within the network and the DNS is set up you just need an 'A' record (assuming IPv4; if you want IPv6 then use an 'AAAA' record, or use both for IPv4 and IPv6) for cobra.unit that points to the server's IP address. Or you could add a CNAME record that makes cobra.unit an alias for LAMP.cobra.unit.

If you are wanting external access to the LAMP server by the cobra.unit hostname then you will be in for a bit of a problem, as I don't believe that unit is a valid internet domain. You could always get a valid internet domain and point its DNS records at your server (assuming that you have a static IP address) or use a dynamic DNS service (best solution if you don't have a static IP address).

Note your external IP address will be different for your LAMP.cobra.unit server than the internal IP address (assuming you are using NAT).


I'm trying to connect as a local intranet web server from LAN -> DMZ. The server is BIND9. I also have pfSense set up to allow incoming over 1337 -> 80 since Cox blocks web servers for non-business accounts. (And eh, what the hell) http://70.173.111.196:1337/ is the direction you need to go. I'm just trying to get local web server stuff going.

Here are my bind config files:

/etc/bind/zones/

|-cobra.unit.db

// replace example.com with your domain name. do not forget the . after the dom$
// Also, replace ns1 with the name of your DNS server
example.com. IN SOA ns1.example.com. admin.example.com. (
// Do not modify the following lines!
2007031001
28800
3600
604800
38400
)

// Replace the following line as necessary:
// ns1 = DNS Server name
// mail = mail server name
// example.com = domain name
cobra.unit = cobra.unit
cobra.unit. IN NS thesorrow.cobra.unit.
cobra.unit. IN MX 10 mail.cobra.unit.

// Replace the IP address with the right IP addresses.
thefury IN A 10.10.1.200
theend IN A 10.10.1.254
thesorrow IN A 10.10.1.250
theboss IN A 10.10.2.100

|-rev.1.10.10.in-addr.arpa

//replace example.com with yoour domain name, ns1 with your DNS server name.
// The number before IN PTR example.com is the machine address of the DNS serve$
@ IN SOA thesorrow.cobra.unit. admin.cobra.unit. (
2007031001;
28800;
604800;
604800;
86400
)

IN NS thesorrow.cobra.unit.
1 IN PTR cobra.unit

Edited by The Sorrow

Assuming your web server is hosting The Lair, then it works from outside your network. So your DMZ firewall rules are working.

If you can access it locally via IP then that leaves us with the local DNS setup.

What do you get when you use nslookup to lookup cobra.unit and theboss.cobra.unit?


Do an nslookup against your webserver IP address to determine if BIND is resolving the IP address and the hostname correctly. If it's not working, see this article for more details on configuring BIND.

http://news.softpedia.com/news/How-to-Host-Your-Own-Domain-With-Bind9-on-Ubuntu-49585.shtml


Yep, that's the forum. I'll nslookup and post the results in a few.

It does this:

Server: UnKnown
Address: 10.10.1.250

*** UnKnown can't find theboss.cobra.unit: Server failed

Yeah, sounds like a DNS issue. Make sure your DNS service is running and there are no errors in your log files. I would also suggest checking out that link I provided you earlier on. Also, when performing the nslookup query make sure the host you are issuing it from knows about your DNS server. If you do an ifconfig it should tell you what DNS server it's using for doing the DNS lookups.


I set up my config files the same except I replaced their generic fields with my own.

I am currently installing Ubuntu as a virtual machine and will play a bit with Bind9. Will get back to you, once I have the whole thing setup and going.


Have installed Bind9 and configured it as per this article, and it worked without any issues.

http://ubuntuforums.org/showthread.php?t=236093


Whoa. Hold on. TheBoss is in another network (10.10.2.0/24). I may have to add the other networks I have into the DNS entries for forward and reverse lookup.

Since it's a different subnet altogether, you will need a router, or set up a second NIC on your server and assign that IP address range to it.


So I can't just add another reverse lookup rev.2.10.10.in-addr.arpa for that network? It has to be another NIC? I know Windows can be DNS for multiple IP ranges... unless I'm mistaken....

Technically you could add another reverse lookup rev.2.10.10 for that network, but you will need an additional NIC, because of the second subnet.


Technically you could add another reverse lookup rev.2.10.10 for that network, but you will need an additional NIC, because of the second subnet.

Your DNS server doesn't need a NIC per subnet it is being used for lookup from. If that was the case then corporate DNS servers would require thousands of network interfaces.

Leave the routing between subnets to routers (theEnd.cobra.unit looks like it is routing between the subnets in this case). Of course you will have to make sure that your firewall between your subnets doesn't block DNS access internally.

Edited by Jason Cooper

Your DNS server doesn't need a NIC per subnet it is being used for lookup from. If that was the case then corporate DNS servers would require thousands of network interfaces.

Leave the routing between subnets to routers (theEnd.cobra.unit looks like it is routing between the subnets in this case). Of course you will have to make sure that your firewall between your subnets doesn't block DNS access internally.

So he still needs a router!


So he still needs a router!

theEnd.cobra.unit is connecting 3 subnets together and running pfSense, looks to me like a router. Or to put it another way he doesn't need another router as he has one doing the job already.


Ok so this is my new setup. I have name resolution working for my LAN subnet but when I try pinging theboss or theboss.cobra.unit it still won't work. I have a rule allowing the DMZ addresses to look at 10.10.1.250 (thesorrow.cobra.unit) for DNS and I see flags of pfSense allowing those transmissions in the system log. Maybe I'll have to hit up pfSense for some ideas with rules... idk.

/etc/bind/cobra.unit.db

$TTL 3D
@       IN      SOA     thesorrow.cobra.unit.   admin (
                        2011100311              ;serial number
                        8H                      ;refresh
                        2H                      ;retry
                        4W                      ;expiration
                        1D )                    ;
;
@               NS      thesorrow
thepain         A       10.10.1.251
thesorrow       A       10.10.1.250
thefury         A       10.10.1.200
theboss         A       10.10.2.100
theend          A       10.10.1.254
theend          A       10.10.2.254
theend          A       10.10.3.254

rev.1.10.10.in-addr.arpa

$TTL 3D
$ORIGIN 1.10.10.in-addr.arpa.
@       IN      SOA     thesorrow.cobra.unit.       admin.cobra.unit. (
                        2011100311      ;serial number
                        8H              ;refresh
                        2H              ;retry
                        4W              ;expiration
                        1D )            ;minimum / negative-cache TTL
;
                NS      thesorrow.cobra.unit.       ;thesorrow
;
; PTR targets must be fully qualified (trailing dot); without it BIND
; appends $ORIGIN and the name becomes thefury.cobra.unit.1.10.10.in-addr.arpa.
200      PTR     thefury.cobra.unit.         ;thefury is 10.10.1.200 in the forward zone
251      PTR     thepain.cobra.unit.
254      PTR     theend.cobra.unit.
250      PTR     thesorrow.cobra.unit.

rev.2.10.10.in-addr.arpa

$TTL 3D
$ORIGIN 2.10.10.in-addr.arpa.       ;must match this zone (10.10.2.0/24), not 1.10.10
@       IN      SOA     thesorrow.cobra.unit.       admin.cobra.unit. (
                        2011100311      ;serial number
                        8H              ;refresh
                        2H              ;retry
                        4W              ;expiration
                        1D )            ;minimum / negative-cache TTL
;
                NS      thesorrow.cobra.unit.       ;thesorrow
;
100      PTR     theboss.cobra.unit.         ;trailing dot, otherwise $ORIGIN is appended

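As an added example (not from this thread or from BIND), a small Python lint for the zone-file mistakes discussed above: an $ORIGIN that does not match the reverse zone, PTR/NS targets without a trailing dot (which BIND expands relative to the origin), and '//' comments, which the zone parser does not accept. The zone text below is a constructed copy of the posted rev.2 file; lint_zone is a hypothetical helper.

```python
"""Added example: lint BIND zone text for the mistakes seen in this thread."""


def lint_zone(text, zone_name):
    """Return a list of problems found in the zone text for zone_name.

    Checks: '//' comments (zone files use ';'), a $ORIGIN that does not
    match the zone name, and PTR/NS/CNAME/MX targets that contain dots
    but no trailing dot (BIND would append the origin, giving names like
    theboss.cobra.unit.2.10.10.in-addr.arpa.).
    """
    zone = zone_name.rstrip(".")
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("//"):
            problems.append(f"line {lineno}: '//' is not a zone-file comment, use ';'")
            continue
        fields = raw.split(";", 1)[0].split()  # drop ';' comments
        if not fields:
            continue
        if fields[0] == "$ORIGIN" and len(fields) > 1:
            if fields[1].rstrip(".") != zone:
                problems.append(f"line {lineno}: $ORIGIN {fields[1]} does not match zone {zone}")
        for rtype in ("PTR", "NS", "CNAME", "MX"):
            if rtype in fields:
                target = fields[-1]
                if "." in target and not target.endswith("."):
                    problems.append(
                        f"line {lineno}: {rtype} target {target} lacks trailing dot "
                        f"and would become {target}.{zone}.")
    return problems


# Constructed copy of the rev.2.10.10.in-addr.arpa file posted above.
BROKEN_REV2 = """\
$TTL 3D
$ORIGIN 1.10.10.in-addr.arpa.
@       IN      SOA     thesorrow.cobra.unit.       admin.cobra.unit. (
                        2011100311      ;serial number
                        1D )            ;
                NS      thesorrow.cobra.unit.       ;thesorrow
100      PTR     theboss.cobra.unit
"""

# Same file with the origin and the trailing dot corrected.
FIXED_REV2 = (BROKEN_REV2
              .replace("$ORIGIN 1.10.10", "$ORIGIN 2.10.10")
              .replace("theboss.cobra.unit\n", "theboss.cobra.unit.\n"))

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN_REV2), ("fixed", FIXED_REV2)):
        print(name, lint_zone(zone, "2.10.10.in-addr.arpa") or "ok")
```

named-checkzone on the real server remains the authoritative check; this lint only catches the handful of copy-paste errors seen in this thread.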
