DNS project... maybe... - Questions
-
DNS project... maybe...
Hello to all...
I find myself with several PC's in my LAN@home and I found the need to be able
to create a DNS server under Linux...
For sake of security, I will not post my real addresses...
Here's what I have:
I have foo.dyndns.org pointing to my ADSL at home... Anything I place to
the LEFT of foo resolves to my live IP. Example: mail.foo.dyndns.org
resolves to the same IP as foo.dyndns.org.
With that said, is it possible to set up some kind of 'internal' DNS to
resolve the names to the LEFT of foo.dyndns.org AFTER it reaches my
IP? Keep in mind that I have dyndns.org as a service to resolve from the
outside.
Also, please keep in mind that I'm using the 192.168.*.* private addresses
behind my firewall.
If so, please point me in the right direction to read, learn and possibly
see examples on how to accomplish this.
Bottom line: I'd like to be able to send email from the cloud to my house
using something like: myaccount@mail.foo.dyndns.org. I'd also like to be
able to resolve for www.foo.dyndns.org and irc.foo.dyndns.org.
Thanks in advance! :-)
DNSgeek
-
Re: DNS project... maybe...
DNSgeek wrote:
> Hello to all...
>
> I find myself with several PC's in my LAN@home and I found the need to be
> able to create a DNS server under Linux...
>
> For sake of security, I will not post my real addresses...
>
> Here's what I have:
>
> I have foo.dyndns.org pointing to my ADSL at home... Anything I place to
> the LEFT of foo resolves to my live IP. Example: mail.foo.dyndns.org
> resolves to the same IP as foo.dyndns.org.
>
> With that said, is it possible to set up some kind of 'internal' DNS to
> resolve the names to the LEFT of foo.dyndns.org AFTER it reaches my
> IP? Keep in mind that I have dyndns.org as a service to resolve from the
> outside.
>
> Also, please keep in mind that I'm using the 192.168.*.* private addresses
> behind my firewall.
>
> If so, please point me in the right direction to read, learn and possibly
> see examples on how to accomplish this.
>
> Bottom line: I'd like to be able to send email from the cloud to my house
> using something like: myaccount@mail.foo.dyndns.org. I'd also like to be
> able to resolve for www.foo.dyndns.org and irc.foo.dyndns.org.
>
> Thanks in advance! :-)
>
> DNSgeek
To set up a mail server you don't need to install a DNS server; that is
already done for you by dyndns.org.
Technically you need an MX record, but it will work without it.
You can set up a DNS server to be used by your local network only (caching
DNS), but to set up a public DNS server in order to have people on the
internet resolve names using your server you will need two (different)
public IPs (one each) for two DNS servers, a primary and a secondary.
You will have to set them up on the WAN side of your local network, not
behind the router or whatever, because they need to be directly accessible.
At least that's the way it was explained to me; I wanted to do the same
thing.
If you set up your own mail server, I recommend Postfix, and BE SURE to
set it up so unauthorized people can't relay mail, or your ISP will eventually
shut you down totally, for good probably. Also, enable reverse lookups so
incoming mail has to verify the IP against the HELO string. Doing so will
eliminate almost ALL of your spam, i.e. HELO none will be rejected, HELO
yahoo.com will be accepted IF (and only if) the incoming mail server IP
matches back to yahoo.com. If the major ISPs would do this 99% of the spam
out there would be blocked. Why? Because spammers never want you to know
who they are or where the mail actually originates from, so they lie in the
HELO contact.
That's my 2 cents worth.
Eric
-
Re: DNS project... maybe...
Eric,
Thank you so much for the info... I have learned that
/etc/mail/mailertable is where I can tell my internal mail server to
distribute the emails inside my private LAN... However, we're losing
track of what I'm after...
I'm after being able to resolve for www.foo.dyndns.org, or
ftp.foo.dyndns.org, or irc.foo.dyndns.org... notice the www, ftp, irc...
If I were to attempt to connect to either of these machines from the
outside (from work, for example) into my LAN... I know that
foo.dyndns.org resolves... and lastly, I want my internal LAN to resolve
for the 'ftp', 'www', 'irc', etc...
That's where I can't resolve... maybe the fact that I am using private
IP's internally.... but I know that logically it shouldn't matter...
I don't need to tell the world of DNS that I have private IP's... all I
need is for any request to the left of 'foo.dyndns.org' be resolved
internally with some kind of local, authoritative zone DNS server.
Once again, thanks for the help! :-)
DNSgeek
On Tue, 04 Nov 2003 01:39:39 -0500, Eric wrote:
> To set up a mail server you don't need to install a DNS server; that is
> already done for you by dyndns.org.
> Technically you need an MX record, but it will work without it. You can
> set up a DNS server to be used by your local network only (caching DNS),
> but to set up a public DNS server in order to have people on the
> internet resolve names using your server you will need two (different)
> public IPs (one each) for two DNS servers, a primary and a secondary. You
> will have to set them up on the WAN side of your local network, not
> behind the router or whatever, because they need to be directly accessible. At
> least that's the way it was explained to me; I wanted to do the same
> thing.
> If you set up your own mail server, I recommend Postfix, and BE SURE to
> set it up so unauthorized people can't relay mail, or your ISP will
> eventually shut you down totally, for good probably. Also, enable
> reverse lookups so incoming mail has to verify the IP against the HELO
> string. Doing so will eliminate almost ALL of your spam, i.e. HELO none
> will be rejected, HELO yahoo.com will be accepted IF (and only if) the
> incoming mail server IP matches back to yahoo.com. If the major ISPs
> would do this 99% of the spam out there would be blocked. Why? Because
> spammers never want you to know who they are or where the mail actually
> originates from, so they lie in the HELO contact. That's my 2 cents worth.
> Eric
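The "local, authoritative zone" DNSgeek asks for above is exactly what a BIND 9 view does: LAN clients get foo.dyndns.org names answered from a private zone file, every other name is forwarded, and nothing listens on the ADSL side, so the public dyndns.org answers are untouched. This is an added example, not configuration from the thread; the LAN addresses, the ISP resolver addresses and the file paths are constructed placeholders.

```conf
// /etc/named.conf (excerpt) -- constructed example; all addresses are placeholders.
// Answer foo.dyndns.org authoritatively for the LAN, using private addresses,
// and forward every other name to the ISP's resolvers. Listening only on the
// LAN interface keeps the private zone invisible from the internet.
acl "lan" { 127.0.0.1; 192.168.0.0/16; };

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.1.1; };   // LAN interface only, never the ADSL side
    allow-query     { lan; };
    allow-recursion { lan; };
    recursion yes;
};

view "internal" {
    match-clients { lan; };
    forward only;
    forwarders { 203.0.113.53; 203.0.113.54; };   // ISP resolvers (placeholder)
    zone "foo.dyndns.org" IN {
        type master;
        file "internal/foo.dyndns.org.zone";
    };
};

// /var/named/internal/foo.dyndns.org.zone -- the LAN's view of the names
$TTL 1h
@       IN  SOA ns1.foo.dyndns.org. hostmaster.foo.dyndns.org. (
            2003110501  ; serial, YYYYMMDDnn
            1h 15m 1w 1h )
        IN  NS  ns1.foo.dyndns.org.
        IN  MX  10 mail.foo.dyndns.org.
@       IN  A   192.168.1.1    ; the firewall, so bare foo.dyndns.org works inside too
ns1     IN  A   192.168.1.1
mail    IN  A   192.168.1.10
www     IN  A   192.168.1.20
ftp     IN  A   192.168.1.21
irc     IN  A   192.168.1.22
```

LAN clients point /etc/resolv.conf at 192.168.1.1; from outside, dyndns.org's servers keep answering as before, so the two views never conflict.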
-
Re: DNS project... maybe...
Well, different services are on different ports.
For example, if someone connects to you via ssh
then they can simply use your root domain address.
You will need to open port 22 on your firewall/router
and forward port 22 accesses to the machine running
the ssh server, and then the incoming ssh access will go
to the right place.
The real problem you have is that dyndns.org only
provides rudimentary DNS services for you. You can
work around it as I have said above, but probably you
should get away from dyndns and register your own
domain name and then hire DNS services; all that is
fairly cheap and will give you what you want directly.
It's what I did. I have my own domain: nameRemoved.com,
and the DNS I use provides records for www.nameRemoved.com
(my site is non-commercial and I use it to share
pictures with my family and friends who are scattered
all over creation) and an MX record for my mail server.
With those in place I can control my mail (i.e. no spam,
ask me how :-), OK, I'll tell you the secret: in Postfix
require for all incoming mail deliveries that the
incoming IP, when reverse looked up, matches against the
stated source in the HELO statement; reject all that
don't match), ssh to my machine from anywhere I happen to
be, get my mail via the web, etc. It's very nice,
but it does require me to stay on top of security updates
and watch for hack attacks. It's a never-ending process of
seeing what's new, what the latest security threats are, how
to prevent them, and continuous study on how to tweak my various
configurations to provide the best security I can.
Buy books, and READ READ READ. And here is the number 1 tip!
Don't use Windows for any of this (and of course you won't, seeing
this is a Linux usenet group); it's just a gigantic unstoppable
security hole.
Eric
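Eric's two Postfix points, in this post and his earlier one (lock down relaying, and check incoming clients against reverse DNS and their HELO), map onto the main.cf settings below. This is an added example, not Eric's configuration; the hostnames and network ranges are placeholders. One caveat from Postfix itself: it has no single restriction that compares the HELO name with the client's PTR record; it checks the two separately, and the forward-confirmed reverse DNS test also rejects legitimate senders whose reverse DNS is broken, which is why it is trialled with warn_if_reject here.

```conf
# /etc/postfix/main.cf (excerpt) -- constructed example, not from the thread.
myhostname    = mail.foo.dyndns.org
mydomain      = foo.dyndns.org
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# Only these networks are trusted to relay through this server.
mynetworks    = 127.0.0.0/8, 192.168.0.0/16

# Relay lock-down: a client outside mynetworks may only deliver to our own
# domains. Without reject_unauth_destination the box is an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# HELO checks: demand a HELO, then reject names that are malformed, not
# fully qualified, or that do not resolve (a bare "HELO none" fails all three).
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname

# Client reverse-DNS checks. reject_unknown_reverse_client_hostname rejects
# connecting IPs that have no PTR record at all; reject_unknown_client_hostname
# additionally requires the PTR name to resolve back to the connecting IP.
# The stricter test also hits misconfigured legitimate senders, so it runs
# under warn_if_reject first: logged as "reject_warning" in the mail log,
# not enforced, until the log shows it is safe to turn on.
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_client_hostname
```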
-
Re: DNS project... maybe...
Eric,
Thanks for the help! I realize now after RTFM'ing DNS & BIND, 4th
Edition, and the Cookbook that there's NO way around what I was trying to
do UNLESS I have multiple 'live' IPs on the Net... so, with that said,
I have resourced myself into splitting my services through my firewall to
some of the 22 machines I have here at home.
For now I have all my mail forwarded from my domain provider and I am
filtering it here with a mail server, allowing ports 25 and 110
accordingly... Unfortunately I cannot use my mail server as a RELAY from
the outside, but I can POP mail from anywhere so I can live with that! :-)
Maybe, if/when I can afford it, I'll obtain a small block of 6 IP's and
play with 'real' DNS and zones in the future...
DNSgeek
On Wed, 05 Nov 2003 00:28:21 -0500, Eric wrote:
> Well, different services are on different ports. For example, if someone
> connects to you via ssh then they can simply use your root domain address.
> You will need to open port 22 on your firewall/router and forward
> port 22 accesses to the machine running the ssh server, and then the
> incoming ssh access will go to the right place. The real problem you
> have is that dyndns.org only provides rudimentary DNS services for you.
> You can work around it as I have said above, but probably you should get
> away from dyndns and register your own domain name and then hire DNS
> services; all that is fairly cheap and will give you what you want
> directly. It's what I did. I have my own domain: nameRemoved.com, and the
> DNS I use provides records for www.nameRemoved.com (my site is
> non-commercial and I use it to share pictures with my family and friends
> who are scattered all over creation) and an MX record for my mail server.
> With those in place I can control my mail (i.e. no spam, ask me how :-),
> OK, I'll tell you the secret: in Postfix require for all incoming
> mail deliveries that the incoming IP, when reverse looked up, matches
> against the stated source in the HELO statement; reject all that don't
> match), ssh to my machine from anywhere I happen to be, get my mail via
> the web, etc. It's very nice, but it does require me to stay on top of
> security updates and watch for hack attacks. It's a never-ending process
> of seeing what's new, what the latest security threats are, how to prevent
> them, and continuous study on how to tweak my various configurations to
> provide the best security I can. Buy books, and READ READ READ. And here
> is the number 1 tip! Don't use Windows for any of this (and of course you
> won't, seeing this is a Linux usenet group); it's just a gigantic
> unstoppable security hole.
>
> Eric