[clue-tech] Critical BIND issues behind firewall

Mike Staver staver at fimble.com
Mon Jan 17 10:39:56 MST 2005


Ok, here is my problem: I have two DNS servers, 64.242.89.11 and 64.242.89.17. They are both behind a PIX firewall, with local IPs of 10.0.0.11 and 10.0.0.17. The config for .11 looks like this:

options {
         dump-file "/var/log/named_dump.db";
         statistics-file "/var/log/named.stats";
         listen-on-v6 { none; };
         notify yes;
};

zone "." {
         type hint;
         file "db.cache";
};

zone "89.242.64.in-addr.arpa"{
         type master;
         file "db.89.242.64";
         allow-transfer {
                 10.0.0.11;
                 10.0.0.12;
                 10.0.0.10;
                 10.0.0.14;
                 10.0.0.17;
         };
};

zone "fimble.com"{
         type master;
         file "db.fimble";
         allow-transfer {
                 10.0.0.12;
                 10.0.0.10;
                 10.0.0.14;
                 10.0.0.17;
         };
};

Then the zone file for fimble.com looks like:

$TTL 86400
@               IN      SOA     www.fimble.com. support.fimble.com. (
                         2002018988 ; serial
                         10800 ; refresh
                         3600 ; retry
                         604800 ; expire
                         86400 ; default_ttl
                         )
fimble.com.      IN      A      64.242.89.17
@                IN      MX     1       mail.fimble.com.
@                IN      NS     dns.fimble.com.
@                IN      NS     fimble.com.
dns              IN      A      64.242.89.11
www              IN      A      64.242.89.17
mail             IN      A      64.242.89.17

; Here is the SPF setup
fimble.com. IN TXT "v=spf1 ip4:64.242.89.0/24 a mx ptr include:globaltaxnetwork.com ~all"
mail.fimble.com. IN TXT "v=spf1 a -all"

What I can't figure out is why I can't query 64.242.89.11 from outside my firewall today. Try running:

nslookup www.fimble.com 64.242.89.11

or

nslookup www.fimble.com 64.242.89.17

My firewall is allowing DNS queries to that box in and out. Internally, I can run this:

kenny:/var/lib/named # nslookup www.fimble.com 10.0.0.11
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         10.0.0.11
Address:        10.0.0.11#53

Name:   www.fimble.com
Address: 64.242.89.17

Is there something I'm missing with my firewall? Here is the BIND start-up log information on .11:

Jan 17 11:31:36 kenny named[3913]: loading configuration from '/etc/named.conf'
Jan 17 11:31:36 kenny named[3913]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 17 11:31:36 kenny named[3913]: listening on IPv4 interface eth0, 10.0.0.11#53
Jan 17 11:31:36 kenny named[3913]: command channel listening on 127.0.0.1#953
Jan 17 11:31:36 kenny named[3913]: command channel listening on ::1#953
Jan 17 11:31:36 kenny named[3913]: zone 89.242.64.in-addr.arpa/IN: loaded serial 15
Jan 17 11:31:36 kenny named[3913]: zone fimble.com/IN: loaded serial 2002018988
Jan 17 11:31:36 kenny named[3913]: zone 89.242.64.in-addr.arpa/IN: sending notifies (serial 15)
Jan 17 11:31:36 kenny named[3913]: zone fimble.com/IN: sending notifies (serial 2002018988)

-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com

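Editor's note, added to this archived thread and not part of Mike's message: the useful next step with a "works inside, dead outside" symptom is to probe the public address at the protocol level, over both UDP and TCP, and look at what (if anything) comes back, rather than trusting the firewall rule as written. The probe below builds a raw, non-recursive DNS query for www.fimble.com, sends it to a server, and decodes the response header (QR, AA, TC, RCODE) and any A records, so the same probe run from inside (against 10.0.0.11) and from outside (against 64.242.89.11) can be compared directly. A UDP timeout with a working TCP answer, or vice versa, points at the PIX/NAT path; a response with AA clear or a non-zero RCODE points at named. The server addresses are the ones from the post; the timeout, transaction ID and the embedded sample response are constructed for the example.

```python
"""Raw DNS reachability probe (added example; not from the original post)."""
import socket
import struct

QTYPE_A = 1
DNS_PORT = 53

# Constructed sample: an authoritative answer for "www.fimble.com A",
# with the answer name given as a compression pointer (0xC00C) to the
# question name, as BIND would emit it.  Used for offline self-checks.
SAMPLE_RESPONSE = (
    b"\x12\x34"                  # transaction ID
    b"\x84\x00"                  # flags: QR=1, AA=1, RCODE=0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"  # QD=1 AN=1 NS=0 AR=0
    b"\x03www\x06fimble\x03com\x00\x00\x01\x00\x01"  # question
    b"\xc0\x0c\x00\x01\x00\x01\x00\x01\x51\x80\x00\x04\x40\xf2\x59\x11"  # A 64.242.89.17
)


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a one-question query with RD=0: we want the authoritative
    answer, not a recursion attempt, from a server that only hosts zones."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the flags that matter when debugging a firewalled server."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response (%d bytes)" % len(resp))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def _skip_name(resp: bytes, off: int) -> int:
    """Advance past a possibly-compressed domain name."""
    while True:
        ln = resp[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + ln


def parse_a_answers(resp: bytes) -> list:
    """Return the IPv4 addresses in the answer section, in order."""
    hdr = parse_header(resp)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(resp, off) + 4          # skip QTYPE/QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def probe_udp(server: str, name: str, timeout: float = 3.0):
    """Send the query over UDP; None means no reply before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name), (server, DNS_PORT))
        return s.recvfrom(4096)[0]
    except OSError:
        return None
    finally:
        s.close()


def probe_tcp(server: str, name: str, timeout: float = 3.0):
    """Send the same query over TCP (2-byte length prefix, RFC 1035 4.2.2)."""
    q = build_query(name)
    try:
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            prefix = s.recv(2)
            if len(prefix) < 2:
                return None
            need, data = struct.unpack("!H", prefix)[0], b""
            while len(data) < need:
                chunk = s.recv(need - len(data))
                if not chunk:
                    return None
                data += chunk
            return data
    except OSError:
        return None


def describe(resp) -> str:
    """One-line verdict for a probe result."""
    if resp is None:
        return "no reply (dropped, filtered or not listening)"
    h = parse_header(resp)
    return "reply aa=%s tc=%s rcode=%d answers=%s" % (
        h["aa"], h["tc"], h["rcode"], parse_a_answers(resp))


if __name__ == "__main__":
    # Run this once from inside the PIX and once from outside; differences
    # between the two runs, or between UDP and TCP, localise the fault.
    for server in ("64.242.89.11", "64.242.89.17", "10.0.0.11"):
        print(server, "udp:", describe(probe_udp(server, "www.fimble.com")))
        print(server, "tcp:", describe(probe_tcp(server, "www.fimble.com")))
```

The query deliberately clears RD, so a server that answers with AA set and RCODE 0 is proving it is authoritative for the zone over that path; an answer with TC set on UDP but a clean TCP reply is the classic sign of a firewall that inspects or truncates DNS payloads.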

