[clue-tech] Critical BIND issues behind firewall

Mike Staver mikestaver at hotmail.com
Mon Jan 17 11:02:15 MST 2005


Sorry for the repost if this is one... I asked a BIND question from the 
email account that is having DNS problems, so obviously I'm not getting 
any mail back to that account, and I'm sending from this one.  Sorry if it's 
a dupe...

OK, here is my problem: I have two DNS servers, 64.242.89.11 and 
64.242.89.17.  They are both behind a PIX firewall, with local IPs of 
10.0.0.11 and 10.0.0.17.  The config for .11 looks like this:

options {
        dump-file "/var/log/named_dump.db";
        statistics-file "/var/log/named.stats";
        listen-on-v6 { none; };
        notify yes;
        // No listen-on is set, so named binds every IPv4 interface (lo and
        // eth0 in the log below).  No allow-query or allow-recursion is set
        // either: BIND 9 releases before 9.4 default both to { any; }, so
        // with the "." hint zone this server also recurses for any source
        // address that can reach port 53.
};

zone "." {
        type hint;
        file "db.cache";
};

// Reverse zone for 64.242.89.0/24; transfers limited to the internal hosts
zone "89.242.64.in-addr.arpa" {
        type master;
        file "db.89.242.64";
        allow-transfer {
                10.0.0.11;
                10.0.0.12;
                10.0.0.10;
                10.0.0.14;
                10.0.0.17;
        };
};

zone "fimble.com" {
        type master;
        file "db.fimble";
        allow-transfer {
                10.0.0.12;
                10.0.0.10;
                10.0.0.14;
                10.0.0.17;
        };
};

Then the zone file for fimble.com looks like:

$TTL 86400
; MNAME names www.fimble.com (64.242.89.17) as the primary master, although
; the master that loads this zone is dns.fimble.com (64.242.89.11).
@               IN      SOA     www.fimble.com. support.fimble.com. (
                        2002018988 ; serial
                        10800      ; refresh
                        3600       ; retry
                        604800     ; expire
                        86400      ; minimum (negative-caching TTL); the
                                   ; default record TTL comes from $TTL
                        )
fimble.com.      IN      A      64.242.89.17
@                IN      MX     1       mail.fimble.com.
@                IN      NS     dns.fimble.com.
@                IN      NS     fimble.com.
dns              IN      A      64.242.89.11
www              IN      A      64.242.89.17
mail             IN      A      64.242.89.17

; Here is the SPF setup (each quoted TXT string must stay on one line)
fimble.com.      IN      TXT    "v=spf1 ip4:64.242.89.0/24 a mx ptr include:globaltaxnetwork.com ~all"
mail.fimble.com. IN      TXT    "v=spf1 a -all"

What I can't figure out is why I can't query 64.242.89.11 from the outside 
of my firewall today.  Try running:

nslookup www.fimble.com 64.242.89.11

or

nslookup www.fimble.com 64.242.89.17

My firewall is allowing DNS queries to that box in and out.  Internally, I 
can run this:

kenny:/var/lib/named # nslookup www.fimble.com 10.0.0.11
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         10.0.0.11
Address:        10.0.0.11#53

Name:   www.fimble.com
Address: 64.242.89.17

Is there something I'm missing with my firewall?  Here is the BIND start-up 
log information on .11:

Jan 17 11:31:36 kenny named[3913]: loading configuration from '/etc/named.conf'
Jan 17 11:31:36 kenny named[3913]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 17 11:31:36 kenny named[3913]: listening on IPv4 interface eth0, 10.0.0.11#53
Jan 17 11:31:36 kenny named[3913]: command channel listening on 127.0.0.1#953
Jan 17 11:31:36 kenny named[3913]: command channel listening on ::1#953
Jan 17 11:31:36 kenny named[3913]: zone 89.242.64.in-addr.arpa/IN: loaded serial 15
Jan 17 11:31:36 kenny named[3913]: zone fimble.com/IN: loaded serial 2002018988
Jan 17 11:31:36 kenny named[3913]: zone 89.242.64.in-addr.arpa/IN: sending notifies (serial 15)
Jan 17 11:31:36 kenny named[3913]: zone fimble.com/IN: sending notifies (serial 2002018988)

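The post tests the servers with a single nslookup from outside. The next step a practitioner would take is to query each server over UDP and over TCP separately (firewalls commonly pass one and not the other) and look at the reply flags, not just the address: AA shows the answer is authoritative, TC means the reply was truncated and must be retried over TCP, and RA set on an authoritative-only box means it is also offering recursion to the world. The script below is an added example, not code from the original post or from BIND; it builds and parses DNS messages by hand so the parser can be exercised offline. The server addresses and the name come from the post, SAMPLE_RESPONSE is a constructed wire-format reply that matches the posted zone, and the PIX itself is not modeled.

```python
"""Raw DNS probe: query a server over UDP and over TCP and report the
reply flags.  Added example, not from the original post.  Addresses and
names are the post's; SAMPLE_RESPONSE is constructed to match its zone."""
import secrets
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_CNAME = 1, 2, 5


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype=QTYPE_A, txid=None):
    """Build a non-recursive (RD=0) IN query; return (txid, wire bytes)."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return txid, header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(packet, expected_id=None):
    """Parse header flags and the answer section of a DNS response."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    result = {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
              "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080), "answers": []}
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(packet, offset)
        offset += 4
    for _ in range(an):
        name, offset = _read_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (QTYPE_NS, QTYPE_CNAME):  # rdata is a compressible name
            value, _ = _read_name(packet, offset)
        else:
            value = rdata
        result["answers"].append((name, rtype, ttl, value))
        offset += rdlen
    return result


def probe(server, name, proto="udp", timeout=3.0):
    """Send one query over UDP or TCP (TCP frames each message with a 2-byte length)."""
    txid, query = build_query(name)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
    else:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            f = s.makefile("rb")
            hdr = f.read(2)
            if len(hdr) < 2:
                raise ValueError("connection closed before a TCP reply")
            data = f.read(struct.unpack("!H", hdr)[0])
    return parse_response(data, expected_id=txid)


# Constructed sample: the authoritative reply .11 should send for
# www.fimble.com (AA set, RA clear, one A record whose owner name is a
# compression pointer to the question name at offset 12).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + _encode_name("www.fimble.com") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 86400, 4) + bytes([64, 242, 89, 17])
)

if __name__ == "__main__":
    for server in ("64.242.89.11", "64.242.89.17"):
        for proto in ("udp", "tcp"):
            try:
                r = probe(server, "www.fimble.com", proto)
                print(server, proto, "rcode=%d aa=%s tc=%s ra=%s" %
                      (r["rcode"], r["aa"], r["tc"], r["ra"]), r["answers"])
            except (OSError, ValueError) as exc:
                print(server, proto, "FAILED:", exc)
```

Run it from a host outside the PIX. A UDP timeout with a working TCP reply (or the reverse) points at the firewall rule for that transport rather than at named; an answer with AA clear means you reached a server that is not authoritative for the zone; RA set in a reply to this RD=0 query means the box is advertising recursion to whoever sent it, which the posted named.conf does not restrict. The transaction-id check discards stray or spoofed replies instead of trusting the first packet to arrive.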



