[clue-tech] Critical BIND issues behind firewall
Mike Staver
staver at fimble.com
Mon Jan 17 13:51:56 MST 2005
>>BTW, I think I have the issue figured out - the problem comes from using
>>Split DNS. I had my first config using split dns, and during the AXFR
>>zone transfers, all of them were getting transferred the local zone
>>files... so even the external zone files were being filled with 10.0.0
>>ip addresses... causing the problem. I'm not sure how to get around
>>this... mainly because the reason I need split dns is because when
>>you're behind a PIX, you can't address the remote IP address, only the
>>internal one.
>
>
> And I suppose you could use the
>
> query-source address 80.80.80.80 port 53;
>
> to force your DNS server to answer with a specific IP address.
>
> Your PIX is doing static NAT for your DNS servers right?
Yes, my PIX is doing static NAT... however, like I said, for the AXFRs,
it's getting the internal zones twice - once for internal and once for
external. With a PIX, you cannot connect to the external IP on the
thing and come back across the PIX. So, what happens is that on my
slaves, the external IPs get replaced with the internal - which is bad.
Here is my config:
    // Clients considered "inside": loopback and the 10.0.0.0/24 LAN.
    acl "internal" {
        127/8; 10.0.0/24;
    };

    // Internal view: answers queries from the LAN, recursion allowed.
    view "internal" {
        query-source address 10.0.0.17;
        match-clients { "internal"; };
        recursion yes;
        zone "." {
            type hint;
            file "db.cache";
        };
        // Slave copy of the internal zone, transferred from the master.
        zone "fimble.com" {
            type slave;
            file "db.fimble.internal";
            masters {
                10.0.0.11;
            };
        };
    };

    // External view: answers everyone else, no recursion.
    view "external" {
        match-clients { any; };
        recursion no;
        zone "." {
            type hint;
            file "db.cache";
        };
        // Slave copy of the external zone, pulled from the same master
        // address; the transfer request leaves from the slave's internal
        // IP, so the master's "internal" view answers this AXFR too.
        zone "fimble.com" {
            type slave;
            file "db.fimble";
            masters {
                10.0.0.11;
            };
        };
    };
When my slave servers query the master for the zone file for fimble.com,
they get the local one because that's what I told it to do in my config
up there... I don't know if I could tell the AXFR protocol to not get
the local though. Any thoughts?
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
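The usual way out of this in BIND 9 is to let the master pick the view by TSIG key rather than by the slave's source address, so each view on the slave pulls the matching view's copy of the zone. The fragments below are an added example, not Mike's config or anything from the list; the key names, the secret placeholders and the slave address 10.0.0.17 reuse or assume values for illustration.

```conf
// ---------- master (10.0.0.11) ----------
// One TSIG key per view. Generate real secrets with dnssec-keygen and
// use different ones for the two keys; the placeholders are not valid.
key "internal-xfer" { algorithm hmac-md5; secret "<base64-secret-1>"; };
key "external-xfer" { algorithm hmac-md5; secret "<base64-secret-2>"; };

view "internal" {
    // A request signed with the external key must NOT fall into this
    // view even though it arrives from an internal address, hence the
    // negated key entry comes first.
    match-clients { !key external-xfer; key internal-xfer; "internal"; };
    recursion yes;
    zone "fimble.com" {
        type master;
        file "master/db.fimble.internal";
        allow-transfer { key internal-xfer; };   // internal data only to internal slaves
    };
};

view "external" {
    match-clients { key external-xfer; any; };
    recursion no;
    zone "fimble.com" {
        type master;
        file "master/db.fimble";
        allow-transfer { key external-xfer; };   // public data, no 10.0.0.x records
    };
};

// ---------- slave (10.0.0.17) ----------
// Same two key statements as on the master go here, then each view
// signs its transfers to 10.0.0.11 with its own key.
view "internal" {
    match-clients { "internal"; };
    server 10.0.0.11 { keys { internal-xfer; }; };
    zone "fimble.com" { type slave; file "db.fimble.internal"; masters { 10.0.0.11; }; };
};

view "external" {
    match-clients { any; };
    server 10.0.0.11 { keys { external-xfer; }; };
    zone "fimble.com" { type slave; file "db.fimble"; masters { 10.0.0.11; }; };
};
```

To check which copy the master hands out, run `dig -y external-xfer:<base64-secret-2> @10.0.0.11 fimble.com axfr` from an internal host; the answer should carry the public addresses, not 10.0.0.x.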