[clue-tech] Critical BIND issues behind firewall

Mike Staver staver at fimble.com
Mon Jan 17 14:00:18 MST 2005


>>> BTW, I think I have the issue figured out - the problem comes from using
>>> Split DNS.  I had my first config using split dns, and during the AXFR
>>> zone transfers, all of them were getting transferred the local zone
>>> files... so even the external zone files were being filled with 10.0.0
>>> ip addresses... causing the problem.  I'm not sure how to get around
>>> this... mainly because the reason I need split dns is because when
>>> you're behind a PIX, you can't address the remote IP address, only the
>>> internal one.
>>
>>
>>
>> And I suppose you could use the
>>
>> query-source address 80.80.80.80 port 53;
>>
>> to force your DNS server to answer with a specific IP address.
>>
>> You PIX is doing static NAT for your DNS servers right?
> 
> 
> Yes, my PIX is doing static NAT... however like I said, for the AXFR's, 
> it's getting the internal zones twice - once for internal and once for 
> external.  With a PIX, you can not connect to the external IP on the 
> thing and come back across the PIX.  So, what happens is that on my 
> slaves, the external ips get replaced with the internal - which is bad. 
>  here is my config:
> 
> acl "internal" {
>         127/8; 10.0.0/24;
> };
> 
> view "internal" {
>         query-source address 10.0.0.17;
>         match-clients { "internal"; };
>         recursion yes;
> 
>         zone "." {
>           type hint;
>           file "db.cache";
>         };
> 
>         zone "fimble.com"{
>           type slave;
>           file "db.fimble.internal";
>           masters {
>                 10.0.0.11;
>           };
>         };
> 
> };
> 
> view "external" {
>         match-clients { any; };
>         recursion no;
> 
>         zone "." {
>           type hint;
>           file "db.cache";
>         };
> 
>         zone "fimble.com"{
>           type slave;
>           file "db.fimble";
>           masters {
>                 10.0.0.11;
>           };
>         };
> };
> 
> When my slave servers query the master for the zone file for fimble.com, 
> they get the local one because that's what I told it to do in my config 
> up there... I don't know if I could tell the AXFR protocol to not get 
> the local though.  Any thoughts?

I also need to mention that I'm getting this now:

Jan 17 13:41:05 mail named[11326]: zone fimble.com/IN: refresh: non-authoritative answer from master 10.0.0.11#53

-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com
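The root cause described in this thread is that the master picks a view by the source address of the transfer request, and a slave behind the PIX always arrives from a 10.0.0.x address, so both of the slave's views receive the internal zone. The usual remedy is to let the slave identify the view it wants with a TSIG key and have the master select views by key before falling back to address. The fragment below is an added example, not configuration from the thread; the key names `internal-key` and `external-key` are assumed and the secrets are placeholders.

```conf
# --- master (10.0.0.11): named.conf fragment ---
# Generate real secrets with "tsig-keygen internal-key" (BIND 9.11+) or
# dnssec-keygen on older releases; the values below are placeholders only.
key "internal-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-INTERNAL-SECRET=";
};
key "external-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-EXTERNAL-SECRET=";
};

acl "internal" { 127/8; 10.0.0/24; };

view "internal" {
    # A request signed with external-key must not land in this view even
    # though it comes from a 10.0.0.x slave; without the "!key" entry the
    # address ACL alone would match it and hand out the internal zone.
    match-clients { !key external-key; key internal-key; "internal"; };
    allow-transfer { key internal-key; };    # no unsigned AXFR of internal data
    recursion yes;
    zone "fimble.com" { type master; file "db.fimble.internal"; };
};

view "external" {
    match-clients { key external-key; any; };
    allow-transfer { key external-key; };
    recursion no;
    zone "fimble.com" { type master; file "db.fimble"; };
};

# --- slave: named.conf fragment (repeat the key and acl statements) ---
view "internal" {
    match-clients { "internal"; };
    # Every SOA refresh and AXFR this view sends to the master is signed
    # with internal-key, so the master serves it from its internal view.
    server 10.0.0.11 { keys { internal-key; }; };
    zone "fimble.com" { type slave; file "db.fimble.internal"; masters { 10.0.0.11; }; };
};

view "external" {
    match-clients { any; };
    # Signed with external-key, so the master answers from its external view
    # even though the request still originates from the internal address.
    server 10.0.0.11 { keys { external-key; }; };
    zone "fimble.com" { type slave; file "db.fimble"; masters { 10.0.0.11; }; };
};
```

After reloading both servers, `rndc retransfer fimble.com in external` on the slave followed by a check that `db.fimble` no longer contains 10.0.0 addresses confirms the external view is pulling the right data.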
