[clue-tech] Critical BIND issues behind firewall
Mike Staver
staver at fimble.com
Mon Jan 17 14:00:18 MST 2005
>>> BTW, I think I have the issue figured out - the problem comes from using
>>> Split DNS. I had my first config using split dns, and during the AXFR
>>> zone transfers, all of them were getting transferred the local zone
>>> files... so even the external zone files were being filled with 10.0.0
>>> ip addresses... causing the problem. I'm not sure how to get around
>>> this... mainly because the reason I need split dns is because when
>>> you're behind a PIX, you can't address the remote IP address, only the
>>> internal one.
>>
>>
>>
>> And I suppose you could use the
>>
>> query-source address 80.80.80.80 port 53;
>>
>> to force your DNS server to answer with a specific IP address.
>>
>> Your PIX is doing static NAT for your DNS servers, right?
>
>
> Yes, my PIX is doing static NAT... however like I said, for the AXFRs,
> it's getting the internal zones twice - once for internal and once for
> external. With a PIX, you can not connect to the external IP on the
> thing and come back across the PIX. So, what happens is that on my
> slaves, the external IPs get replaced with the internal - which is bad.
> Here is my config:
>
> acl "internal" {
>     127/8; 10.0.0/24;
> };
>
> view "internal" {
>     query-source address 10.0.0.17;
>     match-clients { "internal"; };
>     recursion yes;
>
>     zone "." {
>         type hint;
>         file "db.cache";
>     };
>
>     zone "fimble.com" {
>         type slave;
>         file "db.fimble.internal";
>         masters {
>             10.0.0.11;
>         };
>     };
> };
>
> view "external" {
>     match-clients { any; };
>     recursion no;
>
>     zone "." {
>         type hint;
>         file "db.cache";
>     };
>
>     zone "fimble.com" {
>         type slave;
>         file "db.fimble";
>         masters {
>             10.0.0.11;
>         };
>     };
> };
>
> When my slave servers query the master for the zone file for fimble.com,
> they get the local one because that's what I told it to do in my config
> up there... I don't know if I could tell the AXFR protocol to not get
> the local though. Any thoughts?
I also need to mention that I'm getting this now:
Jan 17 13:41:05 mail named[11326]: zone fimble.com/IN: refresh: non-authoritative answer from master 10.0.0.11#53
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
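One way to keep the two views' transfers apart, added here as an example and not part of the thread: have the master select the view by TSIG key rather than by source address, so the slave's external view can still reach 10.0.0.11 from 10.0.0.17 and be handed the external copy of the zone. The key name, the placeholder secret and the master-side layout (assumed to mirror the slave's two views) are assumptions; the master's named.conf is not shown in the thread.

```conf
// --- master (10.0.0.11), assumed to carry the same two views ---
key "external-xfer" {
    algorithm hmac-sha256;      // use hmac-md5 on BIND 9.3-era servers that predate it
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder; generate with tsig-keygen
};

view "internal" {
    // A request signed with the external key is refused here first, so it
    // falls through to the external view even though it arrives from 10.0.0.0/24.
    match-clients { !key "external-xfer"; "internal"; };
    recursion yes;
    zone "fimble.com" { type master; file "db.fimble.internal"; };
};

view "external" {
    match-clients { key "external-xfer"; any; };
    recursion no;
    zone "fimble.com" { type master; file "db.fimble"; };
};

// --- slave (10.0.0.17): the same key, and only the external view changes ---
key "external-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // must match the master's secret
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "fimble.com" {
        type slave;
        file "db.fimble";
        // Sign the SOA refresh query and the AXFR with the key; the master then
        // serves the external zone although the TCP connection comes from 10.0.0.17.
        masters { 10.0.0.11 key "external-xfer"; };
    };
};
```

After the next refresh, grep the slave's db.fimble for 10.0.0 addresses: the file should hold only the public addresses once the master answers from its external view.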