[clue-tech] Critical BIND issues behind firewall
Mike Staver
staver at fimble.com
Mon Jan 17 14:12:13 MST 2005
>>>> BTW, I think I have the issue figured out - the problem comes from
>>>> using
>>>> Split DNS. I had my first config using split dns, and during the AXFR
>>>> zone transfers, all of them were getting transferred the local zone
>>>> files... so even the external zone files were being filled with 10.0.0
>>>> ip addresses... causing the problem. I'm not sure how to get around
>>>> this... mainly because the reason I need split dns is because when
>>>> you're behind a PIX, you can't address the remote IP address, only the
>>>> internal one.
>>>
>>> And I suppose you could use the
>>>
>>> query-source address 80.80.80.80 port 53;
>>>
>>> to force your DNS server to answer with a specific IP address.
>>>
>>> You PIX is doing static NAT for your DNS servers right?
>>
>> Yes, my PIX is doing static NAT... however like I said, for the
>> AXFR's, it's getting the internal zones twice - once for internal and
>> once for external. With a PIX, you can not connect to the external IP
>> on the thing and come back across the PIX. So, what happens is that
>> on my slaves, the external ips get replaced with the internal - which
>> is bad. here is my config:
>>
>> acl "internal" {
>> 127/8; 10.0.0/24;
>> };
>>
>> view "internal" {
>> query-source address 10.0.0.17;
>> match-clients { "internal"; };
>> recursion yes;
>>
>> zone "." {
>> type hint;
>> file "db.cache";
>> };
>>
>> zone "fimble.com"{
>> type slave;
>> file "db.fimble.internal";
>> masters {
>> 10.0.0.11;
>> };
>> };
>>
>> };
>>
>> view "external" {
>> match-clients { any; };
>> recursion no;
>>
>> zone "." {
>> type hint;
>> file "db.cache";
>> };
>>
>> zone "fimble.com"{
>> type slave;
>> file "db.fimble";
>> masters {
>> 10.0.0.11;
>> };
>> };
>> };
>>
>> When my slave servers query the master for the zone file for
>> fimble.com, they get the local one because that's what I told it to do
>> in my config up there... I don't know if I could tell the AXFR
>> protocol to not get the local though. Any thoughts?
>
> I also need to mention that I'm getting this now:
>
> Jan 17 13:41:05 mail named[11326]: zone fimble.com/IN: refresh:
> non-authoritative answer from master 10.0.0.11#53
After some reading and reading some more, I think I found a post that helps:
http://forums.devshed.com/t211831/s.html
Specifically this part:
----------------------------------
Notice that the way I worded my answer to the 3rd question was in the
assumption that the public slave and the private slave would be separate
servers. You are talking like you are expecting both public and private
slave zones to be on the same server. Unless the slave server has
multiple IP addresses, this just isn't possible except through advanced
TSIG related techniques, which could be tricky for me to walk you
through considering I've only read about it and have no experience with
the technique.
---------------------------------
Ah ha. This sucks, but it lets me know that what I'm trying to do is
impossible. Putting both the internal and external zone slaves on one
bind server is not possible. I guess AXFR can't work like that.
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
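The config in the thread makes the master choose its view by the slave's source address, so both of the slave's views end up transferring the internal zone. The "TSIG related technique" the quoted devshed post alludes to is to sign each view's transfer with a different key so the master matches the view by key instead; the following is an added example, not the poster's or the list's own configuration, and the key names, placeholder secrets, and the use of the thread's 10.0.0.11/10.0.0.17 addresses are assumptions.

```conf
// Added example: key-based view selection for split-DNS slaves on one host.
// Assumes master 10.0.0.11 and slave 10.0.0.17; secrets are placeholders
// (generate real ones with tsig-keygen). Root hint zones omitted for brevity.
// ---- master (10.0.0.11) ----
key "internal-xfer" {
    algorithm hmac-sha256;          // hmac-md5 on pre-9.5 releases
    secret "PLACEHOLDER_BASE64_SECRET_1==";
};
key "external-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_2==";
};
acl "internal" { 127/8; 10.0.0/24; };
view "internal" {
    // A request signed with the external key is pushed out of this view
    // even though it arrives from an internal address (negated key match).
    match-clients { key "internal-xfer"; !key "external-xfer"; "internal"; };
    recursion yes;
    zone "fimble.com" {
        type master;
        file "db.fimble.internal";
        allow-transfer { key "internal-xfer"; };
    };
};
view "external" {
    match-clients { key "external-xfer"; any; };
    recursion no;
    zone "fimble.com" {
        type master;
        file "db.fimble";
        allow-transfer { key "external-xfer"; };
    };
};
// ---- slave (10.0.0.17): same two key statements and acl, then ----
view "internal" {
    match-clients { "internal"; };
    zone "fimble.com" {
        type slave;
        file "db.fimble.internal";
        masters { 10.0.0.11 key "internal-xfer"; };   // lands in master's internal view
    };
};
view "external" {
    match-clients { any; };
    zone "fimble.com" {
        type slave;
        file "db.fimble";
        masters { 10.0.0.11 key "external-xfer"; };   // lands in master's external view
    };
};
```

The `key` clause in `masters` signs both the SOA refresh queries and the AXFR/IXFR requests, so the master's `allow-transfer` and `match-clients` can tell the two views apart regardless of source address. Unsigned NOTIFYs from the master will still land in the slave's internal view, so the external view refreshes on its SOA timer unless the master's external view also signs notifies with a `server 10.0.0.17 { keys { "external-xfer"; }; };` clause.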