[clue-tech] Critical BIND issues behind firewall
Mike Staver
staver at fimble.com
Mon Jan 17 14:54:25 MST 2005
>>view "external" {
>> match-clients { any; };
>> recursion no;
>>
>>zone "." {
>> type hint;
>> file "db.cache";
>>};
>>
>>zone "fimble.com"{
>> type slave;
>> file "db.fimble";
>> masters {
>> 10.0.0.11;
>> };
>>};
>>};
>>
>>When my slave servers query the master for the zone file for fimble.com,
>>they get the local one because that's what I told it to do in my config
>>up there... I don't know if I could tell the AXFR protocol to not get
>>the local though. Any thoughts?
>
>
> Ok, now I see what you're saying... the "10.0.0.11" is in your external
> view and you have to have it that way because the PIX won't let internal
> clients hit the external static NAT address.
>
> That's a pickle. I'm sure there's a way to get around that problem though,
> this has to be fairly common. I'd have run into the same issue except my
> secondary DNS is off site, so when I put the public IP address in where
> you have "10.0.0.11" it works.
>
> If you haven't tried it, you could put your DNS servers public IP address
> in there just to see what happens... but it sounds like you have already
> done that and it breaks your slaves.
Yep, it breaks them. What I have to do is have 2 sets of slaves. One
set for external and one for internal. That stinks, it means things
like a new switch and 2 new machines outside of my PIX. I've researched
the hell out of this issue today, and I'm getting burned out by it - so
if anybody runs across a solution to this that doesn't involve 2 new DNS
servers, I'm all ears. Thanks for the input Chris.
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
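One way to work around the cross-view transfer problem discussed in this thread, added here as an example and not something posted by either participant: let the slave sign its transfer requests with a TSIG key, and have the master select the view by key rather than by source address (standard BIND 9 `key` / `match-clients { key ...; }` / `masters { addr key name; }` syntax). The slave address 10.0.0.12, the key name and the secret are assumed placeholders.

```conf
// --- on the MASTER (10.0.0.11, inside the PIX) ---
key external-key {
    algorithm hmac-sha256;              // hmac-md5 on BIND 9.3-era builds
    secret "PLACEHOLDER-base64-secret=="; // placeholder, generate your own
};

view "internal" {
    // Reject anything signed with external-key BEFORE matching on source
    // address; otherwise the internal slave's AXFR would land in this view.
    match-clients { !key external-key; 10.0.0.0/8; };
    recursion yes;
    zone "fimble.com" {
        type master;
        file "db.fimble.internal";
    };
};

view "external" {
    // A request signed with external-key selects this view regardless of
    // where it comes from; unsigned Internet clients fall through to "any".
    match-clients { key external-key; any; };
    recursion no;
    zone "fimble.com" {
        type master;
        file "db.fimble.external";
        allow-transfer { key external-key; };   // only keyed slaves may AXFR
        also-notify { 10.0.0.12; };             // assumed internal slave address
    };
};

// --- on the internal SLAVE (assumed 10.0.0.12) ---
key external-key {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-base64-secret=="; // must match the master's key
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "." { type hint; file "db.cache"; };
    zone "fimble.com" {
        type slave;
        file "db.fimble";
        // SOA checks and AXFR/IXFR to the master are signed with external-key,
        // so the master hands back the external copy even to an internal IP.
        masters { 10.0.0.11 key external-key; };
    };
};
```

The slave still reaches the master on its inside address, so no extra machines outside the PIX are needed; the key, not the address, decides which copy of fimble.com is transferred.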