[clue-tech] Critical BIND issues behind firewall

David Anselmi anselmi at anselmi.us
Mon Jan 17 19:44:50 MST 2005


Mike Staver wrote:
[...]
> ----------------------------------
> Notice that the way I worded my answer to the 3rd question was in the 
> assumption that the public slave and the private slave would be separate 
> servers. You are talking like you are expecting both public and private 
> slave zones to be on the same server. Unless the slave server has 
> multiple IP addresses, this just isn't possible except through advanced 
> TSIG related techniques, which could be tricky for me to walk you 
> through considering I've only read about it and have no experience with 
> the technique.
> ---------------------------------
> 
> Ah ha.  This sucks, but lets me know that what I'm trying to do is 
> impossible.  Putting both the internal and external zone slaves on one 
> bind server is not possible.  I guess AXFR can't work like that.

Yes, I ran into this once.  But once you think about it, it's obvious. 
The master can only show one view to a slave.  A slave can only get one 
zone from a master (if it gets two, how does it distinguish between them?)

I understand the ISC guys provide support contracts.  You could call and 
ask them how much to implement mind-reading in BIND. ;-)

But anyway, there are a couple of ways around this.

The one I've actually used (does that make it easiest?) is to keep the 
internal IPs in a different zone (like dev.fimble.com or something). 
You set up internal machines to query for the internal zones and it 
should be transparent enough.

You could add additional IPs to the slaves (and perhaps the master too, 
to keep things consistent).  The machines answer DNS with internal data 
on internal IPs and with external data on external IPs (which are still 
private, but different from the internal ones).  If you really want to 
force separation you can use different subnets (two logical networks on 
one physical one) but that probably isn't necessary and will probably 
confuse you (or at least make troubleshooting harder since there's more 
complexity to keep in your head).

You can run the zones on separate slaves.  You have or can get spare boxes.

You can run all the servers as masters and use some other mechanism to 
sync their configs and data.  This is the way Win 2003 does it with AD. 
You may well need a config syncer anyway.  quattor seems to be making 
good progress and infrastructures.org probably has some other advice.

You can ask Cricket Liu what the best solution is.  Last I heard he's 
still doing DNS consulting.  He ought to have a canned answer for your 
setup by now that he'll give you cheap.

You might split your DNS between external and internal more completely. 
If all your internal machines provide public services that may not be 
worthwhile, but if you have (or need) another "internal" network that is 
more private it might improve your security.

Probably there are others.

Dave
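The "additional IPs on the slaves (and the master too)" approach above, worked through as a BIND 9 named.conf pair. This is an added illustration, not configuration from Dave's message or from the original poster's setup: the zone name fimble.com is taken from the thread, while the addresses (10.1.1.0/24 as the "internal" side, 10.2.2.0/24 as the "external" side, both private as Dave describes), file paths and view names are assumptions. The master and the slave each get one IP per side and pick the view by the address a packet arrived on (`match-destinations`), so the same zone name can carry two different contents and each slave view pulls from the matching address on the master.

```conf
// ---- master: /etc/named.conf (hypothetical addresses) ----
options {
    directory "/var/named";
    listen-on { 10.1.1.10; 10.2.2.10; };  // one address per side, both private
    recursion no;
};

// The view is chosen by the destination address of the query, so
// queries and AXFRs to 10.1.1.10 never see the external data.
view "internal" {
    match-destinations { 10.1.1.10; };
    zone "fimble.com" {
        type master;
        file "internal/fimble.com";        // internal RRs only
        allow-transfer { 10.1.1.53; };     // only the slave's internal address
        notify explicit;
        also-notify { 10.1.1.53; };
        notify-source 10.1.1.10;           // slave accepts NOTIFY only from its listed master
    };
};

view "external" {
    match-destinations { 10.2.2.10; };
    zone "fimble.com" {
        type master;
        file "external/fimble.com";        // public-facing RRs only
        allow-transfer { 10.2.2.53; };
        notify explicit;
        also-notify { 10.2.2.53; };
        notify-source 10.2.2.10;
    };
};

// ---- slave: /etc/named.conf (hypothetical addresses) ----
options {
    directory "/var/named";
    listen-on { 10.1.1.53; 10.2.2.53; };
};

view "internal" {
    match-destinations { 10.1.1.53; };
    zone "fimble.com" {
        type slave;
        masters { 10.1.1.10; };            // talks to the master's internal view
        transfer-source 10.1.1.53;         // so the master's allow-transfer matches
        file "slaves/fimble.com.internal"; // each view needs its own file
    };
};

view "external" {
    match-destinations { 10.2.2.53; };
    zone "fimble.com" {
        type slave;
        masters { 10.2.2.10; };            // talks to the master's external view
        transfer-source 10.2.2.53;
        file "slaves/fimble.com.external";
    };
};
```

To check that the split holds, compare `dig @10.1.1.53 fimble.com SOA` with `dig @10.2.2.53 fimble.com SOA` after the first transfer: the serials and records should differ exactly as the two master files do. The two points most likely to bite are the ones commented above: every zone statement needs a distinct `file`, or the two views will overwrite each other's copy, and the master's `notify-source` must match what the slave lists in `masters`, or the slave will discard the NOTIFY and only refresh on its SOA timer. Keep `allow-transfer` limited to the slave's address on that side, otherwise the internal view leaks to anyone who can reach 10.1.1.10.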


