[clue-tech] Critical BIND issues behind firewall
David Anselmi
anselmi at anselmi.us
Mon Jan 17 19:44:50 MST 2005
Mike Staver wrote:
[...]
> ----------------------------------
> Notice that the way I worded my answer to the 3rd question was in the
> assumption that the public slave and the private slave would be separate
> servers. You are talking like you are expecting both public and private
> slave zones to be on the same server. Unless the slave server has
> multiple IP addresses, this just isn't possible except through advanced
> TSIG related techniques, which could be tricky for me to walk you
> through considering I've only read about it and have no experience with
> the technique.
> ---------------------------------
>
> Ah ha. This sucks, but lets me know that what I'm trying to do is
> impossible. Putting both the internal and external zone slaves on one
> bind server is not possible. I guess AXFR can't work like that.
Yes, I ran into this once. But once you think about it, it's obvious.
The master can only show one view to a slave. A slave can only get one
zone from a master (if it gets two, how does it distinguish between them?)
I understand the ISC guys provide support contracts. You could call and
ask them how much to implement mind-reading in BIND. ;-)
But anyway, there are a couple of ways around this.
The one I've actually used (does that make it easiest?) is to keep the
internal IPs in a different zone (like dev.fimble.com or something).
You set up internal machines to query for the internal zones and it
should be transparent enough.
You could add additional IPs to the slaves (and perhaps the master too,
to keep things consistent). The machines answer DNS with internal data
on internal IPs and with external data on external IPs (which are still
private, but different from the internal ones). If you really want to
force separation you can use different subnets (two logical networks on
one physical one) but that probably isn't necessary and will probably
confuse you (or at least make troubleshooting harder since there's more
complexity to keep in your head).
You can run the zones on separate slaves. You have or can get spare boxes.
You can run all the servers as masters and use some other mechanism to
sync their configs and data. This is the way Win 2003 does it with AD.
You may well need a config syncer anyway. quattor seems to be making
good progress and infrastructures.org probably has some other advice.
You can ask Cricket Liu what the best solution is. Last I heard he's
still doing DNS consulting. He ought to have a canned answer for your
setup by now that he'll give you cheap.
You might split your DNS between external and internal more completely.
If all your internal machines provide public services that may not be
worthwhile, but if you have (or need) another "internal" network that is
more private it might improve your security.
Probably there are others.
Dave
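The TSIG-keyed technique the quoted text mentions, added here as an editor's illustration (not from either poster): master and slave each carry both copies of one zone on a single address, and the key used to sign the transfer request is what selects the view. Zone name, addresses, key names, secrets and file paths are all assumed.

```conf
# --- master named.conf (assumed address 192.0.2.1) ---
# one TSIG key per view; secrets are placeholders, generate real ones with tsig-keygen
key "internal-xfer" { algorithm hmac-sha256; secret "PLACEHOLDER_A=="; };
key "external-xfer" { algorithm hmac-sha256; secret "PLACEHOLDER_B=="; };

view "internal" {
    # a request signed with internal-xfer picks this view whatever address it
    # comes from; the !key entry keeps an external-signed request out of it
    # even when it arrives from 10/8
    match-clients { !key external-xfer; key internal-xfer; 10.0.0.0/8; };
    zone "example.com" {
        type master;
        file "master/example.com.internal";
        allow-transfer { key internal-xfer; };
    };
};
view "external" {
    match-clients { !key internal-xfer; key external-xfer; any; };
    zone "example.com" {
        type master;
        file "master/example.com.external";
        allow-transfer { key external-xfer; };
    };
};

# --- slave named.conf (assumed address 192.0.2.2; same two key statements) ---
# the zone exists twice, in two views, with two separate zone files
view "internal" {
    match-clients { !key external-xfer; key internal-xfer; 10.0.0.0/8; };
    zone "example.com" {
        type slave;
        file "slaves/example.com.internal";
        # signing the AXFR/IXFR request is what tells the master which view to
        # serve; an unsigned NOTIFY from 192.0.2.1 lands in the external view
        # below, so this copy refreshes on its SOA timer unless notifies are signed
        masters { 192.0.2.1 key internal-xfer; };
        allow-transfer { none; };
    };
};
view "external" {
    match-clients { !key internal-xfer; key external-xfer; any; };
    zone "example.com" {
        type slave;
        file "slaves/example.com.external";
        masters { 192.0.2.1 key external-xfer; };
        allow-transfer { none; };
    };
};
```

On the slave, `rndc retransfer example.com IN internal` and `rndc retransfer example.com IN external` pull each copy on demand, and `dig @192.0.2.2 -y hmac-sha256:internal-xfer:<secret> example.com SOA` shows which view answers a signed query.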