
Bind behind a DMZ?


Vincent Yonemitsu

Jan 7, 2008, 4:17:42 PM

Hi,
I have BIND 9 set up behind a firewall that is running static NAT (IP-to-IP), not port forwarding: a normal internal network / DMZ type setup.

It doesn't seem to be working. Is this kind of thing OK to do with BIND? I have done it before with other DNS servers but this is the first time I have used BIND. I want it to be authoritative for our domain on the Internet, and allow for queries from our internal network. I am able to resolve against it from our internal network but I am unable to retrieve the domain queries from outside of the domain.
Any tips would be appreciated.

Thanks.


--
Vincent Yonemitsu
Information Technology and Infrastructure Manager
vincenty...@soilengineersltd.com
Tel. (416) 754-8515 x 270
100 Nugget Avenue
Toronto, Ontario M1S 3A7
Toll Free Tel. (800) 268-5624 x 270
Fax: (416) 754-8516


> Greetings,
> Since available, I have been using the allow-recursion clause to limit recursive queries as appropriate for needs.
>
> However, after moving to 9.42 this option no longer works as anticipated.
> Working (previously) example:
>
> acl "trusted" { array; of; IP; addresses; and; or; netblocks; };
>
> options {
> ...
> allow-query { trusted; };
> allow-recursion { trusted; };
> ...
> };
>
> But the log indicates that the recursion clause is not being honored
> eg;
> client tr.us.ed.ip#36344: recursion not available
>
> Can anyone shed some light on why this is happening?
>
> Thank you for all your time and consideration in this matter.
>
> Chris


Kevin Darcy

Jan 7, 2008, 6:49:14 PM
What is your configuration? Are you using views? You haven't given us a
lot to go on here...


- Kevin


Mark Andrews

Jan 7, 2008, 8:02:57 PM

> On Mon, 7 Jan 2008, Vincent Yonemitsu wrote:
>
> > It doesn't seem to be working. Is this kind of thing ok
> > to do with bind? I have done it before with other DNS Servers but this is
>
>
> Your zone entry in named.conf should reflect this by use of "allow-query"
>
> eg:
>
> acl "trust" {
> localhost;
> localnets;
> 192.168.0.0/24;
> };
>
> acl "remotedns" {
> 1.2.3.4;
> 5.6.7.8;
> };
>
>
> zone "example.com" {
> type master;
> file "example.com";
> allow-update { none; };
> allow-transfer { trust; remotedns; };
> allow-query { any; };
> };
> -OR-
> zone "example.com" {
> type slave;
> file "example.com";
> masters { 1.2.3.4; };
> allow-query { any; };
> };
>
> ....It's also been years since I've changed the way I do trusted acl's,
> but I'm sure now days you don't need to include localhost or localnet as
> bind gets this from interfaces at startup and only need IP ranges
> not in the /24 (Mark? correct?)

The default is { localhost; localnets; }; for allow-query-cache and allow-recursion. If however you set either one of these or set allow-query the defaults are overridden with what you have in the relevant ACLs.

allow-recursion and allow-query-cache cross-inherit. allow-recursion and allow-query-cache inherit from allow-query if neither is set and allow-query is set.

Mark

> --
> Cheers
> Res
>
> mysql> update auth set Framed-IP-Address='127.0.0.127' where user= 'troll';
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org


Vincent Yonemitsu

Jan 7, 2008, 9:25:41 PM

Figured it out shortly before I left work and didn't have a chance to post back. I was missing the allow-query all; I had it restricted to my ACL list. Thanks folks. Sometimes you just need to ask, then stare at it before you figure it out. :)
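The two results in this thread, Mark's inheritance rules for allow-recursion and allow-query-cache, and Vincent's fix of adding a zone-level allow-query, can be checked against a small model of how the ACLs are evaluated. The following is an added example written for this page; it is not code from the thread and not code from ISC BIND. It does not parse named.conf: configurations are Python dicts, the contents of the built-in localhost and localnets ACLs are constructed assumptions, and the sample configurations and client addresses are constructed to resemble the ones in the thread.

```python
import ipaddress

# Constructed stand-ins for BIND's built-in ACLs. Assumption: the server has a
# single interface on 192.168.0.0/24, so that is what "localnets" expands to.
BUILTIN = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.1/32", "::1/128"],
    "localnets": ["192.168.0.0/24"],
}


def acl_match(acl, acls, client):
    """True if `client` (an address string) matches any element of `acl`.
    Elements are netblocks, names of user ACLs in `acls`, or built-in names."""
    ip = ipaddress.ip_address(client)
    for element in acl:
        if element in acls:
            if acl_match(acls[element], acls, client):
                return True
        elif element in BUILTIN:
            if acl_match(BUILTIN[element], acls, client):
                return True
        elif ip in ipaddress.ip_network(element, strict=False):
            return True
    return False


def effective_options(options):
    """Fill in allow-recursion and allow-query-cache the way Mark describes:
    both default to { localhost; localnets; }; if only one is set the other
    inherits from it; if neither is set but allow-query is, both inherit
    from allow-query. allow-query itself defaults to { any; }."""
    query = options.get("allow-query", ["any"])
    rec = options.get("allow-recursion")
    cache = options.get("allow-query-cache")
    if rec is None and cache is None:
        inherited = query if "allow-query" in options else ["localhost", "localnets"]
        rec, cache = list(inherited), list(inherited)
    elif rec is None:
        rec = cache
    elif cache is None:
        cache = rec
    return {"allow-query": query, "allow-recursion": rec, "allow-query-cache": cache}


def decide(config, client, qname):
    """Outcome of a recursion-desired query from `client` for `qname`:
    'answered', 'refused', or 'recursion not available' (the log line quoted
    in this thread). A zone-level allow-query overrides the options-level one
    for names inside that zone."""
    opts = effective_options(config["options"])
    acls = config.get("acl", {})
    zones = config.get("zone", {})
    zone = next((z for z in zones if qname == z or qname.endswith("." + z)), None)
    if zone is not None:
        allow_query = zones[zone].get("allow-query", opts["allow-query"])
        return "answered" if acl_match(allow_query, acls, client) else "refused"
    # Not our data: the client must be allowed to query at all, and then
    # allowed to recurse.
    if not acl_match(opts["allow-query"], acls, client):
        return "refused"
    if not acl_match(opts["allow-recursion"], acls, client):
        return "recursion not available"
    return "answered"


# Constructed configurations modelled on the thread. ORIGINAL restricts
# allow-query globally, which keeps outside clients from reaching the
# authoritative zone; FIXED adds the zone-level allow-query { any; }.
TRUSTED = ["192.168.0.0/24"]
ORIGINAL = {
    "acl": {"trusted": TRUSTED},
    "options": {"allow-query": ["trusted"], "allow-recursion": ["trusted"]},
    "zone": {"example.com": {"type": "master"}},
}
FIXED = {
    "acl": {"trusted": TRUSTED},
    "options": {"allow-query": ["trusted"], "allow-recursion": ["trusted"]},
    "zone": {"example.com": {"type": "master", "allow-query": ["any"]}},
}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for client, qname in (("203.0.113.7", "www.example.com"),
                              ("203.0.113.7", "www.isc.org"),
                              ("192.168.0.10", "www.isc.org")):
            print(f"{name:8} {client:13} {qname:16} -> {decide(cfg, client, qname)}")
```

With ORIGINAL, an outside client asking for the authoritative zone is refused, which is the symptom Vincent reported; with FIXED the same query is answered while the outside client is still refused for anything that needs recursion, so opening the zone does not turn the server into an open resolver. Under the same rules a client listed in the trusted ACL is granted recursion, which is what Mark's "Yes" below asserts for the 9.4.2 configuration; the model cannot say why a particular build logged otherwise.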

[bindlist]

Jan 7, 2008, 9:31:10 PM

Is this also true for version 9.42? Using the example above on a server we
recently changed to version 9.42 rejects recursion requests for the servers
listed in the "trusted" acl - "trust" in the above example.

from our named.conf:

acl "trusted" {
1.2.3.4; 1.2.3.5; 1.2.3.6; 1.2.3.9; 2.3.4.5; 3.4.5.6; 5.6.7.8; };

options {
...
allow-query { trusted; };
allow-recursion { trusted; };
...
};

zone "somedomain.tld" in {
type master;
file "somedomain.tld.zone";
allow-transfer { list of IP addresses };
};

Yet the log fills up with lines indicating "recursion not available"
when a /trusted/ client makes a request.

Has something changed?

Thank you.


Mark Andrews

Jan 7, 2008, 11:54:53 PM

Yes.

[bindlist]

Jan 8, 2008, 12:19:40 AM

Hello and thank you for your response.

Except /my/ copy. :(

Guess we'll have do roll back to an older version.

Thank you for all your time and consideration.

Steven Stromer

Jan 8, 2008, 7:43:02 PM

On Jan 7, 2008, at 9:25 PM, Vincent Yonemitsu wrote:

> Figured it out shortly before I left work and didn't have a chance to post back. I was missing the allow-query all; I had it restricted to my ACL list. Thanks folks. Sometimes you just need to ask, then stare at it before you figure it out. :)

I don't really get why you'd have to allow-query all. Shouldn't
limiting requests to your ACL list work just fine?

