Great Circle Associates Firewalls
(April 1998)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: RE: Re[2]: Split DNS config questions
From: Michael Batchelor <Michael_Batchelor @ citysearch . com>
Date: Fri, 3 Apr 1998 16:29:20 -0800
To: firewalls @ GreatCircle . COM

As it turns out, a lot of my confusion was from an incorrect
configuration on the inside servers.  While I had a directive in
named.conf for the forwarders, I omitted the option "forward only;".
Without this option, named (BIND 8) insists on having a hints file, even
if the hints file is full of bogus info.  It will replace the hints with
whatever it finds via the forwarder. Imagine my confusion when I set the
hints file to contain (exactly!) this:

. 99999999 IN NS 99999999 IN A

And then discovered the names and addresses of all the root servers in
the named_dump.db on the inside servers!  They discovered the real root
servers via the forwarder.

Adding "forward only;" to the options section keeps named from looking
for a root server, when it should only be forwarding.  No hints file
needed.  Its cache gets filled only with the results of queries it has
satisfied.  It's kind of like a default route for DNS, as Rick Murphy
put it.  He gave me some good insights into how this is supposed to
work, and I thank him for taking the time to help me.

Here's a sanitized version of my named.conf on the inside server:

options { directory "/var/named"; forwarders {; }; forward
only; };
zone "" in { type master; file "company.hosts"; };
zone "" in { type master; file "company.10.rev"; };

The named.conf for the firewall server is even simpler (our outside DNS
is served by existing hosts at our ISP's facilities).  All it has to do
is cache and handle queries from the inside servers.

options { directory "/var/named"; };
zone "." in { type hint; file "named.cache"; };

Since we already have outside nameservers, we can tighten this up some
by setting the firewall named to allow queries only from the inside
addresses, and to bind only to the inside interface.  YMMV, of course.

I hope this summary helps someone else get split DNS setup correctly.

Indexed By Date Previous: Re: Firewalls-Digest V7 #146-Auto Answer
From: Gordy Thompson <gordy @ nytimes . com>
Next: Sniffer
From: Taufik Islam <Tislam @ acaonline . org>
Indexed By Thread Previous: Re: Split DNS config questions
From: trall @ almaden . ibm . com
Next: Spam!
From: Daniel Walsh <karsus @ geocities . com>

Search Internet Search