Forwarding to a non-standard port

Jim Reid jim at mpn.cp.philips.com
Thu Jul 15 13:50:34 UTC 1999


>>>>> "John" == John Tan <d_name at hotmail.com> writes:

    John> I was just wondering that if you disable the recursion, then
    John> if the users on the internal network want to browse the
    John> internet, wouldn't the forwarder to the external DNS fail or
    John> did I miss out anything.

I didn't make this as explicit as I could have. I hope the comments
below clarify matters.

    Christine> From a security perspective, is it better to run my
    Christine> forwarder (intended only for my internal nameservers)
    Christine> and my external nameserver (publishes only a handful of
    Christine> hostnames to outsiders) as two separate named
    Christine> processes listening on two interfaces?  My forwarder
    Christine> would do recursion for the internal ns, what's the harm
    Christine> if outsiders use this service too?  (load, obviously,
    Christine> but what else?) I can turn off recursion for queries
    Christine> from outside but it's unfriendly and is it standard
    Christine> practice these days?

    Jim>  It's definitely better to run two distinct name server
    Jim> processes on the bastion host, one providing name service to the
    Jim> outside and one for the internal network.

    Jim> The outside name server should hold the external naming
    Jim> information ONLY and should have recursion disabled. That way
    Jim> it can only tell the outside world about the things it already
    Jim> knows: the stuff you want to let the outside world know about
    Jim> your domain. That name server probably doesn't need to lookup
    Jim> anything else anyway.

The firewall or bastion host runs two name server processes. One is
non-recursive and listens ONLY on the external interface. It will only
deal with incoming queries for names in the external DNS for your
site. The other only listens on the internal interface and handles
requests from your internal network. However that server will accept
recursive requests. It will be able to send OUT queries via the
external interface and get replies back. Those outgoing packets will
have a source address for the internal interface (or maybe your
firewall does port/address translation on the fly) which means that
replies to those requests from external name servers come in to the
firewall and get passed to the "internal" name server, not the one
listening on the external interface.

So the internal name server can see out, but the external one can't
see in. And nobody outside can query your internal server. Name
servers on the outside can send replies to queries originating from
that internal name server OK.
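As an added illustration of the arrangement described above (not configuration from Jim's post or from any real site), here are the two BIND named.conf files the two processes on the bastion host would read. The addresses (192.0.2.1 external, 10.0.0.1 internal), the zone name and all file paths are constructed placeholders.

```conf
// Added example, not from the original post. Two separate named processes
// on the bastion host, each started with its own configuration file.
// Addresses, zone name and file paths are constructed placeholders.

// ---- /etc/named-external.conf: the "outside" server ----
options {
    directory "/var/named/external";
    pid-file  "/var/run/named-external.pid";
    listen-on { 192.0.2.1; };      // external interface ONLY
    recursion no;                  // answers only from data it already holds
    allow-query { any; };          // the public zone is meant to be public
};

// The only thing this process knows: the names you publish to the world.
zone "example.com" {
    type master;
    file "example.com.external";
};

// ---- /etc/named-internal.conf: the "inside" server ----
options {
    directory "/var/named/internal";
    pid-file  "/var/run/named-internal.pid";
    listen-on { 10.0.0.1; };       // internal interface ONLY
    recursion yes;                 // resolves anything for internal hosts
    allow-query { 10.0.0.0/8; };   // ... and only for internal hosts
    // Outgoing queries carry the internal address as their source, so the
    // replies from outside name servers come back to this process and not
    // to the listener on the external interface.
    query-source address 10.0.0.1 port *;
};
```

Each named is started separately and pointed at its own file (for example `named -c /etc/named-external.conf`), so neither process ever binds the other's interface.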

