Bind, firewall & forward

Joseph S D Yao jsdy at cospo.osis.gov
Wed Jun 2 15:08:02 UTC 1999


> I'm trying to configure a firewall.
> I'm using Bind 8.1.2-5 which comes with linux Redhat 5.2.
> the network looks like this :
>     bastion -----------  router ------------- internal server
>             net 1.10.10         net 192.168.300
>              (DMZ)
> the bastion host is connected to internet via another router.
> 
> I've configured bind on the bastion host (IP 1.10.10.5) with the following
> named.conf :
> options { directory "/var/named"; };
> zone "pep-esp.fr" { type master; file "named.db"; };
> zone "10.10.1.in-addr.arpa" { type master; file "named.rev"; };
> zone "." { type hint; file "named.ca"; };
> zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
> 
> I've configured bind on the internal server (IP 192.168.300.15) with the
> following named.conf :
> options {
>         directory "/var/named";
>         query-source address 1.10.10.5 port 53;
>         forward only;
>         forwarders { 1.10.10.5; };
> };
> zone "pep-esp.fr" { type master; file "named.db"; };
> zone "300.168.192.in-addr.arpa" { type master; file "named.rev"; };
> zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
> zone "." { type hint; file "named.ca"; };
> 
> This internal server was previously working correctly without the forward
> option.
> What I intend to do is to have the internal server answer internal hosts
> and forward requests concerning outside hosts to the firewall bind
> server, making only the bastion apparent to the internet.
> Unfortunately, this does not work.
> The 2 servers ping each other,
> configuring the resolv.conf of the bastion makes external resolution work
> (i.e. the bastion bind server is OK),
> the internal server responds correctly to internal
> queries (i.e. to resolve addresses in the 192.168.300 network),
> BUT the internal server does not respond to requests for external hosts.

Is 1.10.10.5 the bastion host or the internal server?  The "query-
source" in the internal server's configuration says to use that as the
internal server's address when querying.  [At least, this is how I
interpreted the documentation - I don't use this with my firewalls.]
But the "forwarders" command says to send all queries to that [remote?]
host.

So, which is it?  And, since you're forwarding to the bastion host, do
you really need the "query-source"?  [Probably not.]

Incidentally, it's not a good idea to use network 1.*.*.* - it may be
"reserved" today, but it may be used tomorrow.  Use network 10.*.*.*,
or one of the other RFC 1918 "private internet" networks.

Both hosts declare that they are the master, authoritative source for
the "pep-esp.fr" domain.  Thus, they will never query each other.  I
take it that this is to separate the external DNS from the internal DNS.
The external name server is the bastion host.  The internal name server
is the internal server, and the resolv.conf on the bastion host points
to that one.  Correct?

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
      This message is not an official statement of COSPO policies.
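The points raised in the reply (a query-source address that belongs to the forwarder rather than to the forwarding host, a non-RFC 1918 network, and the same zone declared master on both sides so it is never forwarded) can be checked mechanically. The following script is an added example, not code from the thread or from BIND; it embeds the two named.conf fragments quoted in the question as constructed input, plus a hypothetical corrected internal config that applies the reply's two suggestions (query-source removed, RFC 1918 addresses 10.10.10.5 and 192.168.30.15 chosen here as placeholders). The parser is minimal: it understands only the statement shapes used in these fragments, not the full named.conf grammar.

```python
"""Lint named.conf forwarding fragments for the mistakes discussed in the thread."""
import ipaddress
import re

# Constructed copies of the two named.conf files quoted in the question.
BASTION_CONF = """
options { directory "/var/named"; };
zone "pep-esp.fr" { type master; file "named.db"; };
zone "10.10.1.in-addr.arpa" { type master; file "named.rev"; };
zone "." { type hint; file "named.ca"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
"""

INTERNAL_CONF = """
options {
        directory "/var/named";
        query-source address 1.10.10.5 port 53;
        forward only;
        forwarders { 1.10.10.5; };
};
zone "pep-esp.fr" { type master; file "named.db"; };
zone "300.168.192.in-addr.arpa" { type master; file "named.rev"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
zone "." { type hint; file "named.ca"; };
"""

# Hypothetical corrected internal config (assumed, not from the thread):
# query-source dropped, bastion moved to the RFC 1918 address 10.10.10.5.
INTERNAL_CONF_FIXED = """
options {
        directory "/var/named";
        forward only;
        forwarders { 10.10.10.5; };
};
zone "pep-esp.fr" { type master; file "named.db"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
"""


def _blocks(text):
    """Yield (header, body) for each `header { body }` statement in text,
    matching nested braces so `forwarders { ... }` inside options stays intact."""
    i = 0
    while (start := text.find("{", i)) != -1:
        header = text[i:start].split(";")[-1].strip()
        depth, j = 1, start + 1
        while depth:  # assumes balanced braces, as in the inputs above
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def parse_config(text):
    """Extract query-source, forward mode, forwarders and master zones."""
    cfg = {"query_source": None, "forward": None, "forwarders": [], "master_zones": []}
    for header, body in _blocks(text):
        if header == "options":
            if m := re.search(r"query-source\s+address\s+([^\s;]+)", body):
                cfg["query_source"] = m.group(1)
            if m := re.search(r"\bforward\s+(only|first)\s*;", body):
                cfg["forward"] = m.group(1)
            for sub, sub_body in _blocks(body):
                if sub == "forwarders":
                    cfg["forwarders"] = [a.strip() for a in sub_body.split(";") if a.strip()]
        elif m := re.match(r'zone\s+"([^"]+)"', header):
            if re.search(r"\btype\s+master\s*;", body):
                cfg["master_zones"].append(m.group(1))
    return cfg


def check_address(addr):
    """Return a finding code for a malformed or non-private (non-RFC 1918) address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "BAD_ADDRESS"
    return None if ip.is_private else "NOT_RFC1918"


def check_forwarding(host_addrs, cfg, upstream_cfg):
    """Findings (code, detail) for resolver `cfg` on a host owning `host_addrs`
    that forwards to the server described by `upstream_cfg`."""
    findings = []
    qs = cfg["query_source"]
    for addr in dict.fromkeys(list(host_addrs) + cfg["forwarders"] + ([qs] if qs else [])):
        if code := check_address(addr):
            findings.append((code, addr))
    # query-source must be one of this host's own addresses, not the forwarder's.
    if qs and qs not in host_addrs:
        findings.append(("QS_NOT_LOCAL", qs))
    if qs and qs in cfg["forwarders"]:
        findings.append(("QS_IS_FORWARDER", qs))
    if cfg["forward"] and not cfg["forwarders"]:
        findings.append(("NO_FORWARDERS", cfg["forward"]))
    # A zone both sides serve as master is answered locally and never forwarded;
    # the loopback reverse zone is normal on every host, so it is skipped.
    for zone in cfg["master_zones"]:
        if zone in upstream_cfg["master_zones"] and zone != "0.0.127.in-addr.arpa":
            findings.append(("SHADOWED_ZONE", zone))
    return findings


if __name__ == "__main__":
    bastion = parse_config(BASTION_CONF)
    for label, conf, addrs in (("as posted", INTERNAL_CONF, ["192.168.300.15"]),
                               ("corrected", INTERNAL_CONF_FIXED, ["192.168.30.15"])):
        print(label, check_forwarding(addrs, parse_config(conf), bastion))
```

Run against the posted configuration it reports the invalid 192.168.300.15 address, the non-private 1.10.10.5, the query-source that is neither local nor distinct from the forwarder, and pep-esp.fr shadowed on both servers; against the corrected fragment only the shadowed zone remains, which is the intended split between external and internal DNS that the reply asks the poster to confirm.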


