Why not "allow-query" in a forward zone?

Kevin Darcy kcd at daimlerchrysler.com
Thu Mar 9 18:56:21 UTC 2000

Jesper Dybdal wrote:

> Tilman Schmidt <Tilman.Schmidt at sema.de> wrote:
> >At 17:10 08.03.00 +0100, Jesper Dybdal wrote:
> >>For the sake of log files and troubleshooting, I would like the
> >>firewall itself to be able to look up names and IP addresses in
> >>the internal networks.
> >>
> >>This can be done by defining suitable "forward" zones that refer
> >>to the internal nameservers.
> >
> >That's not the way to do it. Instead, set up /etc/resolv.conf on
> >the firewall machine to use the internal nameserver instead of
> >the one running on the firewall machine itself. See the recent
> >thread "Public / Private zones - assistance please" in this
> >newsgroup.
> The situation is complicated by the fact that there are two separate internal
> networks involved.  If I put one of the internal nameservers first in
> resolv.conf, and the firewall needs to look up a name in the other internal
> network, the first internal nameserver will forward the query to the firewall
> itself, and it will eventually reply back that there is no such domain.  It
> will then not try other servers mentioned in resolv.conf.

Run a "private" instance of named on your firewall, i.e. one that only listens
to the loopback interface and/or internal interfaces, using the "listen-to"
option. Configure this nameserver to forward/stub/master/slave your internal
zones any way you want and point the firewall's resolver to it. The other
nameserver instance only serves queries from the external interface -- again,
using the "listen-to" option -- and has no knowledge of the internal domains; in
fact, for security you should probably turn off recursion for that instance and
only allow queries in your authoritative zones. When running multiple instances
of named on a machine, though, you have to be careful about things like zonefile
directories, pid files, ndc/logging channels and so forth, so that the instances
don't step on each other.

Of course, another option would be to run your "external" nameserver on a
separate machine outside of the firewall. In that case, you could still make
your firewall nameserver instance "private", but it would be a little easier to
configure and maintain.

- Kevin
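As an added example (not part of Kevin's message or of the bind-users thread), here is what the two-instance layout he describes looks like as a pair of BIND 9 named.conf files. Note that the option the message calls "listen-to" is spelled `listen-on` in BIND's configuration syntax (in BIND 8 as well as BIND 9). Every address, zone name, file path and rndc secret below is an illustrative assumption: 10.0.0.1 is taken to be the firewall's inside interface, 10.1.0.53 and 10.2.0.53 the nameservers of the two internal networks, 192.0.2.1 the outside interface, and example.com the zone the firewall serves to the Internet.

```conf
// ---- Instance 1: /etc/named-int.conf (private, internal-facing) ----
// Listens on loopback and the inside interface only, so the firewall's own
// /etc/resolv.conf can simply say "nameserver 127.0.0.1".
options {
    directory        "/var/named/internal";
    pid-file         "/var/run/named-int.pid";          // must differ per instance
    session-keyfile  "/var/run/named-int.session.key";  // likewise
    listen-on        { 127.0.0.1; 10.0.0.1; };          // assumed inside address
    listen-on-v6     { none; };
    recursion        yes;
    allow-query      { 127.0.0.1; 10.0.0.0/8; };
    allow-recursion  { 127.0.0.1; 10.0.0.0/8; };
    // No global forwarders: anything not matched below is resolved normally
    // from the root (BIND 9 uses compiled-in root hints when no hint zone is given).
};

// One forward zone per internal domain (plus its reverse zone), each pointing
// straight at the server authoritative for it. Because the firewall asks the
// right internal server directly, the loop from the question (first internal
// server forwards back to the firewall, which answers NXDOMAIN) cannot occur.
zone "corp.example"       { type forward; forward only; forwarders { 10.1.0.53; }; };
zone "1.10.in-addr.arpa"  { type forward; forward only; forwarders { 10.1.0.53; }; };
zone "lab.example"        { type forward; forward only; forwarders { 10.2.0.53; }; };
zone "2.10.in-addr.arpa"  { type forward; forward only; forwarders { 10.2.0.53; }; };

// Separate control channel and log file so rndc and logging do not collide
// with the other instance. The secret is a placeholder; generate a real one
// with rndc-confgen.
key "rndc-int" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXItaW50ZXJuYWw="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-int"; }; };
logging {
    channel int_log { file "/var/log/named-int.log" versions 3 size 5m; severity info; print-time yes; };
    category default { int_log; };
};

// ---- Instance 2: /etc/named-ext.conf (public, external-facing) ----
// Listens on the outside interface only, never recurses, and answers only for
// the zones it is authoritative for. It has no forward zones for the internal
// domains, so nothing internal can leak through it.
options {
    directory         "/var/named/external";
    pid-file          "/var/run/named-ext.pid";
    session-keyfile   "/var/run/named-ext.session.key";
    listen-on         { 192.0.2.1; };                   // assumed outside address
    listen-on-v6      { none; };
    recursion         no;                               // not an open resolver
    allow-query       { none; };                        // default deny, opened per zone
    allow-query-cache { none; };
    allow-transfer    { none; };                        // opened per zone as well
    version           "none";                           // don't advertise the BIND version
};

zone "example.com" {
    type master;                                        // "primary" in BIND 9.16+
    file "example.com.zone";
    allow-query    { any; };
    allow-transfer { 192.0.2.53; };                     // assumed offsite secondary
};
zone "2.0.192.in-addr.arpa" {
    type master;
    file "2.0.192.in-addr.arpa.zone";
    allow-query    { any; };
    allow-transfer { 192.0.2.53; };
};

key "rndc-ext" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXItZXh0ZXJuYWw="; }; // placeholder
controls { inet 127.0.0.1 port 954 allow { 127.0.0.1; } keys { "rndc-ext"; }; };  // different port
logging {
    channel ext_log { file "/var/log/named-ext.log" versions 3 size 5m; severity info; print-time yes; };
    category default { ext_log; };
};

// Starting and checking the pair (from a shell on the firewall):
//   named-checkconf /etc/named-int.conf && named-checkconf /etc/named-ext.conf
//   named -c /etc/named-int.conf
//   named -c /etc/named-ext.conf
//   echo "nameserver 127.0.0.1" > /etc/resolv.conf
//   dig @127.0.0.1 host.corp.example     # answered via 10.1.0.53
//   dig @127.0.0.1 host.lab.example      # answered via 10.2.0.53
//   dig @192.0.2.1 host.corp.example     # status: REFUSED, as intended
//   dig @192.0.2.1 www.example.com       # answered, aa flag set
```

The two `dig` queries against the outside address are the check worth keeping: an internal name must come back REFUSED, and only the authoritative zones may answer. If the external instance ever needs to be moved to a separate machine outside the firewall, as the message also suggests, its named.conf carries over unchanged apart from `listen-on`.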
