two nameservers

Joseph S D Yao jsdy at cospo.osis.gov
Fri May 19 20:39:37 UTC 2000


On Fri, May 19, 2000 at 02:08:42PM -0400, David Stern wrote:
> We have two nameservers running BIND 8.8.2p. One is inside our network
> and the other is in a DMZ. The one on the outside has been registered
> and I've set up the internal one so that zones aren't transferred. Basically,
> anyone on the outside will do queries on the external NS and people
> inside use the internal one.
> 
> 1/ Because the internal one originally was our primary, we set pinholes
>    in a firewall for port 53. Can we remove these now or are they still
>    necessary for people inside querying for domains that we don't have
>    authority on?

The latter.

> 2/ Turning on debugging (kill -WINCH) still shows an occasional query
>    from outside to the internal nameserver. And in fact, I can connect
>    from outside to the inside NS and ask about a particular host it
>    knows about that the outside/official nameserver doesn't. Can this
>    be stopped?

You should be able to block it in one direction.

I would check your config to see whether it ever mentions the internal
server, or whether the occasional back-search is due to someone doing
what you just did - testing to see if it were possible.  In the former
case, you should fix your configuration.  Is it also possible that some
other server [.com?] knows about your internal server?

OBTW, in some circles things that allow any IP through aren't called
"firewalls".  They're called "routers".  ;-]

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
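As an added example (not part of the original thread, and not the poster's or Joe's configuration), the statements below show how the internal server in a split-horizon setup like the one described above can refuse queries, recursion and zone transfers from anyone outside the internal network. It is written in BIND 9 named.conf syntax; the address ranges, the listen address and the zone name are assumptions. With no allow-query statement at all, named answers any client that can reach it, which is exactly the behaviour the poster observed from outside.

```conf
// Added example, not from the original thread. BIND 9 named.conf syntax;
// all addresses and the zone name are assumptions.

acl "internal-nets" {
    10.0.0.0/8;          // assumed internal address space
    127.0.0.1;
};

options {
    directory "/var/named";

    // Bind only to the inside interface (assumed address), so the
    // daemon never listens on an address reachable from the DMZ.
    listen-on { 10.0.0.53; 127.0.0.1; };

    // Weak setting: omitting allow-query means "any", so outside
    // hosts that reach port 53 get answers, including internal names.
    // Corrected: restrict queries, recursion and transfers explicitly.
    allow-query     { "internal-nets"; };
    allow-recursion { "internal-nets"; };
    allow-transfer  { none; };

    // Inside users still need this server to recurse for domains it
    // is not authoritative for; that outbound traffic to port 53 is
    // the firewall pinhole the reply says must stay.
    recursion yes;
};

zone "example.com" {
    type master;
    file "master/example.com.internal";
    // Internal view of the zone: never hand it out by AXFR.
    allow-transfer { none; };
};
```

The firewall side of "block it in one direction" is the stateful counterpart: permit the internal server's outbound queries to port 53 (UDP and TCP) and the replies to them, and drop unsolicited inbound port 53 traffic to the internal server. allow-query and allow-transfer also exist in BIND 8; allow-recursion appeared in BIND 8.2, so check the version actually installed before relying on it.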
