two nameservers
Joseph S D Yao
jsdy at cospo.osis.gov
Fri May 19 20:39:37 UTC 2000
On Fri, May 19, 2000 at 02:08:42PM -0400, David Stern wrote:
> We have two nameservers running BIND 8.8.2p. One is inside our network
> and the other is in a DMZ. The one on the outside has been registered
> and I've set up the internal one st zones aren't transferred. Basically,
> anyone on the outside will do queries on the external NS and people
> inside use the internal one.
>
> 1/ Because the internal one originally was our primary, we set pinholes
> in a firewall for port 53. Can we remove these now or are they still
> necessary for people inside querying for domains that we don't have
> authority on?
The latter.
> 2/ Turning on debugging (kill -WINCH) still shows an occasional query
> from outside to the internal nameserver. And in fact, I can connect
> from outside to the inside NS and ask about a particular host it
> knows about that the outside/official nameserver doesn't. Can this
> be stopped?
You should be able to block it in one direction.
I would check your config to see whether it ever mentions the internal
server, or whether the occasional back-search is due to someone doing
what you just did - testing to see if it were possible. In the former
case, you should fix your configuration. Is it also possible that some
other server [.com?] knows about your internal server?
OBTW, in some circles things that allow any IP through aren't called
"firewalls". They're called "routers". ;-]
--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
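The one-direction block the reply suggests, written out as BIND 8 named.conf fragments. This is an added example, not configuration from the thread or from the BIND project; the address ranges, zone name and file paths are constructed placeholders, and it assumes the internal server sits on a 10.0.0.0/8 network.

```conf
// ---- internal nameserver (inside the firewall) ----
// Added example, not from the thread. 10.0.0.0/8, 192.168.1.0/24 and the
// zone/file names below are constructed placeholders.
acl "internal" { 127.0.0.1; 10.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/named";
    // Refuse queries from anyone not on the inside; this is the "block in
    // one direction": outside hosts can no longer ask this server about
    // names the DMZ server does not publish.
    allow-query { "internal"; };
    // Internal zone data never leaves this box, even to the DMZ server.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "internal.example.com.db";
};

// ---- external nameserver (DMZ, the registered one), separate named.conf ----
options {
    directory "/var/named";
    // Answer anyone for the zones it is authoritative for, but do not
    // recurse on behalf of outside clients.
    recursion no;
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "external.example.com.db";
};
```

With `allow-query` limited to the inside ranges, the test the questioner ran (querying the internal server from outside) gets a refusal instead of an answer. The firewall pinhole on port 53 still has to stay, as the reply says: the internal server sends its own queries out and needs the replies back for names it is not authoritative for. After changing the config, repeat the same outside query and confirm it is now refused, and watch the debug log for any remaining outside sources, which would point at a stale reference to the internal server elsewhere.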