help required

Marc.Thach at radianz.com Marc.Thach at radianz.com
Tue Aug 21 11:05:50 UTC 2001



Bharat,
If you must talk to one nameserver through the firewall, then that
nameserver must perform recursion if requested.  The majority of
ISPs' DNS servers will recurse, since typical dial-up and small clients do not run
DNS themselves.  If your ISP really won't perform recursion and you really
need this, then either change ISP for one that will, or adopt an
architecture with another nameserver on the DMZ as Peter suggests, or
modify your security policy.  If on the other hand you are trying to get
recursion (without authorisation) from a DNS server other than your ISP's,
then you will not get much sympathy around here.
In order to get recursion you need to be requesting with the RD bit set.  DNS
clients and nameservers using forwarders set the RD bit.  I assume that
you're using forwarders, rather than tampering with your root data.
Marc TXK

From:    pelln at icke-reklam.ipsec.nu.invalid
Sent by: bind-users-bounce at isc.org
To:      comp-protocols-dns-bind at moderators.isc.org
Subject: Re: help required
Date:    20/09/2001 09:50

Bharat Rawat Binwal <bharatrawat_bit at rediffmail.com> wrote:

> Hello all,

> There is some security problem with my network. So I do have a solution
> for it. Just want to confirm if my solution is possible.
> The situation goes like this.

> I'm running squid as proxy and have bind8.2.4 as my nameserver
> s/w.

> 1) As my security policy, in my firewall I allow the UDP queries to go to
> some specified nameserver only (let's say my ISP nameserver). This works fine
> if the ISP nameserver does have the IP for the query. The problem creeps up
> when the ISP nameserver returns some referrals to me and my bind (nameserver)
> tries to connect to that nameserver, which is not allowed in the firewall.
> So can I pose my nameserver as a client to the ISP nameserver and somehow
> ensure the ISP nameserver works recursively for my nameserver??

Forwarding to your ISP when the ISP does not allow recursive
queries won't work.

Normally I use a nameserver(s) located on the DMZ or outside the fw and have
the inside bind forward-only to that nameserver(s). Applied to
your scenario, you should allow your bind to ask questions all over the Internet.
That may imply that your nameserver should be located outside
your other hosts.

You also must allow TCP questions.

A number of links exist at:
"http://www.sans.org/infosecFAQ/DNS/DNS_list.htm"
also the book "Managing DNS & BIND" has a chapter on the issue:
"http://www.oreilly.com/catalog/dns4/chapter/ch11.html"


> Any help on the above mentioned question or any other solution suiting the
> presented scenario will be appreciated.

> Bharat







--
Peter Håkanson
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
              Remove "icke-reklam"and "invalid"  and it works.
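Both replies turn on the same two header bits: a forwarder must send RD=1, and the ISP's reply tells you by its RA bit (and by whether it hands back a referral, a REFUSED rcode, or a truncated answer needing TCP) whether forwarding through the firewall can work at all. The following is an added example, not code from this thread; it builds a query with RD set and decodes constructed reply headers offline (no real server is contacted, all replies are made up inline).

```python
import struct

RD, RA, TC, QR = 0x0100, 0x0080, 0x0200, 0x8000  # header flag bits, RFC 1035
REFUSED = 5                                      # RCODE a server returns for clients outside its recursion ACL

def build_query(qname, txid=0x1234, rd=True):
    """Minimal A/IN query. RD=1 is what a stub client or a forwarding nameserver sends."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Decode the 12-byte DNS header; RA says whether the responder offers recursion."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def classify(hdr):
    """What a reply means for a forward-only nameserver behind a UDP-only firewall rule."""
    if hdr["tc"]:
        return "truncated: client will retry over TCP, so 53/tcp must also be allowed"
    if hdr["rcode"] == REFUSED:
        return "REFUSED: this server does not recurse for you (not in its ACL)"
    if not hdr["ra"] and hdr["ancount"] == 0 and hdr["nscount"] > 0:
        return "referral: server did not recurse; your resolver would now need to reach other servers"
    if hdr["ra"]:
        return "recursion available: usable as a forwarder"
    return "no RA and no referral (rcode %d)" % hdr["rcode"]

# Constructed reply headers (bodies omitted) for the cases discussed in the thread.
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
REFERRAL_REPLY  = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 2, 2)
REFUSED_REPLY   = struct.pack("!HHHHHH", 0x1234, QR | RD | REFUSED, 1, 0, 0, 0)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | TC, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("query sets RD:", parse_header(q)["rd"])
    for label, reply in [("ISP, recursive", RECURSIVE_REPLY), ("ISP, referral", REFERRAL_REPLY),
                         ("ISP, refused", REFUSED_REPLY), ("large answer", TRUNCATED_REPLY)]:
        print("%-15s -> %s" % (label, classify(parse_header(reply))))
```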