Confusion about IP/naming of DNS servers

Kevin Darcy kcd at daimlerchrysler.com
Wed Dec 4 22:29:52 UTC 2002


anonymous wrote:

> So at the minimum I really need 2 static IPs? Perhaps it doesn't make sense
> to put the DNS server behind the firewall if it's still going to talk
> directly to a 'slave' on the outside for this transfer. Would it make sense
> to have 3 IPs - two for DNS and one for the firewall / corp?
>
> In either event - I will have an email server behind the firewall with a
> non-routable IP. Will my MX address just point to the IP on the firewall in
> the expectation that it will forward all port 25 traffic to the appropriate
> internal machine?
>
> "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> news:aslp8k$4kbs$1 at isrv4.isc.org...
>
>> anonymous wrote:
>>
>>> Is it possible to manage / admin one's own DNS servers if one only has a
>>> single static IP? I.e. if one is using MASQ or non-routable IPs behind a
>>> packet filtering machine? I can see where the packet filter might route all
>>> requests on port 53 to a single (behind the filter) DNS machine but where
>>> would the secondary come into play?
>>>
>>> I've been reading the various O'Reilly books about DNS/BIND and Firewalls and
>>> I'm quite confused.
>>
>> You'd need to get some other box, on a static IP outside of your
>> firewall, to be a slave. There shouldn't be any problem with someone
>> else slaving from your master server, since zone transfers use the same
>> ports you're permitting/forwarding anyway (i.e. TCP and UDP port 53).
>> Many places offer so-called "secondary" (i.e. slaving) service; I
>> understand that some of them are free, up to a certain number of domains.
>>
It's really best to get a slave that's on a completely different 
network. That way your domain is still available even if your network 
connection or your ISP's connection is down. Some services care about 
the difference between "cannot resolve host X" versus "cannot connect to 
host X". In your position, I'd look into the free or low-cost 
"secondary" services.  I don't see any particular reason why your master 
nameserver would need to be outside of the firewall. You should be able 
to do zone transfers as well as queries through the firewall.

If you can arrange multiple off-site slaves, your master server wouldn't 
even need to be a delegated nameserver for your domain -- it could be a 
so-called "hidden" master which just replicates the zone to other 
nameservers.

- Kevin
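As an added illustration of the hidden-master arrangement described above (this is not part of the original thread and not Kevin's configuration), here are named.conf fragments for a master behind the firewall and one off-site slave: the master answers transfer requests only from a holder of a shared TSIG key, so the port 53 the firewall forwards does not let arbitrary hosts dump the zone, and the slave never re-exports it. The zone name, both addresses, the key name and the secret are made-up placeholders.

```conf
// --- Hidden master, inside the firewall (placeholder zone example.com) ---
// The firewall forwards TCP and UDP port 53 from its public address to this host.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";   // placeholder; generate your own
};

options {
    // Refuse AXFR/IXFR from anyone who does not sign with the key: without this,
    // the forwarded port 53 would let any outside host copy the whole zone.
    allow-transfer { key "xfer-key"; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // Public address of the off-site slave (placeholder). NOTIFY is sent here so
    // the slave pulls a fresh copy as soon as the SOA serial changes.
    also-notify { 198.51.100.53; };
    // The zone file's NS records list only the public slaves, so this host is
    // never delegated to and stays "hidden".
};

// --- Off-site slave on another network (placeholder address 198.51.100.53) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";   // same secret as on the master
};

// 203.0.113.1 is the firewall's public address that is forwarded to the master.
server 203.0.113.1 {
    keys { "xfer-key"; };      // sign transfer requests sent to the master
};

zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";
    masters { 203.0.113.1; };
    allow-transfer { none; };  // answer queries only; do not hand out the zone
};
```

From an unrelated host, `dig @203.0.113.1 example.com axfr` should now be refused while the slave's own transfers succeed; the same check against the slave should be refused as well.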
