Confusion about IP/naming of DNS servers
kcd at daimlerchrysler.com
Wed Dec 4 22:29:52 UTC 2002
>So at the minimum I really need 2 static IPs? Perhaps it doesn't make sense
>to put the DNS server behind the firewall if its still going to talk
>directly to a 'slave' on the outside for this transfer. Would it make sense
>to have 3 IPs - two for DNS and one for the firewall / corp?
>In either event - I will have an email server behind the firewall with a
>non-routable IP. Will my MX address just point to the IP on the firewall in
>the expectation that it will forward all port 25 traffic to the appropriate
>"Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
>news:aslp8k$4kbs$1 at isrv4.isc.org...
>>>Is it possible to manage / admin one's own DNS servers if one only has a
>>>single static IP? I.e. if one is using MASQ or non-routable IPs behind a
>>>packet filtering machine? I can see where the packet filter might route
>>>requests on port 53 to a single (behind the filter) DNS machine but where
>>>would the secondary come into play?
>>>I've been reading the various O'Reilly books about DNS/BIND and Firewalls.
>>>I'm quite confused.
>>You'd need to get some other box, on a static IP outside of your
>>firewall, to be a slave. There shouldn't be any problem with someone
>>else slaving from your master server, since zone transfers use the same
>>ports you're permitting/forwarding anyway (i.e. TCP and UDP port 53).
>>Many places offer so-called "secondary" (i.e. slaving) service; I
>>understand that some of them are free, up to a certain number of domains.
It's really best to get a slave that's on a completely different
network. That way your domain is still available even if your network
connection or your ISP's connection is down. Some services care about
the difference between "cannot resolve host X" versus "cannot connect to
host X". In your position, I'd look into the free or low-cost
"secondary" services. I don't see any particular reason why your master
nameserver would need to be outside of the firewall. You should be able
to do zone transfers as well as queries through the firewall.
If you can arrange multiple off-site slaves, your master server wouldn't
even need to be a delegated nameserver for your domain -- it could be a
so-called "hidden" master which just replicates the zone to other
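To make the hidden-master arrangement above concrete, here is an added example configuration. It is not from the original post or from the bind-users list, and it is not BIND's own documentation; the addresses are assumptions taken from the RFC 5737 documentation ranges: the master sits on 192.168.1.10 behind a firewall whose public address is 192.0.2.1, and the two off-site slaves are 198.51.100.53 (ns1) and 203.0.113.53 (ns2). The master is "hidden" because the zone's NS records name only the slaves; the firewall forwards TCP and UDP port 53 from 192.0.2.1 to 192.168.1.10 so the slaves can transfer the zone.

```conf
// ----- Hidden master, inside the firewall (192.168.1.10, assumed) -----
// /etc/named.conf on the master
acl "offsite-slaves" { 198.51.100.53; 203.0.113.53; };   // assumed public slave addresses

options {
    directory "/var/named";
    listen-on { 192.168.1.10; };
    recursion no;                 // authoritative only; do not recurse for the outside world
    allow-query { any; };
    allow-transfer { none; };     // deny AXFR/IXFR globally unless a zone says otherwise
    notify yes;                   // send NOTIFY to every NS in the zone (i.e. the slaves)
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { offsite-slaves; };           // only the two slaves may pull the zone
    also-notify { 198.51.100.53; 203.0.113.53; }; // explicit NOTIFY targets as well
};

// ----- Off-site slave ns1 (198.51.100.53, assumed), on a different network/ISP -----
// The master is reached through the firewall's public address, which DNATs TCP and
// UDP 53 to 192.168.1.10. NOTIFY from the master also arrives from that address
// after NAT, so that is the address the slave trusts.
zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 192.0.2.1; };
    allow-notify { 192.0.2.1; };
    allow-transfer { none; };     // the public slaves need not hand the zone to anyone
};

// ----- master/example.com.zone on the hidden master (assumed sample data) -----
// The master itself never appears in an NS record, so resolvers never ask it directly.
// $ORIGIN example.com.
// @    IN SOA ns1.example.com. hostmaster.example.com. (
//                 2002120401 ; serial
//                 3600       ; refresh
//                 900        ; retry
//                 1209600    ; expire
//                 3600 )     ; negative TTL
//      IN NS  ns1.example.com.
//      IN NS  ns2.example.com.
// ns1  IN A   198.51.100.53
// ns2  IN A   203.0.113.53
```

Two checks are worth running once this is in place: `dig +short NS example.com` from outside should list only ns1 and ns2, and `dig @198.51.100.53 example.com AXFR` from an address not in the slave's `allow-transfer` should be refused. Transfers from the slaves go over TCP, so the firewall rule must forward TCP 53 as well as UDP 53, and the master needs outbound UDP 53 permitted so its NOTIFY messages reach the slaves.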