BIND 9.2.1 - experiments on stubs and listen-to

Mark_Andrews at isc.org Mark_Andrews at isc.org
Thu Dec 12 03:44:22 UTC 2002 

> 
> I have been trying to run some experiments to see how BIND 9.2.1 acts,
> for use on firewalls, but I have run out of time to do experiments.  As
> I might have saved time in the first place by asking if anyone has
> actually tried these experiments [rather than looking at the code and
> seeing what it should do], I'd like to ask and see.
> 
> First experiment:  Can a single view run "listen-on"ing only one of
> multiple Ethernet interfaces?

	Yes.

	Use match-destination to select the traffic for the view.
	listen-on must include the interface.
 
> Second experiment:  If I am running an internal "stub" server pointing
> to an internal domain, and the domain name is also served [with
> different information] on the outside, and the internal server goes
> down or is inaccessible for any amount of time, will the cache for the
> firewall 'named' be contaminated by the external DNS?
> 
> Hypothesis:  No hypothesis.  Under the given conditions, either the
> name server will stop returning valid information, or it will be
> contaminated with external information, as used to happen with BIND 4
> under a slightly different configuration.
> 
> Procedure:  THIS ONE I TRIED, with surprising results.  I set up a name
> server (an old SparcStation 5 running Linux and BIND 8.1.2) to serve
> fake zone "tux.org" with internal (RFC 1918) IP addresses.  All the
> times in the SOA were set to 10 seconds except for expire, which was
> set to 20 seconds.  I also gave it the root.cache file, including our
> proxy-only firewall IP address in it.
> I also set up a test name server running BIND 9.2.1.  It had:
> zone "tux.org"  IN      {
> 	type stub;
> 	masters { 198.81.161.69; };
> 	file "stub.tux";
> };
> as well as our usual forwarders [firewall], forward-only, etc.
> 
> Observation:  I got the external addresses.  I changed the zone above
> to "tux.edu" [which does not exist in the outside world], and got no
> replies.  On the test BIND 9.2.1 name server I progressively turned off
> "forward only", and then all the forwarders, and still had this
> problem.  I observed that the data was AXFR'ed over initially, but was
> NOT being requested every 10 seconds or even every 20 seconds.  And the
> fact that the NS and SOA information was brought over and stored in the
> "stub.tux" file did not seem to mean that BIND 9.2.1 could give me any
> information based on this data.

	Well you needed to override the global forwarding.

	zone "tux.org" {
		type stub;
		masters { 198.81.161.69; };
		file "stub.tux";
		forwarders { /* empty */ };
	};
 
> Conclusion:  If stub zones keep from being contaminated, they will be
> cleaner than forwarding to internal name servers (I can't delegate, as
> they have different parent domains).  If not, or if I can't figure out
> how to do stub zones at all, I will keep on forwarding.
> 
> Sorry to make this so long, but I wanted to give you all relevant
> information.  Any thoughts?
> 
> Thanks!
> 
> --
> Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
> OSIS Center Systems Support					EMT-B
> -----------------------------------------------------------------------
> 	    PLEASE ... send or Cc: all "OSIS Systems Support"
> 		     mail to sys-adm at center.osis.gov
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

More information about the bind-users mailing list