sanity check for dns configuration ...

Thomas C. Knoeller tck at pretend.net
Mon Nov 4 21:50:28 UTC 2002


Howdy DNS Gurus,

I need to come up with a solution for doing public internet dns in a
dmz/firewall/intranet setting where I have _very_ little ability to punch
holes through the firewall.

A little background.  The company I work for has been using an 'ip management'
tool for maintaining their DNS.  This tool uses a bunch of network ports that
are considered unsafe by the security folks.  So, management of an external
server is nearly impossible because of the firewall rules.  

To work around this limited management of the external server, it has been
suggested that we run the external server in a forward-only configuration.
The server would forward to a server in the inside of the firewall.  The
inside server would run all the services for the ip management tool.  

It would look something like this.

        ------------          ------------ 
        |external#1|          |external#2|     Forward-only
        ------------          ------------     (to internal) 
           |                      |
         -------                -------              |
             |                       |               |
        ------------          ------------           |
        |firewall#1|          |firewall#2|           |
        ------------          ------------   (udp/53, tcp/53)
           |                      |                  |
         -------                -------              |
             |                       |               |
        ------------          ------------           |
        |internal#1|          |internal#2|       internal     
        ------------          ------------           |
                  \            /                     |
                   \(intranet)/             (ugly network services) 
                    \        /                       |
             -----------------------                 |
             |ip management station|          ip mgmt station
             -----------------------      
    

We think that the only thing that we need to change to make it work is the ip
address of soa and ns records in the zone files.  They need to change from the
internal hosts ip address to the external hosts ip address.

Can anyone point out any other things we should be aware of as we test the
above implementation?

One of the things that we are worried about is the 'authoritative' nature of
the returned data.  Let me explain.  The external box is the authoritative
nameserver for our TLD.  But, if the external box is in forward-only mode,
I assume that the authoritative bit in the dns packet will not be set when it
returns a query.  Since the answer from the server claims not to be
authoritative, would the server be considered lame?

TIA for any thoughts and/or insights you can share.

-Tom
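
Added example (not part of Tom's post, and not BIND's own code): the question above comes down to whether a response from the external server carries the AA (Authoritative Answer) bit, so here is a small stand-alone checker for exactly that. It parses the 12-byte DNS header laid out in RFC 1035 section 4.1.1, reports the flag bits, and marks a response as "lame-looking" when it is not an authoritative, error-free answer. Sample responses are constructed in the script itself so it runs offline; the optional check_nameserver() probe at the bottom sends a real SOA query with RD clear (so a forwarder cannot hide behind recursion) and is only run when you pass it a server of your own. Server addresses and the zone name are assumptions you supply.

```python
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1 (16-bit flags word after the ID).
QR = 0x8000   # response (1) / query (0)
AA = 0x0400   # authoritative answer
TC = 0x0200   # truncated
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
RCODE_MASK = 0x000F


def parse_dns_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header and return its fields as a dict."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def looks_lame(packet: bytes) -> bool:
    """A server listed in a zone's NS set should answer for that zone with AA set
    and RCODE 0.  Anything else from a listed server is the classic lame symptom,
    which is what a forward-only external server risks producing."""
    h = parse_dns_header(packet)
    return not (h["qr"] and h["aa"] and h["rcode"] == 0)


def build_query(qname: str, qtype: int = 6, ident: int = 0x1234,
                recursion_desired: bool = False) -> bytes:
    """Build a minimal IN-class query (default QTYPE 6 = SOA) with RD clear, so a
    forwarding server is asked what it knows, not what it can look up."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(ident: int, aa: bool, rcode: int = 0, ancount: int = 1) -> bytes:
    """Constructed sample response header (no body) for offline testing."""
    flags = QR | RD | RA | (AA if aa else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


def check_nameserver(server_ip: str, zone: str, timeout: float = 3.0) -> dict:
    """Live probe (optional): send an SOA query for `zone` to `server_ip` over UDP
    and return the parsed header plus a 'lame' verdict.  Needs network access."""
    query = build_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(512)
    header = parse_dns_header(data)
    if header["id"] != 0x1234:
        raise ValueError("response ID does not match the query")
    header["lame"] = looks_lame(data)
    return header


if __name__ == "__main__":
    # Offline demonstration on constructed packets: an authoritative answer versus
    # the kind of non-authoritative answer a forward-only server may hand back.
    for label, pkt in (("authoritative", build_response(1, aa=True)),
                       ("forwarded, no AA", build_response(1, aa=False))):
        h = parse_dns_header(pkt)
        print(f"{label:18s} aa={h['aa']} rcode={h['rcode']} lame={looks_lame(pkt)}")
    # To probe one of your own servers (assumed values, replace with yours):
    # print(check_nameserver("192.0.2.1", "example.com"))
```

Run it against each host listed in the zone's NS records, from the outside, before cutting over: the useful result is a response with aa=True and rcode 0 from every listed server, which is what the forwarding setup has to be shown to preserve.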

