sanity check for dns configuration ...

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 5 00:17:01 UTC 2002


"Thomas C. Knoeller" wrote:

> Howdy DNS Gurus,
>
> I need to come up with a solution for doing public internet dns in a
> dmz/firewall/intranet setting where I have _very_ little ability to punch
> holes through the firewall.
>
> A little background.  The company I work for has been using an 'ip management'
> tool for maintaining their DNS.  This tool uses a bunch of network ports that
> are considered unsafe by the security folks.  So, management of an external
> server is nearly impossible because of the firewall rules.
>
> To work around this limited management of the external server, it has been
> suggested that we run the external server in a forward-only configuration.
> The server would forward to a server in the inside of the firewall.  The
> inside server would run all the services for the ip management tool.
>
> It would look something like this.
>
>         ------------          ------------
>         |external#1|          |external#2|     Forward-only
>         ------------          ------------     (to internal)
>            |                      |
>          -------                -------              |
>              |                       |               |
>         ------------          ------------           |
>         |firewall#1|          |firewall#2|           |
>         ------------          ------------   (udp/53, tcp/53)
>            |                      |                  |
>          -------                -------              |
>              |                       |               |
>         ------------          ------------           |
>         |internal#1|          |internal#2|       internal
>         ------------          ------------           |
>                   \            /                     |
>                    \(intranet)/             (ugly network services)
>                     \        /                       |
>              -----------------------                 |
>              |ip management station|          ip mgmt station
>              -----------------------
>
>
> We think that the only thing that we need to change to make it work is the IP
> address of the SOA and NS records in the zone files.  They need to change from the
> internal host's IP address to the external host's IP address.
>
> Can anyone point out any other things we should be aware of as we test the
> above implementation?
>
> One of the things that we are worried about is the 'authoritative' nature of
> the returned data.  Let me explain.  The external box is the authoritative
> nameserver for our TLD.  But, if the external box is in forward-only mode,
> I assume that the authoritative bit in the dns packet will not be set when it
> returns a query.  Since the answer from the server claims not to be
> authoritative, would the server be considered lame?
>
> TIA for any thoughts and/or insights you can share.

No, this isn't going to work at all. Other servers on the Internet are going to
send you *non-recursive* queries. BIND cannot be configured to forward
non-recursive queries. Furthermore, as you are already realizing, when the
external servers answer from their cache (BIND cannot be configured to not cache
either), their responses will have the AA (Authoritative Answer) bit unset, and
this will cause lameness issues.

Why don't you just make the external nameservers slaves of the internal ones?
This shouldn't require any more ports/protocols to be opened.


- Kevin
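What Kevin's suggestion looks like in named.conf, as an added example that is not part of the thread: the internal servers stay hidden masters fed by the IP management tool, and the external servers are authoritative-only slaves that pull the zone over the udp/53 and tcp/53 already allowed through the firewalls. The zone name, addresses and TSIG key name are hypothetical; the secret is a placeholder.

```conf
// Added example, not from the original thread. Zone, addresses and key
// name are assumptions; the secret is a placeholder to be generated with
// tsig-keygen (or dnssec-keygen on older BIND releases).

// ---- internal#1 (hidden master, managed by the IP management tool) ----
key "xfer-key" {
    algorithm hmac-sha256;                 // older BIND: hmac-md5
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

options {
    directory "/var/named";
    // The internal host is deliberately NOT listed in the zone's NS RRset,
    // so nothing on the Internet ever queries it; it only feeds the externals.
    notify yes;
    also-notify { 192.0.2.10; 192.0.2.11; };   // external#1, external#2
    allow-transfer { key "xfer-key"; };        // AXFR/IXFR only with TSIG
    allow-query { 10.0.0.0/8; };               // intranet only
};

zone "example.com" {
    type master;
    file "master/example.com.db";
};

// ---- external#1 (192.0.2.10) and external#2 (192.0.2.11) ----
key "xfer-key" {
    algorithm hmac-sha256;                 // same algorithm and secret as
    secret "REPLACE-WITH-BASE64-SECRET";   // on internal#1 (placeholder)
};

server 10.1.1.1 {                  // internal#1, via firewall#1 on udp/53 + tcp/53
    keys { "xfer-key"; };          // sign transfer requests and SOA checks
};

options {
    directory "/var/named";
    recursion no;                  // authoritative-only: no open resolver, and
                                   // answers for the zone carry the AA bit
    allow-transfer { none; };      // never hand the whole zone to the world
    notify no;
};

zone "example.com" {
    type slave;
    masters { 10.1.1.1; };         // hidden master, absent from the NS records
    file "slave/example.com.db";
};
```

Zone transfers run over tcp/53 from the external slave to the internal master, which is the direction the diagram already shows open, so no additional firewall rules are needed; the zone's NS records and the SOA MNAME must still name the external hosts, as Thomas already noted. To verify that the external servers are not lame, query one of them non-recursively, e.g. `dig +norecurse @192.0.2.10 example.com SOA`, and confirm that the response flags include `aa` and that the SOA serial matches the master's after a change and NOTIFY.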



