Accessing internal zones over a VPN

Kevin Darcy kcd at daimlerchrysler.com
Mon Mar 22 17:05:12 UTC 2004


Anthony Chavez wrote:

>
>On Mon, 01 Mar 2004 19:24:09 -0500 Kevin Darcy <kcd at daimlerchrysler.com> wrote:
>  
>
>>Well, it's not going to be pretty however you implement it. What comes 
>>to my mind is to set up the zones of interest as "stub" zones on a 
>>separate nameserver, nameserver instance (running on a different 
>>interface of the same box, using "listen-on") or (if you're willing to 
>>upgrade to BIND 9) a separate "view", which serves only the 
>>client-subset you care about. These "stub" zones would pull their NS/SOA 
>>data from DNS2, and everything else in that nameserver (or nameserver 
>>instance, or "view", depending on how you set it up) would forward to 
>>the regular FW1 nameserver (or nameserver instance or "view") for normal 
>>resolution.
>>    
>>
>
>I have still yet to implement this, but something occurred to me when I
>was thinking about it the other day.
>
>If I were to do this, wouldn't that mean that my internal zone would be
>transferred over the Internet, making it entirely possible that a
>malicious user armed with a packet sniffer could view it?
>
Well, you had "VPN" between FW3 and FW4 in your original drawing. That 
was the assumption I was going on...

>A quick glance over the ARM has given me the impression that TSIG, TKEY,
>SIG(0) and DNSSEC will enable me to do this securely.  Is this
>correct?  And is there anything that I should know beforehand before
>attempting to enable these features?
>
BIND offers no way to do encrypted zone transfers, although you don't 
have to use BIND's built-in transfer mechanisms to keep two or more 
authoritative nameservers in sync: you could define the zone on the 
"slave" as "type master", use something like scp (or rsync over ssh) to 
do the transfer in a secure fashion, and follow up the scp with an "rndc 
reload <zone>" (assuming you're running BIND 9) in order to force a 
reload of the zone every time it changes.

As for encrypting queries, I don't know any way to do that. I think you 
pretty much need an encrypted tunnel for protecting queries, as I 
assumed above...

-Kevin
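The scp/rsync-plus-"rndc reload" approach described in the reply above, written out as an added example that is not code from the thread or from BIND. It assumes a hypothetical zone example.internal, a peer host ns2.example.internal and a zone file path, and adds two checks a practitioner would want: the push is skipped when the peer already has an equal or newer SOA serial, and the reload runs only after named-checkzone accepts the copied file.

```shell
#!/bin/sh
# Added example (not from the original thread): keep a second authoritative
# server in sync without AXFR, as described above: the receiving server holds
# the zone as "type master", the file is pushed over ssh (rsync), checked with
# named-checkzone, and then activated with "rndc reload <zone>".
# Hypothetical names: zone example.internal, peer host ns2.example.internal,
# zone file /var/named/example.internal.db.

# Print the SOA serial of the zone text read on stdin. Comments are stripped
# and parentheses ignored, so the multi-line SOA layout parses too.
zone_serial() {
    awk '
        { sub(/;.*/, ""); gsub(/[()]/, " ") }
        !insoa && /[ \t]SOA([ \t]|$)/ {
            insoa = 1; sub(/.*[ \t]SOA[ \t]*/, "")
        }
        insoa { for (i = 1; i <= NF; i++) if (++n == 3) { print $i; exit } }
    '
}

# Write a small constructed sample zone to the file named by $1.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.internal. hostmaster.example.internal. (
        2004032201 ; serial
        3600 900 604800 300 )
    IN NS  ns1.example.internal.
ns1 IN A   10.0.0.53
EOF
}

# Push the zone file to the peer, refusing to overwrite a newer serial, and
# reload only after the copy passes named-checkzone on the peer.
push_zone() {
    zone=$1; zone_file=$2; peer=$3
    local_serial=$(zone_serial < "$zone_file")
    [ -n "$local_serial" ] || { echo "no SOA serial in $zone_file" >&2; return 1; }
    peer_serial=$(ssh "$peer" "cat '$zone_file'" 2>/dev/null | zone_serial)
    if [ -n "$peer_serial" ] && [ "$local_serial" -le "$peer_serial" ]; then
        echo "peer already has serial $peer_serial; nothing to do" >&2
        return 0
    fi
    rsync -e ssh --checksum "$zone_file" "$peer:$zone_file" || return 1
    ssh "$peer" "named-checkzone '$zone' '$zone_file' && rndc reload '$zone'"
}

# Usage (not run here):
# push_zone example.internal /var/named/example.internal.db ns2.example.internal
```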
