question about allow-notify

G.W. Haywood bind at jubileegroup.co.uk
Thu Jul 17 17:18:05 UTC 2008


Hi there,

On Thu, 17 Jul 2008, aklist wrote:

> Pretty basic question...

And not really one for the bind list, I think. :)

> ...master NS on a public IP ... slave NS (Bind 9.5.0-P1) behind a
> NAT'd router (192.168.1/24). The master is sending notifies ... but
> the slave is refusing the notifies because they're coming from the
> router's gateway IP (192.168.1.1) and not the IP of the primary NS.
> ...
> If I add the gateway IP to the allow-notify statement on the slave
> ... is there any risk ...

Maybe.  If your router is really doing what you say, the setup seems a
little bit strange.  NAT doesn't usually work in the way you describe.
The idea is for the people on the OUTSIDE not to be able to see the IPs
INSIDE, not the other way around.  Suppose you have a webserver behind
a NAT firewall/router.  You look in the logs to see who's been in touch
with your server.  Do you want all the IP addresses in the log to be
192.168.1.1?  I don't think so.

> ... is there a better way to handle it?

Yes.  If your router allows it, forward the traffic from your master
to the slave so that it sees the master IP and not something from your
router.  If the router can't do what I suggest, then get another one.
You could use an old PC with a Linux firewall distro.  There are quite
a few to choose from; I use IPCop and Smoothwall.  They are both
rock-solid and offer a number of advantages over a simple NAT router.  They
can consume more power if you aren't careful so you might want to think
about using one of the diskless devices that are available.

--

73,
Ged.
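
One way to set this up so that the slave does not have to trust whatever
source address the router presents, added here as an example and not
part of Ged's reply or of the original question: authenticate the NOTIFY
with a TSIG key instead of (or as well as) a source-address ACL.  BIND
supports this through `key` elements in `allow-notify` and the `keys`
clause of the `server` statement on the master.  The zone name, the key
name and secret, and the addresses 203.0.113.5 (the master) and
198.51.100.7 (the public address the slave is NAT'd behind) are assumed
placeholders, not values from the thread.

```conf
// ---------------------------------------------------------------
// Slave (behind the NAT router).  Added example, not from the thread.
// ---------------------------------------------------------------

// Shared TSIG key.  Name and secret are placeholders: generate a real
// secret with "openssl rand -base64 32" and keep the file unreadable
// to other users.  hmac-md5 was common in older configs; avoid it.
key "master-slave.key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET=";
};

// WEAK: trusting the router's inside address.  If the router rewrites
// the source of forwarded packets to 192.168.1.1, then EVERY outside
// host that can reach port 53 on the slave looks like 192.168.1.1, so
// this accepts NOTIFY from anyone on the Internet, not just the master.
//
//   allow-notify { 192.168.1.1; };

zone "example.com" {
    type slave;
    file "slaves/example.com";
    // 203.0.113.5 is the assumed public address of the master; the key
    // here signs the SOA query and zone transfer request the slave sends.
    masters { 203.0.113.5 key "master-slave.key"; };
    // Accept NOTIFY only when it carries a valid TSIG signature.  Once
    // the router forwards packets without rewriting the source, an
    // address ACL such as { 203.0.113.5; } would also work; the key
    // works regardless of what the router does to the source address.
    allow-notify { key "master-slave.key"; };
};

// ---------------------------------------------------------------
// Master (public IP).  Same key, defined before the server statement
// that references it.
// ---------------------------------------------------------------
key "master-slave.key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET=";
};

// 198.51.100.7 is the assumed public address the slave is NAT'd behind.
// The keys clause makes named sign the NOTIFY (and any other request)
// it sends to that server, so the slave's allow-notify ACL matches.
server 198.51.100.7 {
    keys { "master-slave.key"; };
};

zone "example.com" {
    type master;
    file "masters/example.com";
    also-notify { 198.51.100.7; };
    allow-transfer { key "master-slave.key"; };
};
```

Two things to check after deploying this.  First, the router's
port-forward must rewrite only the destination address (a plain DNAT
of UDP and TCP port 53 to the slave); some routers and firewall distros
also rewrite the source of forwarded traffic so that replies return
through them, and that is exactly what makes every NOTIFY appear to come
from 192.168.1.1.  Second, keep in mind what a forged NOTIFY can and
cannot do: the slave only reacts by querying its configured masters for
the SOA and pulling the zone from them, so an open allow-notify does not
let an outsider inject zone data, but it does let anyone trigger
refreshes and transfer load at will and fill the logs, which is reason
enough not to leave it open.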

