two nameservers

Barry Margolin barmar at genuity.net
Fri May 19 20:43:21 UTC 2000


In article <3925832A.4588 at tsi-telsys.com>,
David Stern  <dstern at tsi-telsys.com> wrote:
>We have two nameservers running BIND 8.8.2p. One is inside our network
>and the other is in a DMZ. The one on the outside has been registered
>and I've set up the internal one st zones aren't transferred. Basically,
>anyone on the outside will do queries on the external NS and people
>inside use the internal one.
>
>1/ Because the internal one originally was our primary, we set pinholes
>   in a firewall for port 53. Can we remove these now or are they still
>   necessary for people inside querying for domains that we don't have
>   authority on?

You can remove these.  BIND 8 uses a random high port when it sends
outbound queries, so you'll need to allow these back in.  If you need to
configure the firewall so it only allows certain ports in, pick some other
port and specify it in the "query-source" option in named.conf.  Or you
could configure the internal server to use the external server in the
"forwarders" option, and only allow UDP between those two machines.

>2/ Turning on debugging (kill -WINCH) still shows an occasional query
>   from outside to the internal nameserver. And in fact, I can connect
>   from outside to the inside NS and ask about a particular host it
>   knows about that the outside/official nameserver doesn't. Can this
>   be stopped?

That's because of the port 53 hole you have in your firewall.  You can use
the "allow-query" option in named.conf to restrict who can query the
server.  But if you do what I suggested above, you should be OK.

P.S. Why did you post this as a reply to the "8.2.3 Stability" question?
Please don't use your newsreader's "Reply" command when you're starting a
new discussion.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
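As an added illustration (not from the original post), a BIND 8 named.conf fragment for the internal server that combines the three options Barry mentions: a fixed query source port, forwarding to the DMZ server, and restricting queries to the inside network. All addresses are constructed placeholders.

```conf
// Internal (inside-the-firewall) nameserver, BIND 8 syntax.
// Addresses are constructed examples: replace with your own ranges.
acl internal {
    10.0.0.0/8;       // inside network (example RFC 1918 range)
    127.0.0.1;        // the server itself
};

options {
    directory "/var/named";

    // Option A from the thread: send outbound queries from one fixed
    // port so the firewall only needs one inbound UDP pinhole for replies.
    // Caveat: a fixed source port gives up source-port randomness, which
    // makes forged replies easier; prefer option B where possible.
    query-source address * port 5353;

    // Option B from the thread: hand every non-authoritative query to the
    // DMZ server, so the firewall only needs UDP between these two hosts.
    forwarders { 192.0.2.53; };   // DMZ nameserver (example address)
    forward only;

    // Answer only internal clients; this is the fix for the outside
    // queries seen in the debug log.
    allow-query { internal; };
};
```

With `allow-query { internal; }` in place, a query from an outside address is refused even if the port 53 pinhole is accidentally left open.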
