Public queries to private IP DNS. Possible?

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 16 22:58:19 UTC 2001


Hmmm... I don't get the bit about the slave server "notic[ing] that
there is already [] a primary server for [y]our domain name, tell[ing
you] that the primary on the inside is not authoritative, [and therefore
not] replicat[ing]". BIND slaves are configured with IP addresses
specifying their master(s), and if they replicate the zone properly,
consider themselves authoritative for the zone, and therefore shouldn't
really care what any other server happens to think about who is or is
not authoritative for it. The only place where authoritativeness comes
into play is that named-xfer wants the answers from the master for its
SOA serial-number queries to be authoritative, i.e. for the AA bit to be
set in the responses. If that bit is not set in the SOA responses, then
the zone transfers will fail. Is that what's happening to you? That's
strictly a matter of how the (real) master responds. Maybe you have a
syntax error in the master zone file that's causing the master to not
load the zone properly and therefore answer non-authoritatively...


- Kevin

Kalle Helenius wrote:

> Hi everybody. Not absolutely sure this is the right place for this,
> but if it isn't, please redirect me to the right forum.
>
> A problem. We have an extensive VPN network between daughter
> companies, some using private IP schemes and others public schemes.
> The problem is that we don't know how to tell the nameservers in
> places with public IP's to come look for the private IP's on our
> inside. (We have an internal primary server for the internal IP's,
> and an outside primary server for the public IP's with a firewall
> doing NAT in between). The problem comes when we try to put a
> secondary server in a place with public IP's, that server notices
> that there already is a primary server for our domain name, and
> tells us that the primary on the inside is not authoritative, so no
> replication.
>
> Can we put in a line into the named.cache file telling it that the
> primary zone server for this one domain is actually the primary
> nameserver on the inside? That would effectively deny them our
> public IP's, but thats acceptable because of the VPN.
>
> Any suggestions will be appreciated greatly!
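As an added example (not code from this thread and not part of BIND), the script below reproduces the check Kevin describes: send the master an SOA query and require the AA (authoritative answer) bit in the reply, failing the way named-xfer would when the master answers non-authoritatively, for instance because the zone file did not load. The wire format follows RFC 1035. Both master replies are constructed in the script so it runs offline; probe_master(), the zone name example. and the names ns1.example./hostmaster.example. are assumptions for illustration.

```python
"""Added example, not from the original thread: emulate named-xfer's SOA
check (AA bit required) against a master. Replies are constructed here for
demonstration; probe_master() assumes a real master on UDP port 53."""
import socket
import struct
from typing import Tuple

FLAG_QR = 0x8000      # message is a response
FLAG_AA = 0x0400      # authoritative answer
RCODE_MASK = 0x000F
QTYPE_SOA = 6
QCLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence (uncompressed)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Non-recursive SOA query, as a slave sends to its configured master."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # RD clear
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def build_soa_response(query: bytes, serial: int, authoritative: bool,
                       mname: str = "ns1.example.",
                       rname: str = "hostmaster.example.") -> bytes:
    """Constructed master reply for the demo (placeholder names); AA is set
    only when the master actually loaded the zone."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | (FLAG_AA if authoritative else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = (encode_name(mname) + encode_name(rname)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 86400))
    # 0xC00C: compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + query[12:] + answer

def parse_soa_response(msg: bytes) -> dict:
    """Return txid, AA flag, RCODE and the serial of the first SOA answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a DNS response")
    offset = 12
    for _ in range(qd):                                 # skip question section
        _, offset = decode_name(msg, offset)
        offset += 4
    serial = None
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SOA and serial is None:
            _, o = decode_name(msg, offset)             # MNAME
            _, o = decode_name(msg, o)                  # RNAME
            serial = struct.unpack("!I", msg[o:o + 4])[0]
        offset += rdlen
    return {"txid": txid, "aa": bool(flags & FLAG_AA),
            "rcode": flags & RCODE_MASK, "serial": serial}

def master_check(response: bytes) -> Tuple[bool, str]:
    """Would named-xfer accept this SOA answer? Returns (ok, reason)."""
    info = parse_soa_response(response)
    if info["rcode"] != 0:
        return False, "master returned RCODE %d (zone probably failed to load)" % info["rcode"]
    if not info["aa"]:
        return False, "SOA answer has AA bit clear: master not authoritative, transfer fails"
    if info["serial"] is None:
        return False, "no SOA record in the answer section"
    return True, "master is authoritative, SOA serial %d" % info["serial"]

def probe_master(master_ip: str, zone: str, timeout: float = 3.0) -> Tuple[bool, str]:
    """Run the same check against a live master (assumed UDP/53; not run offline)."""
    query = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (master_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        return False, "transaction id mismatch"
    return master_check(data)
```

Before pointing an outside slave at the inside master, run probe_master() from the slave's network against the master's address; a False result with "AA bit clear" is exactly the condition under which named-xfer refuses to transfer, and SERVFAIL (RCODE 2) is what a master typically returns when its zone file failed to parse.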

More information about the bind-users mailing list