more clarification needed on TSIG please
J.D. Bronson
jbronson at wixb.com
Tue Jun 29 13:49:02 UTC 2004
At 08:31 AM 06/29/2004, you wrote:
> CISCO, in their infinite wisdom, decided to have their NAT
> alter the DNS message content when the transport was UDP and
> not alter it when it was TCP.
>
> TSIG works by generating a cryptographically secure hash of
> the DNS message. Altering the contents of the DNS message
> (with the exception of the message id) will cause the TSIG
> to fail.
>
> You should be able to verify whether 'no-payload' works or
> not by capturing the packet refresh packet both sides of
> the firewall and seeing if the DNS message in it has been
> modified.
>
> If the DNS messages are identical 'no-payload' is working.
> By identical I mean evey bit with the exception of the
> message id.
>
> Mark
First off...THANK YOU for at least pointing this out. I did find out a few
years ago that I had to add 'no-payload' to the NAT mappings or direct
queries against my machine ended up give out INTERNAL view IPs rather than
EXTERNAL view IPs. That was most amusing to troubleshoot.
Here is what I currently have:
ip nat inside source static 10.10.10.171 64.91.71.171 no-payload
ip nat inside source static 10.10.10.172 64.91.71.172 no-payload
(IPs are scrambled of course)
that fixed my 1st issue, but not my TSIG issue. I still feel that TSIG is
being blocked by the firewall (or CBAC within the cisco).
I see the TSIG notify from WAN to my LAN, but then the transfer always fails.
Nothing is in the cisco log at all. But if I do a dig (like above) to
transfer the zone (on the same machines involved) it works fine. I only
allow transfers with TSIG KEYS...not even by IPs.
So...my next approach is a port thing. Is there anyways around
this..perhaps a port or change from UDP to TCP for example?
My last approach will be to toss the cisco on ebay and buy a different
router that does not mess with payload or have these issues.
--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: jd at aurora.org // Pager: 414.314.8282
More information about the bind-users
mailing list