MNAME in External Zone Files
Merton Campbell Crockett
m.c.crockett at adelphia.net
Wed Mar 22 03:30:42 UTC 2006
At work, a split-DNS is used. I have three name servers defined in
the roots that will answer DNS queries originating from the
Internet. Two of the name servers are in network enclaves behind a
Sidewinder G2 firewall. The Sidewinder G2 has a DNS proxy that
forwards DNS requests originating from the Internet to the name
server in the network enclave.
It appears that a bug in the DNS proxy that was fixed in an earlier
version of the Sidewinder G2 has been re-introduced. The Sidewinder
G2 will stop accepting DNS requests sent using UDP. On one of the
name servers, the trigger event for this denial of service was
identified as remote systems attempting dynamic DNS updates using a
list of valid, internal system names. All of the system names belong
to Windows-based systems.
Windows systems that have been configured to be in an Active
Directory domain will, at boot, attempt to register their current IP
address. If none of the cached Active Directory domain controllers
can be reached, they query for the domain's SOA record and attempt to
perform dynamic DNS updates to the MNAME system.
Since the mid-eighties, I've always set MNAME to the name assigned to
the primary master name server for the domain. I am curious what
others use for MNAME in a split-DNS environment.
Due to the problems encountered with the Sidewinder G2, I am
contemplating replacing MNAME with the domain name of the internal
primary master name server. This would side-step the denial of
service problem as there are no policies that allow forwarding of DNS
queries to the internal system and all DNS requests to the system
will be discarded.
Are there any "gotchas" in this approach?
Merton Campbell Crockett
m.c.crockett at adelphia.net
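As an added example (not from the original post, and not ISC or BIND code), the script below parses the SOA record of a zone as served by each view of a split-DNS setup and reports where a client that treats the SOA MNAME as the primary master, the way the post describes Windows Active Directory members behaving, would direct its dynamic update. The two zone texts, the hostnames (ns1, ns2, ns-int, ws01) and the addresses are constructed sample data; the external view follows the proposal in the post, with MNAME set to an internal-only name that has no address record in the external view.

```python
"""Added example: check the SOA MNAME of a split-DNS zone per view and report
where an RFC 2136 dynamic-update client would send its UPDATE.  All zone
data, names and addresses below are constructed for illustration."""
import re

# Constructed external view: MNAME names the internal primary, which has
# no A record here, so Internet-originated UPDATE attempts have no target.
EXTERNAL_ZONE = """
$ORIGIN example.com.
@   IN SOA ns-int.example.com. hostmaster.example.com. (
        2006032201 3600 900 604800 3600 )
@   IN NS  ns1.example.com.
@   IN NS  ns2.example.com.
ns1 IN A   192.0.2.10
ns2 IN A   192.0.2.11
www IN A   192.0.2.80
"""

# Constructed internal view: the same MNAME resolves, so inside clients
# can still find the primary and register their addresses.
INTERNAL_ZONE = """
$ORIGIN example.com.
@      IN SOA ns-int.example.com. hostmaster.example.com. (
           2006032201 3600 900 604800 3600 )
@      IN NS  ns-int.example.com.
ns-int IN A   10.0.0.53
ws01   IN A   10.0.1.21
"""


def _fqdn(name, origin):
    """Expand '@' and relative owner names against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Minimal zone-file reader: $ORIGIN, SOA MNAME and A records only."""
    origin, mname, a_records = None, None, {}
    # Fold parenthesised multi-line records (the SOA) onto one line.
    joined = re.sub(r"\(([^)]*)\)",
                    lambda m: " " + m.group(1).replace("\n", " ") + " ", text)
    for raw in joined.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if origin is None:
            raise ValueError("zone text must start with $ORIGIN")
        owner = _fqdn(fields[0], origin)
        rest = fields[1:]
        if rest and rest[0] in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0], rest[1:]
        if rtype == "SOA":
            mname = _fqdn(rdata[0], origin)
        elif rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])
    return {"origin": origin, "mname": mname, "a": a_records}


def update_target(view_zone):
    """Return (MNAME, addresses of MNAME in this view).  An empty address
    list means a client that trusts MNAME cannot deliver its UPDATE."""
    mname = view_zone["mname"]
    return mname, view_zone["a"].get(mname, [])


def check_split_views(external, internal):
    """Compare the update target each view advertises and flag the two
    conditions that matter: inside clients must reach the primary, and
    outside clients should not be steered at any reachable server."""
    ext_name, ext_addrs = update_target(external)
    int_name, int_addrs = update_target(internal)
    findings = {
        "external_mname": ext_name,
        "external_update_reachable": bool(ext_addrs),
        "internal_mname": int_name,
        "internal_update_reachable": bool(int_addrs),
        "warnings": [],
    }
    if not int_addrs:
        findings["warnings"].append(
            f"internal view: MNAME {int_name} has no A record; inside "
            "clients cannot register")
    if ext_addrs:
        findings["warnings"].append(
            f"external view: MNAME {ext_name} resolves to {ext_addrs}; "
            "Internet-originated UPDATEs will be sent there")
    return findings


if __name__ == "__main__":
    report = check_split_views(parse_zone(EXTERNAL_ZONE),
                               parse_zone(INTERNAL_ZONE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real zone files of both views (replace the constructed strings with the file contents) to confirm that the internal view still resolves MNAME and that the external view does not; any warning in the report is a case where the MNAME choice either breaks inside registration or gives outside update attempts a live target.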