Bind, firewall & forward

Stéphane Barraud stephane.barraud at pep-esp.fr
Wed Jun 2 16:25:51 UTC 1999


 Hello,

 Thank you to your interest in my problem.

> Is 1.10.10.5 the bastion host or the internal server?  The "query-
> source" in the internal server's configuration says to use that as the
> internal server's address when querying.  [At least, this is how I
> interpreted the documentation - I don't use this with my firewalls.]
> But the "forwarders" command says to send all queries to that [remote?]
> host.
> 
> So, which is it?  And, since you're forwarding to the bastion host, do
> you really need the "query-source"?  [Probably not.]
> 
> Incidentally, it's not a good idea to use network 1.*.*.* - it may be
> "reserved" today, but it may be used tomorrow.  Use network 10.*.*.*,
> or one of the other RFC 1918 "private internet" networks.
> 
   Ok, these addresses are dummy ( 192.168.300 cannot be a real address ;-)
   And it's not clear because I've made the mistake of choosing 2 internal
network addresses.
   
   The DMZ has an official class C address ( which is 194.199.148).
   The internal network has a non routable class C address ( 192.168.200 )

> Both hosts declare that they are the master, authoritative source for
> the "pep-esp.fr" domain.  Thus, they will never query each other.  I
> take it that this is to separate the external DNS from the internal DNS.
> The external name server is the bastion host.  The internal name server
> is the internal server, and the resolv.conf on the bastion host points
> to that one.  Correct?
> 

  Yes, this is exactly what I'm trying to do. It seems to me that it is what
specialists call a "split DNS", isn't it?

  After more trying, I've found that:
    - the DNS on the bastion has to know all hosts on the DMZ.
    - the DNS on the internal server has to know all hosts on the internal
network plus all hosts on the DMZ, so that it can answer requests from internal
hosts concerning the DMZ.
    - I think (according to the Bind doc) the "forward only" and
"forwarders" directives mean that the internal server must query the bastion
DNS to resolve external queries (i.e. concerning every domain but pep-esp.fr).
Fortunately this is working.

  The problem comes when I try to apply filters on the router, to avoid
unauthorized traffic between internal and DMZ networks. In this case, the 2 DNS
need to talk on port 53 (because of the filters). And I don't really
understand the use of the query-source. Does the "query-source" directive on a
DNS concern outgoing queries or incoming queries?

 
Thanks again for your help

steph.
 
On 02-Jun-99 Joseph S D Yao wrote:
>> I'm trying to configure a firewall.
>> I'm using Bind 8.1.2-5 which comes with linux Redhat 5.2.
>> the network looks like this :
>>     bastion -----------  router ------------- internal server
>>             net 1.10.10         net 192.168.300
>>              (DMZ)
>> the bastion host is connected to internet via another router.
>> 
>> I've configured bind on the bastion host (IP 1.10.10.5) with the following
>> named.conf :
>> options { directory "/var/named"; };
>> zone "pep-esp.fr" { type master; file "named.db"; };
>> zone "10.10.1.in-addr.arpa" { type master; file "named.rev"; };
>> zone "." { type hint; file "named.ca"; };
>> zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
>> 
>> I've configured bind on the internal server (IP 192.168.300.15) with the
>> following named.conf :
>> options {
>>         directory "/var/named";
>>         query-source address 1.10.10.5 port 53;
>>         forward only;
>>         forwarders { 1.10.10.5; };
>> };
>> zone "pep-esp.fr" { type master; file "named.db"; };
>> zone "300.168.192.in-addr.arpa" { type master; file "named.rev"; };
>> zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
>> zone "." { type hint; file "named.ca"; };
>> 
>> This internal server was previously working correctly without the forward
>> option.
>> What I intend to do, is to have the internal server answering to internal
>> hosts
>> and forwarding requests concerning outside hosts to the firewall bind
>> server, making only the bastion apparent to internet.
>> Unfortunately, this does not work.
>> The 2 servers ping each other,
>> configuring the resolv.conf of the bastion makes external resolution working
>> (ie the bastion bind server is ok),
>> the internal server responds correctly to internal
>> queries (ie to resolve addresses in 192.168.300 network),
>> BUT the internal server does not respond to requests for external hosts.
> 
> Is 1.10.10.5 the bastion host or the internal server?  The "query-
> source" in the internal server's configuration says to use that as the
> internal server's address when querying.  [At least, this is how I
> interpreted the documentation - I don't use this with my firewalls.]
> But the "forwarders" command says to send all queries to that [remote?]
> host.
> 
> So, which is it?  And, since you're forwarding to the bastion host, do
> you really need the "query-source"?  [Probably not.]
> 
> Incidentally, it's not a good idea to use network 1.*.*.* - it may be
> "reserved" today, but it may be used tomorrow.  Use network 10.*.*.*,
> or one of the other RFC 1918 "private internet" networks.
> 
> Both hosts declare that they are the master, authoritative source for
> the "pep-esp.fr" domain.  Thus, they will never query each other.  I
> take it that this is to separate the external DNS from the internal DNS.
> The external name server is the bastion host.  The internal name server
> is the internal server, and the resolv.conf on the bastion host points
> to that one.  Correct?
> 
=========================================
Stephane.Barraud at pep-esp.fr

Pole Europeen de Plasturgie
Ecole Superieure de Plasturgie

2 Rue Pierre et Marie Curie
01100 BELLIGNAT FRANCE
=========================================
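Added example, not part of the thread: `query-source` sets the source address and port of the queries a BIND server sends out, so on the internal server it must be one of that host's own addresses (in the posted config it is 1.10.10.5, the bastion). The script below lints an `options` block for that mistake and derives the port-53 filter tuples the router between the internal net and the DMZ must permit; the internal server address 192.168.200.15 is assumed, since the thread only gives the 192.168.200 network.

```python
import re

# The internal server's options block from the thread, embedded as
# constructed sample input (zones omitted).
INTERNAL_NAMED_CONF = """
options {
        directory "/var/named";
        query-source address 1.10.10.5 port 53;
        forward only;
        forwarders { 1.10.10.5; };
};
"""

def parse_options(conf):
    """Pull query-source and forwarders out of a BIND 8 options block."""
    opts = {"query_source": None, "query_port": None, "forwarders": []}
    m = re.search(r"query-source\s+address\s+(\S+)\s+port\s+(\S+)\s*;", conf)
    if m:
        opts["query_source"], opts["query_port"] = m.group(1), m.group(2)
    m = re.search(r"forwarders\s*\{([^}]*)\}", conf)
    if m:
        opts["forwarders"] = [a.strip() for a in m.group(1).split(";") if a.strip()]
    return opts

def check_forwarding(conf, local_addrs):
    """Return problems: query-source is the *source* of outgoing queries,
    so it must be local ('*' = any local address); a forwarder that is
    this host itself would only loop queries back."""
    opts = parse_options(conf)
    problems = []
    qs = opts["query_source"]
    if qs and qs != "*" and qs not in local_addrs:
        problems.append(f"query-source address {qs} is not a local address")
    for fwd in opts["forwarders"]:
        if fwd in local_addrs:
            problems.append(f"forwarder {fwd} is this host itself")
    return problems

def router_filter_rules(conf, local_addrs):
    """(proto, src, sport, dst, dport) tuples the router must allow so the
    internal server can reach its forwarders; with a fixed query-source
    port the rule can be pinned to src port 53 as well."""
    opts = parse_options(conf)
    qs = opts["query_source"]
    src = qs if qs in local_addrs else local_addrs[0]  # hypothetical fix-up
    sport = opts["query_port"] or "any"
    return [(proto, src, sport, fwd, "53")
            for fwd in opts["forwarders"] for proto in ("udp", "tcp")]
```

Replies come back from the bastion's port 53 to the same source tuple, so the return direction needs a matching permit.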


