Running bind behind Raptor Firewall

Kevin Darcy kcd at daimlerchrysler.com
Tue Aug 1 22:19:44 UTC 2000


The root NS information is bogus, obviously. Moreover, the firewall is answering
it non-authoritatively, which implies that it originates from either: a) a
root-zone master file which didn't load properly, or b) a bogus hints file. How
can the firewall be resolving Internet names when its root NS data is hosed? The
only way I think this could work is by defining "stub" zones for all of the
TLD's, e.g. "com", "org", "net", the country-code domains, etc. But this is
really ugly.

Talk to the administrator of the firewall and let them know what effects their
unusual DNS configuration is having on internal servers which rely on it.


- Kevin

Leonardo Rodrigues wrote:

> At 21:30 01/08/00 +0100, Jim Reid wrote:
> > >>>>> "Leonardo" == Leonardo Rodrigues <coelho at persogo.com.br> writes:
> >
> >     Leonardo>   People, I need some hints on running BIND behind a
> >     Leonardo> Raptor Firewall. I tried all kind of configurations,
> >     Leonardo> and the only one that worked was using the firewall
> >     Leonardo> as a forwarder. Although it worked, I do not stop getting
> >     Leonardo> these kind of errors on system log.
> >
> >     Leonardo> Aug 1 16:36:29 zeus named[330]: sysquery: no addrs found
> > for root NS (firewall.mycompany.com)
> >
> >Well it looks like your name server knows nothing about the root name
> >servers (=> the root zone => the internet name space) or it's
> >forwarding queries to a name server on your firewall that doesn't know
> >anything about the root zone.
>
>          Yes, it SEEMS to be this, but even with this error, named *is
> resolving names correctly*, as follows:
>
> [root at zeus /root]# host www.isc.org
> www.isc.org is a nickname for isc.org
> isc.org has address 204.152.184.101
>
>          Let's take a look at the root servers list. On the named machine,
> I'm loading the normal root servers, and using a forwarder option in
> named.conf. I get:
>
> [root at zeus /root]# dig . ns
>
> ; <<>> DiG 8.2 <<>> . ns
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      ., type = NS, class = IN
>
> ;; ANSWER SECTION:
> .                       17h29m26s IN NS  firewall.mycompany.com.
>
> ;; Total query time: 5 msec
> ;; FROM: zeus to SERVER: default -- 10.32.8.117
> ;; WHEN: Tue Aug  1 17:39:03 2000
> ;; MSG SIZE  sent: 17  rcvd: 57
>
>          And now, let's ask the firewall for its root servers list:
>
> [root at zeus /root]# dig . ns @firewall
>
> ; <<>> DiG 8.2 <<>> . ns @firewall
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUERY SECTION:
> ;;      ., type = NS, class = IN
>
> ;; ANSWER SECTION:
> .                       1D IN NS        firewall.mycompany.com.
>
> ;; ADDITIONAL SECTION:
> firewall.ctbctelecom.net.br.  1H IN A  10.32.8.106
>
> ;; Total query time: 1 msec
> ;; FROM: zeus to SERVER: firewall  10.32.8.106
> ;; WHEN: Tue Aug  1 17:39:12 2000
> ;; MSG SIZE  sent: 17  rcvd: 74
>
>          It's really strange. The firewall, which is my root server, is telling
> me he is his own root server?!?! Is this possible? Is this a misconfiguration?
>
>          Hope hearing from you soon,
>          Leonardo Rodrigues
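
Kevin's diagnosis rests on two things that are visible in the dig output quoted above: the answer for `. NS` carries no `aa` flag (it is served from cache, hints or a forwarder rather than from a loaded root zone), and it names a single server that does not appear in the root hints file. The following is an added example, not code from this thread or from BIND: it parses a DNS response in wire format (header flags, question, resource records with name compression) and flags both conditions. The packet bytes are constructed here to mirror the quoted dig answer (id 4, flags qr rd ra, one NS record with TTL 17h29m26s = 62966 s); the `diagnose_root_ns` helper, the `build_response` builder and the set of root hints names are assumptions made for the example.

```python
import struct

# DNS header flag bits and the record type/class used here
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
TYPE_NS, CLASS_IN = 2, 1

# Hostnames published in the root hints file (a.root-servers.net .. m.root-servers.net);
# assumption for this example: a sane root NS answer should only contain these.
ROOT_HINT_NAMES = {f"{c}.root-servers.net." for c in "abcdefghijklm"}


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a possibly compressed name at offset; returns (dotted name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the pointer ends the name in the current record
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_response(data):
    """Parse header flags, the question and all resource records of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == TYPE_NS:  # NS rdata is a (possibly compressed) name
            rdata, _ = decode_name(data, offset)
        offset += rdlen
        records.append((name, rtype, ttl, rdata))
    return {
        "id": ident,
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "questions": questions,
        "answers": records[:an],
        "authority": records[an:an + ns],
        "additional": records[an + ns:],
    }


def diagnose_root_ns(data):
    """Return findings explaining why a '. NS' answer looks bogus; an empty list means it looks sane."""
    resp = parse_response(data)
    findings = []
    root_ns = {rdata for name, rtype, _, rdata in resp["answers"] if name == "." and rtype == TYPE_NS}
    if not resp["aa"]:
        findings.append("answer is non-authoritative (aa clear): served from cache, hints or a forwarder, not a loaded root zone")
    unknown = root_ns - ROOT_HINT_NAMES
    if unknown:
        findings.append("root NS names not in the root hints: " + ", ".join(sorted(unknown)))
    if len(root_ns) < len(ROOT_HINT_NAMES):
        findings.append(f"only {len(root_ns)} root NS record(s); the hints file lists {len(ROOT_HINT_NAMES)}")
    return findings


def build_response(flags, ns_names, ttl, ident=4):
    """Construct a '. NS' response: question for '.', one NS answer per name (owner name compressed to offset 12)."""
    header = struct.pack("!HHHHHH", ident, flags, 1, len(ns_names), 0, 0)
    question = encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    answers = b""
    for ns in ns_names:
        rdata = encode_name(ns)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


# Constructed packet mirroring the dig output in the thread: qr rd ra, no aa, single bogus root NS
SAMPLE_RESPONSE = build_response(FLAG_QR | FLAG_RD | FLAG_RA, ["firewall.mycompany.com."], 62966)

if __name__ == "__main__":
    for finding in diagnose_root_ns(SAMPLE_RESPONSE):
        print("finding:", finding)
```

Running the script against the constructed packet reports all three findings; an authoritative answer listing the thirteen hints names reports none. The same parser can be pointed at a packet captured from the firewall with tcpdump to confirm what dig summarises, without depending on dig's output format.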
