BIND 8.2.2 p7 Question (KESTREL)

Joseph S D Yao jsdy at cospo.osis.gov
Wed Dec 6 18:55:48 UTC 2000


On Wed, Dec 06, 2000 at 12:06:28AM -0600, kestrel wrote:
> Dear All,
> 
> I am:
> 
> Linux Kernel 2.2.16-22
> Bind 8.2.2_P7
> 
> Question:
> 
> My configuration is a Split DNS type.  One DNS sits on a Firewall providing
> name resolution to clients in the foreign network, while another DNS sits
> inside the "clean area" providing name resolution to internal clients.
> 
> Both DNS's are configured as authoritative for the same zone (zone.org).
> 
> The "internal" DNS has named.conf configured to use the other DNS (on the
> firewall) as a forwarding DNS.
> 
> The Firewall is configured to DENY all packets trying to leave the clean
> segment to go to any IP address, except to the clean side of the firewall.
> In other words, the DNS on the firewall is supposed to provide answers back
> to the "clean" DNS for name lookups for clients outside of this domain.
> 
> QUESTIONS
> 
> 1)  When I remove the root file listing all of the root DNS servers for the
> internet from the "clean" DNS, shutdown and restart the "clean" DNS, I
> perform a TCPDUMP, and still see the "clean" DNS attempting to contact the
> root DNS's.  Even though I removed the root name server configuration file,
> the BIND still is referencing those addresses - and AFTER I rebooted the
> machine!  The Firewall intercepts these "leaking packets" and REFUSEs them.
> Why is the "clean" DNS still referencing these addresses?

Because (a) 'named' always starts by getting a clean copy of the list
of root name servers from the Internet, in case they were updated while
you (the generic you) weren't looking, and (b) you did not configure
the "clean" name server to be "forward only", forwarded to the
firewall.

> 2)  Immediately after restart of all machines in the environment (firewall,
> clean DNS, etc), if I perform a ping of any arbitrary address (i.e.:
> www.cnn.com) from any machine - including the "clean" DNS, the initial
> attempt to resolve that hostname will fail with a timeout error at the host
> performing the PING.  The clients, firewall, and the "clean" DNS are ALL
> configured to point at the "clean" DNS to resolve hostnames.  Is this
> problem related to a timeout value, or did I misconfigure one of the DNS
> servers?  Also, NEITHER DNS server is configured to be a caching name
> server.  Subsequent attempts to PING that same hostname always work fine -
> it's just the initial attempt that times out.  Why?

Probably same thing.  Not being forward-only, the server tries to get
its information from an external root server or other name server.
This can take an awfully long time if the IP connection is blocked.
;-)

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
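The following is an added example, not part of the thread: a BIND 8 style named.conf for the "clean" (internal) server that applies the "forward only" fix described in the reply. The IP addresses, directory and file names are constructed placeholders, not values from the original message.

```conf
// Added example: named.conf for the internal "clean" DNS in the split-DNS
// setup described above.  Constructed placeholders:
//   192.0.2.1  = clean-side interface of the firewall DNS (the forwarder)
options {
    directory "/var/named";

    // BIND's default is "forward first": ask the forwarders, and if they
    // fail or are slow, fall back to iterating from the root servers.
    // That fallback is what sends packets at the roots (which the firewall
    // REFUSEs) and causes the first-lookup timeouts.  "forward only"
    // removes the fallback: every non-authoritative query goes to the
    // firewall DNS and nowhere else.
    forward only;
    forwarders { 192.0.2.1; };
};

// No root hint zone on the clean server.  Together with "forward only"
// this leaves named no list of root servers to prime from or query.
// Shown commented out so the omission is explicit:
// zone "." {
//     type hint;
//     file "root.cache";
// };

// The internal copy of zone.org stays authoritative here; "forward only"
// affects only names this server is not authoritative for.
zone "zone.org" {
    type master;
    file "zone.org.internal";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
```

After restarting named, a packet capture on the clean segment should show outbound port 53 traffic only to the forwarder address, which is the check that the firewall REFUSE entries have stopped.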
