Why not "allow-query" in a forward zone?
Jesper Dybdal
jdunet at u3.dybdal.dk
Thu Mar 9 12:10:36 UTC 2000
Tilman Schmidt <Tilman.Schmidt at sema.de> wrote:
>At 17:10 08.03.00 +0100, Jesper Dybdal wrote:
>>For the sake of log files and troubleshooting, I would like the
>>firewall itself to be able to look up names and IP addresses in
>>the internal networks.
>>
>>This can be done by defining suitable "forward" zones that refer
>>to the internal nameservers.
>
>That's not the way to do it. Instead, set up /etc/resolv.conf on
>the firewall machine to use the internal nameserver instead of
>the one running on the firewall machine itself. See the recent
>thread "Public / Private zones - assistance please" in this
>newsgroup.
The situation is complicated by the fact that there are two separate internal
networks involved. If I put one of the internal nameservers first in
resolv.conf, and the firewall needs to look up a name in the other internal
network, the first internal nameserver will forward the query to the firewall
itself, and it will eventually reply back that there is no such domain. It
will then not try other servers mentioned in resolv.conf.
--
Jesper Dybdal, Denmark.
http://www.dybdal.dk (in Danish).
More information about the bind-users
mailing list