Running bind on a NAT'd server behind a firewall?

Joseph Watson jtwatson at datakota.com
Sat Dec 8 08:38:28 UTC 2001


autom8on wrote:

> Hi all,
> 
> I'm having a few problems with my DNS set up - I have a firewall connecting
> me to the outside world (so a real internet routable IP) and my DNS server
> sitting in a DMZ (10.0.0.0/8 network).  My DNS server is registered
> externally as the external IP address of my firewall - the firewall then
> forwards all UDP 53 requests to my internal 10./8 box.  The firewall will
> also allow TCP port 53 through from my backup server - for zone transfer
> purposes.
> 
> Oh - it's Bind 9.x
> 
> If I just have the normal logging on (severity debug?), I see requests
> coming in for names I've registered - and yet, the client making the request
> sometimes gets answers, and sometimes doesn't.
> 
> If I turn the debugging level up to 4 - every so often I see log entries
> like:
> 
> Dec 08 03:49:31.215 zone my_fake_zone.org/IN: notify to my_external_ip#53
> failed: timed out
> 
> Which, looks like my DNS server is trying to send something to itself
> through the firewall?
> 
> The relevant bit (I think) of my named.conf file is:
> 
> options { directory "/var/named";
>           pid-file "/var/named/named.pid";
>           statistics-file "/var/named/named.stats";
>           memstatistics-file "/var/named/named.memstats";
>           dump-file "/var/adm/named.dump";
>           zone-statistics yes;
>           // Make zone transfer more efficient by sending multiple
>           // DNS records in a single DNS message.
>           transfer-format many-answers;
>           // Set max zone transfer time to 60 minutes.
>           max-transfer-time-in 60;
>           allow-transfer { xfer; };
>           allow-query { trusted; };
>           blackhole { bogon; };
>         };
> 
> Am I missing some special option to do with IP addresses, or have I somehow
> screwed up in the zone files themselves? (Could it be reading the external
> IP from the zone files and getting stuck in some sort of loop thinking it
> has to chain the request on?)
> 
> I've done some searches through google - but haven't really been able to
> come up with anything...
> 
> If someone could point me in the right direction, I'd appreciate it...
> 
> Steve.
> 

Hello,

	I am fighting with a similar problem.  I can't get bind to work behind a NAT 
firewall for anything.  I know though that the looping question could 
happen.  In your zone record, you have to make sure the Master Server name 
points to an IP of the physical server, not the registered name server!!!! 
If you have registered NS here it will try to forward the whole zone to your 
registered name server, which is your firewall.  And when the request comes 
from inside your private network to the external address of your NAT 
server, the forwarding rules will not work and a destination unreachable 
response is sent back by your NAT server. :)  So you need to have a Master 
Server name that resolves to the address of your DNS server on your private 
network.  This will leak some private information if it is not done correctly 
though!!!  I think you can set your search order in host.conf to hosts then 
dns, and in the hosts file have the Master Server resolve to a private 
address and in the DNS have the Master Server resolve to the public 
address.  When I figured this much out, it all appeared to work, but then 
I found out that servers and clients from the internet could not get answers 
back.

This is where I still am.  It is something to do with port 
forwarding, but I found somewhere that bind doesn't use port 53 anymore 
for queries unless you tell it to.  It by default uses an unprivileged port, 
so now it looks like I have to forward all unprivileged ports through to my 
DNS server.  This doesn't sound good at all!!!

If I am wrong with any of this please send me an email, I would like to get 
this to work!!!

Thanks much

Joseph
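Added example (editorial, not from either post in this thread): a BIND 9 named.conf layout for an authoritative server in a NAT'd DMZ that addresses the two problems raised above. BIND sends NOTIFY to the name servers listed in the zone's NS records; when one of those names resolves to the firewall's public address, the DMZ server is sending to itself through the NAT and the request times out, which is the "notify ... failed: timed out" entry. `notify explicit` with `also-notify` sends NOTIFY only to the real secondary. Views replace the host.conf trick: clients on the private network get a zone copy in which the server's own name has its private address, and everyone else gets the public copy. All addresses and names here are assumptions for illustration: the DMZ primary is 10.0.0.2, the off-site secondary is 198.51.100.5, the firewall's public address is 192.0.2.1 (documentation ranges) and the zone is example.org.

```conf
// Added example, not the original poster's config. Assumed addresses:
//   10.0.0.2      DMZ primary (this server)
//   198.51.100.5  off-site secondary that pulls zone transfers
//   192.0.2.1     firewall public address, registered as ns1.example.org
acl "internal" { 10.0.0.0/8; 127.0.0.1; };
acl "xfer"     { 198.51.100.5; };      // the backup server only

options {
    directory "/var/named";
    pid-file  "/var/named/named.pid";
    listen-on { 10.0.0.2; 127.0.0.1; };
    recursion no;                      // authoritative-only box in the DMZ
    allow-transfer { none; };          // opened per zone below
    // Do NOT add "query-source address * port 53;" just to get through the
    // NAT: a stateful NAT maps the reply back to the random source port on
    // its own, and a fixed source port makes forged-response cache poisoning
    // far easier. If the NAT really is stateless, fix only the address:
    // query-source address 10.0.0.2;
};

// Private network (and the server itself) sees ns1.example.org = 10.0.0.2,
// so nothing inside ever tries to reach the server via the public address.
view "inside" {
    match-clients { internal; };
    allow-query { any; };
    zone "example.org" {
        type master;
        file "internal/example.org";   // contains: ns1 IN A 10.0.0.2
        notify explicit;               // ignore the NS RRset as a target list
        also-notify { 198.51.100.5; }; // outbound through the NAT, no hairpin
        allow-transfer { xfer; };
    };
};

// Internet clients arrive with their real source address (DNAT rewrites only
// the destination), so they match this view and see the public copy.
view "outside" {
    match-clients { any; };
    allow-query { any; };              // an internal-only ACL here would refuse them
    zone "example.org" {
        type master;
        file "external/example.org";   // contains: ns1 IN A 192.0.2.1
        notify explicit;
        also-notify { 198.51.100.5; };
        allow-transfer { xfer; };
    };
};
```

Two checks on the firewall side go with this. First, the forwarding rule must pass TCP 53 from any source, not only from the backup server: clients retry over TCP when a UDP answer is truncated, and a rule that only forwards UDP will produce exactly the "sometimes answers, sometimes not" behaviour. Second, the return path for the server's own outbound queries needs no inbound port forwarding; a stateful NAT tracks the outbound packet and translates the reply, so the unprivileged source port BIND 9 picks is not a reason to open a port range. If a secondary sits on the private network instead of off-site, its transfers would match the "inside" view and fetch the internal copy; in that case select the view by TSIG key (`match-clients { key xfer-key; ... }`) rather than by address.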
