help required
Terrence Koeman
root at mediamonks.net
Fri Sep 21 11:17:29 UTC 2001
You can use:
ns1.mediamonks.net (213.91.140.10)
ns2.mediamonks.net (213.19.140.11)
These are public resolvers (recursive) on gigabit ethernet.
--
Regards,
Terrence Koeman
Technical Director/Administrator
MediaMonks B.V. (www.mediamonks.nl)
Please quote all replies in correspondence.
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Marc.Thach at radianz.com
> Sent: Tuesday, August 21, 2001 1:06 PM
> To: bind-users at isc.org
> Cc: Bharat Rawat Binwal
> Subject: Re: help required
>
> Bharat,
> If you must talk to one nameserver through the firewall, then that
> nameserver must perform recursion if requested. The majority of
> ISPs' DNS will recurse, since typical dial-up and small clients do not run
> DNS themselves. If your ISP really won't perform recursion and you really
> need this, then either change ISP for one that will, or adopt an
> architecture with another nameserver on the DMZ as Peter suggests, or
> modify your security policy. If on the other hand you are trying to get
> recursion (without authorisation) from a DNS server other than your ISP's,
> then you will not get much sympathy around here.
> In order to get recursion you need to be requesting with the RD bit set. DNS
> clients and nameservers using forwarders set the RD bit. I assume that
> you're using forwarders, rather than tampering with your root data.
> Marc TXK
>
> From: pelln at icke-reklam.ipsec.nu.invalid
> Sent by: bind-users-bounce at isc.org
> To: comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: help required
> Date: 20/09/2001 09:50
>
> Bharat Rawat Binwal <bharatrawat_bit at rediffmail.com> wrote:
>
> > Hello all,
>
> > There is some security problem with my network. So I do have a
> > solution for it. Just want to confirm if my solution is possible.
> > The situation goes like this.
>
> > I'm running squid as proxy and have bind8.2.4 as my nameserver
> > s/w.
>
> > 1) As my security policy, in my firewall I allow the UDP queries to go to
> > some specified nameserver only (let's say my ISP nameserver). This
> > works fine if the ISP nameserver does have the IP for the query. The problem
> > creeps up when the ISP nameserver returns some referrals to me and my
> > bind (nameserver) tries to connect to that nameserver, which is not allowed in the firewall.
> > So can I pose my nameserver as a client to the ISP nameserver and
> > somehow ensure the ISP nameserver works recursively for my nameserver??
>
> Forwarding to your ISP when the ISP does not allow recursive
> queries won't work.
>
> Normally I use a nameserver(s) located on a DMZ or outside the fw and have
> the inside bind's forward-only to that nameserver(s). Applied to
> your scenario, you should allow your bind to ask questions all over the Internet.
> That may imply that your nameserver should be located outside
> your other hosts.
>
> You also must allow tcp questions.
>
> A number of links exist at:
> "http://www.sans.org/infosecFAQ/DNS/DNS_list.htm"
> also the book "Managing DNS & BIND" has a chapter on the issue:
> "http://www.oreilly.com/catalog/dns4/chapter/ch11.html"
>
> > Any help on the above mentioned question or any other solution suiting the
> > presented scenario will be appreciated.
>
> > Bharat
>
> --
> Peter Håkanson
> IPSec Sverige (At the Riverside of Gothenburg, home
> of Volvo)
> Sorry about my e-mail address, but I'm trying to keep spam out.
> Remove "icke-reklam" and "invalid" and it works.
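As an added illustration of the RD/RA point made in this thread (example code, not from any of the posters): a small probe that sends a query with the RD bit set and reports, from the response header alone, whether the server offers recursion (RA), whether it truncated the reply (TC, the case where TCP port 53 must also be open), and whether what came back is an answer, a referral, or REFUSED. The resolver address in the usage line is a placeholder, and the header bytes in the comments are constructed.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Build a minimal DNS query; RD=1 asks the server to recurse for us."""
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD is bit 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN

def classify_response(data):
    """Read the 12-byte header and say what kind of reply this is."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qr = (flags >> 15) & 1        # 1 = this is a response
    aa = (flags >> 10) & 1        # authoritative answer
    tc = (flags >> 9) & 1         # truncated: the client must retry over TCP
    ra = (flags >> 7) & 1         # server offers recursion to this client
    rcode = flags & 0xF
    if not qr:
        kind = "not-a-response"
    elif rcode == 5:
        kind = "refused"          # typical for a resolver that denies recursion
    elif rcode != 0:
        kind = "error"
    elif an > 0:
        kind = "answer"
    elif ns > 0 and not aa:
        kind = "referral"         # only NS records: the server did not recurse
    else:
        kind = "nodata"
    return {"kind": kind, "ra": bool(ra), "tc": bool(tc)}

def probe_resolver(server, name="example.com", port=53, timeout=3.0):
    """Send the RD=1 query over UDP to `server` and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(data)

if __name__ == "__main__":
    # 192.0.2.53 is a placeholder; substitute the resolver your firewall permits
    print(probe_resolver("192.0.2.53"))
```

A result of `{"kind": "referral", "ra": False, ...}` from the one server the firewall allows is exactly the failure described in the original question; `"refused"` means the server declines recursion for your source address.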