Redhat 6 Bind/Wink 2k IIS DHCP

Simon Waters Simon at wretched.demon.co.uk
Tue Nov 4 00:54:28 UTC 2003


Barry Margolin wrote:
>
> And some do both.  I think PIX performs translation in ordinary queries,
> but not in zone transfers.  This gets pretty confusing; I've noticed
> private addresses in the zone files on our slave servers, but when I
> manually query the customer's master I see public addresses.

I always thought the CISCO DNS ALG was designed for glueing together 2
networks with overlapping IP address ranges.

Here the mangling of DNS packets, and the updating of NAT/PAT tables,
means the networks can interoperate despite overlapping IP address schemes.

In such circumstances rewriting zone transfers is inappropriate, as
otherwise you might as well just define static mappings from one address
space to the other.

This is certainly the only circumstance in which I have ever proposed
using it, and the client (I think wisely) went with one of the other
suggested configurations. Actually the client had multiple large
networks, several of which were using overlapping chunks of 10/8, and
wanted an Intranet design plan that could be given to the relevant
divisions.

I didn't think it was THAT confusing; all you have to do is ensure the
networks involved present a consistent view to a central backbone;
beyond that any problems are diagnosed from the backbone network. What
worried me is none of the CISCO certified engineers on the project had
ever used it like this, even though CISCO document this approach. It is
only ever really intended as a transitional arrangement, whilst networks
got renumbered.

Certainly you can operate DNS behind NAT fine without any rewriting on
the contents of packets, for as long as you are prepared to handle the
special case of the clients behind the NAT, who may want the private
address of the DNS server (and other local services).



More information about the bind-users mailing list
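
The packet rewriting discussed in this thread, as an added example that is not part of the original post and is not Cisco's implementation: a minimal DNS payload rewriter that translates A-record addresses through a static NAT map for ordinary queries and leaves zone transfers alone, which produces the private-on-the-slave, public-on-query mismatch described above. The NAT mapping, the sample name and the helper names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed static NAT mapping (hypothetical): inside private -> outside public.
NAT_MAP = {ipaddress.IPv4Address("10.1.2.3"): ipaddress.IPv4Address("192.0.2.3")}
TYPE_A, TYPE_AXFR = 1, 252

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:             # root label ends the name
            return off
        off += length

def doctor(msg, nat_map=NAT_MAP):
    """Rewrite A-record RDATA per nat_map; pass zone transfers through unchanged."""
    out = bytearray(msg)
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12                        # fixed DNS header length
    for _ in range(qd):
        off = skip_name(msg, off)
        qtype, _qclass = struct.unpack_from("!2H", msg, off)
        if qtype == TYPE_AXFR:      # assumption from the thread: transfers untranslated
            return bytes(out)
        off += 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addr = ipaddress.IPv4Address(bytes(msg[off:off + 4]))
            if addr in nat_map:     # same length, so no offsets or counts change
                out[off:off + 4] = nat_map[addr].packed
        off += rdlen
    return bytes(out)

def build_response(qtype):
    """Constructed sample: one question and one A answer for www.example.com."""
    header = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0)
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!2H", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!2HIH4s", TYPE_A, 1, 300, 4, bytes([10, 1, 2, 3]))
    return header + question + answer

def answer_ip(msg):
    """Address carried in the final A record of the constructed sample."""
    return str(ipaddress.IPv4Address(msg[-4:]))
```

Comparing `answer_ip(doctor(build_response(TYPE_A)))` with the same call for `TYPE_AXFR` shows why a slave's zone file and a direct query to the master can disagree when such a device sits in the path.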