Reverse DNS delegation problem

phn at icke-reklam.ipsec.nu
Thu Jul 1 10:16:56 UTC 2004


Chittaranjan Mandal <Chittaranjan.Mandal at iitkgp.ac.in> wrote:
> [Reply to message from "phn at icke-reklam.ipsec.nu" on Tuesday 29 Jun 2004 5:37 pm]

>> >> Do you have forwarding enabled within the part of your named.conf you
>> >> didn't show? Forwarding would override delegation. In order to cancel
>> >> forwarding for the 10.in-addr.arpa hierarchy, you'd need to add
>> >> "forwarders { };" to the apex zone definition.
>> >
>> > Thanks, your solution worked. But I would like queries that are not served by
>> > my local name server to be actually forwarded to some other name server.
>> > How can that be done? Note that this particular nameserver is in a local subnet
>> > and cannot directly communicate with the external world.
>>
>> Why do you want to increase your vulnerability by forwarding? Does
>> it give you any benefit?
> I see only two options when I am behind a firewall and need to resolve public names.
> One is forwarding and the other is using query-source (not sure how this works).

You are saying that your firewall is so old that it cannot deal with
state? Do yourself a favor and replace it. There are numerous
commercial and free ones that will allow UDP queries from inside to be
matched with the answer coming from outside.


> I could not get query-source working. I get the following error.
>    ... could not get query source dispatcher (163.230.124.41#53)

> Having to rely on forwarding, I am forced to do away with delegation,
> since forwarding seems to enjoy precedence over delegation. I am
> able to get my setup working the hard way, by making the dns server the
> master or slave of each local zone.

> I would appreciate being shown an easier option.

As I said, change firewall (maybe your firewall _can_ do this but
it's not correctly configured)

> -Chitta


-- 
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but I'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
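
The arrangement discussed in this thread, as an added example that is not part of the original messages: global forwarding stays on for public names, while an empty forwarders list on the 10.in-addr.arpa apex zone lets delegations below it be followed. The forwarder address, directory, zone file name and delegated name server are placeholders, and "forward only" is an assumption matching a server that cannot reach the outside directly.

```conf
// named.conf fragment (constructed example; all addresses and file names
// below are placeholders, not values from the thread).

options {
    directory "/var/named";

    // Names this server is not authoritative for are sent to the
    // upstream resolver that the local subnet is allowed to reach.
    forwarders { 192.0.2.53; };

    // Assumption: the server has no direct path to the Internet, so it
    // should never fall back to iterating from the root servers itself.
    forward only;
};

// Apex of the internal reverse tree.
// Without the empty forwarders list, queries for names in delegated
// child zones (for example 1.10.in-addr.arpa) would be sent to the
// global forwarder instead of to the name servers listed in the NS
// records of this zone, because forwarding takes precedence over
// delegation.
zone "10.in-addr.arpa" {
    type master;
    file "db.10";

    // Cancel forwarding for everything at or below 10.in-addr.arpa,
    // so the delegations in db.10 are followed.
    forwarders { };
};

// Matching delegation inside db.10 (placeholder child name server):
//
//   1    IN  NS  ns1.dept.example.
//
// With the zone above, a PTR query for 5.0.1.10.in-addr.arpa is
// resolved by asking ns1.dept.example directly, while a query for a
// public name still goes to 192.0.2.53.
```

Keeping the forwarder list to resolvers the site controls or trusts limits how much of the cache depends on a third party's answers, which is the exposure the reply above is asking about.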


More information about the bind-users mailing list