Question on query-source, transfer-source, notify-source

Barry Finkel b19141 at anl.gov
Wed Jul 28 15:03:43 UTC 2010


I have a BIND config question.  First some history.

My initial two DNS servers (A and B) had three NICs and three IP
addresses.  Then I installed two additional servers (C and D),
each with one NIC; each server has one base address and one DNS address.
All four servers run Solaris.  When I installed C and D, I placed in
the config file

     query-source address <dns-address>;
     transfer-source <dns-address>;
     notify-source <dns-address>;

Then we changed servers A and B to new hardware, and, in addition to
the three NICs each, we have a base, non-DNS address for each.
We made no config file changes, and no users have reported problems.
These "new" servers A and B have been running for a few years.

Now, I am converting all four servers to an Ubuntu platform, and I am
revisiting the config file.  In looking through various firewall and
DNS query logs, I see that machines A and B are using the non-DNS
address for DNS activity.  A and B are sending queries to the Internet
and queries to the hidden BIND master via the non-DNS addresses.
The Internet queries are being blocked at the firewall because we do
not allow non-registered DNS addresses to send DNS queries to the
Internet, and the non-DNS addresses have no firewall conduits.
I can add the three options directives above, as I have done on servers
C and D, but the ARM seems to imply that I can list only one address
in each directive, and I have three DNS addresses for each server.

The BIND is 9.7.x on all machines.  Does anyone have suggestions?
Thanks.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8             Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
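As an added example (not from the poster, the list, or BIND itself), a small Python audit of the kind of firewall-log evidence described in the post: it counts outbound port-53 traffic per source address and flags any server whose DNS traffic leaves from its base (non-DNS) address rather than a registered DNS address. The host addressing and the netfilter-style log lines are constructed placeholders.

```python
import re
from collections import Counter

# Constructed addressing: each server's base (non-DNS) address and its
# registered DNS addresses. Placeholder values, not the poster's real ones.
HOSTS = {
    "A": {"base": "192.0.2.10", "dns": {"192.0.2.11", "192.0.2.12", "192.0.2.13"}},
    "C": {"base": "192.0.2.30", "dns": {"192.0.2.31"}},
}

# Constructed netfilter-style firewall log lines (not real log data).
SAMPLE_LOG = """\
Jul 28 10:01:02 fw kernel: DROP IN=eth1 SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=41022 DPT=53
Jul 28 10:01:05 fw kernel: ACCEPT IN=eth1 SRC=192.0.2.11 DST=198.51.100.53 PROTO=UDP SPT=41023 DPT=53
Jul 28 10:01:09 fw kernel: DROP IN=eth1 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=50011 DPT=53
Jul 28 10:02:00 fw kernel: ACCEPT IN=eth2 SRC=192.0.2.31 DST=198.51.100.53 PROTO=UDP SPT=39001 DPT=53
Jul 28 10:02:30 fw kernel: ACCEPT IN=eth1 SRC=192.0.2.11 DST=198.51.100.80 PROTO=TCP SPT=50100 DPT=443
"""

FIELDS = re.compile(r"\b(?P<verdict>ACCEPT|DROP)\b.*?\bSRC=(?P<src>[\d.]+).*?\bDPT=(?P<dpt>\d+)")


def classify(ip):
    """Map a source address to (host, role); role is 'base', 'dns' or 'unknown'."""
    for host, addrs in HOSTS.items():
        if ip == addrs["base"]:
            return host, "base"
        if ip in addrs["dns"]:
            return host, "dns"
    return None, "unknown"


def audit_dns_sources(log_text):
    """Count outbound port-53 traffic per source address and mark each source
    that is not a registered DNS address (the symptom of query-source,
    transfer-source and notify-source not being pinned: the kernel picks the
    route's default address, here the base address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if m and m.group("dpt") == "53":
            counts[m.group("src")] += 1
    findings = []
    for ip, n in sorted(counts.items()):
        host, role = classify(ip)
        findings.append({"src": ip, "host": host, "role": role,
                         "count": n, "misconfigured": role != "dns"})
    return findings


def misconfigured_hosts(log_text):
    """Hosts whose DNS traffic was seen leaving from a non-DNS address."""
    return sorted({f["host"] for f in audit_dns_sources(log_text)
                   if f["misconfigured"] and f["host"]})


if __name__ == "__main__":
    for finding in audit_dns_sources(SAMPLE_LOG):
        print(finding)
    print("hosts to fix:", misconfigured_hosts(SAMPLE_LOG))
```

Run against real firewall or query logs, a non-empty result from misconfigured_hosts() is the signal that the *-source directives need setting on that server before the Ubuntu cutover.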