Firewall Wizards mailing list archives
BIND, forwarding and firewalls (long)
From: Steve.Bleazard () wdr com
Date: Sun, 11 Oct 1998 12:51:35 +0700
All Folowing on from the recent BIND discussion I have been looking at some of the issues that exist with using the current bind (8.1.2) on a firewall: 1. In a firewall environment it is often the case that requests must be forwarded to different servers depending on the domain. The BIND TODO mentions zone based forwarding but does not expand. The model that seems to best fit is one in which a new zone type of 'forward' is implemented which forwards all requests for that zone to specified servers. 2. It is usually the case that only the firewall has access to exteral nameservers and "internal" machines must use the nameserver on the firewall to resolve addresses. In this case non-recursive queries do not make any sense. Unfortunately it is not always possible to be sure that all requests will have the rd bit set. To resolve this issue it appears desirable to globally force BIND to treat all requests as being recursive. 3. If internal machines have no access to external nameservers then returning information in the authoratitive and additional resource sections of the reply does not make sense. In fact, including this information may break name resolution if an internal nameserver without access to external nameservers is involved. To solve this problem it would be desirable to have a way of controlling the inclusion of this information, preferably on a per-zone basis. 4. Caching can also cause problems where vendors are using the nameserver to handle load balancing and redundancy. Obviously the correct way to do this is to specify a low (0?) TTL thus rapidly expiring cache entry. However, broken implementations can fail to do this. As a result per zone control of caching would be useful. I would be interested in any comments on these issues. Experimentally, I have developed patches to reslove the first three of these, the following details the implementation. 1. Zone forewarding. I have added a new zone type 'forward' that expects a 'forwarders' zone option specifying where to forward requests for names in the specified zone. Thus, zone "foo.com" in { type forward; forwarders { 1.2.3.4; 5.6.7.8; }; }; Will forward requests for names in the foo.com to 1.2.3.4 and 5.6.7.8. The implementation uses the same mechanism as the global forwarders option. 2. Recursion. The recurse global option now handles an extra value of 'always' which forces BIND to assumes all queries are recursive. 3. Replies with information in the authoratitive and additional sections. A new global and zone specific option has been added: 'reply-glue [yes|no]'. Specifying an option of 'reply-glue no' globally forces stripping of all authoratitive and additional records while as a zone option the stripping only applies to requests serviced by the zone. 4. Cache control. This is not implemented as yet but should be trivial as it will use much the same internal mechanism as the zone specific reply-glue. If anyone is interested in these mods please let me know. Steve
Current thread:
- BIND, forwarding and firewalls (long) Steve . Bleazard (Oct 13)
- Re: BIND, forwarding and firewalls (long) Rob Quinn (Oct 16)