Firewall Wizards mailing list archives
PIX, DNS fixups and Zone Transfers
From: "Bruce Smith" <bruce_the_loon () worldonline co za>
Date: Mon, 26 May 2003 21:55:50 +0200
Hi,

We've recently implemented a PIX (6.3) firewall setup, resulting in two DNS servers that were previously exposed on the outside network being moved behind the PIX into the DMZ and getting 2 new IP addresses, e.g. 192.168.34.2 to 192.168.35.2. We mapped the original IP on the outside to the new IP on the DMZ via static commands and the proxy ARP bits. On the DNS servers, the IPs referred to in the forward and reverse zones were changed to match the current setup so that lookups by machines on the DMZ would work fine. So far so good. DNS fixup handles the translation of DNS lookups from outside perfectly.

Thus arises our problem. Our DNS zones have one primary and 4 secondaries, three of which are on separate sites and continents. Now when they do a zone transfer of our zones, the mapped IP addresses are NOT changed in the zone, so looking up on those zones brings up the new IP address, not the old. That IP isn't visible on the 'Net.

We hacked around the problem by giving each machine two names, e.g. dns1.domain.com and dns1r.domain.com. dns1.domain.com, the address known to the world at large, maps to the old IP. dns1r.domain.com is the new one. By some careful juggling of several crates of eggs, this is working, for the moment. However, it is a precarious position to be in.

As far as I can tell, I'll have to begin the laborious process of changing our DNS by exposing the new IP directly, while still listening on the old one via an alias or something, and then getting hold of our secondaries and having them change the slave zones. Once all that is up and running, we have to let the parent zones for our domains know about the new IPs so they can hand off properly. And not to mention getting the domains we are secondaries for to update their stuff.

So in quiet desperation, does anyone have a better idea of how to fix this situation? Is there a PIX switch I missed? A zone transfer fixup? Or should I place our DNS servers outside the firewall and hope they're as hard as we think they are?

Thanks in advance for any ideas and comments you may have. If I gave you a headache with this email, it can't cut close to the one this problem has given us.

Bruce A Smith
Internet Services Administrator
PE Technikon
South Africa

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
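An added check, not part of the post or the thread: given the zone text a secondary holds after an AXFR and the PIX static map (outside address to DMZ address), it flags the A records whose DMZ address the DNS fixup rewrites in query answers but not in a zone transfer, and builds the outside-view zone the secondaries should be served instead. The sample zone, the DMZ range and the mapping are constructed from the example addresses in the post and are assumptions, not the poster's real configuration.

```python
import ipaddress
import re

# Constructed sample of what a secondary holds after AXFR (not real data);
# addresses follow the post's example: old outside 192.168.34.x, new DMZ 192.168.35.x.
SAMPLE_ZONE = """\
$ORIGIN domain.com.
@         IN SOA  dns1.domain.com. hostmaster.domain.com. (2003052601 3600 900 604800 3600)
@         IN NS   dns1.domain.com.
dns1      IN A    192.168.34.2    ; old outside address, still correct for the world
dns1r     IN A    192.168.35.2    ; new DMZ address, leaks via AXFR
www       IN A    192.168.35.10
intranet  IN A    192.168.35.50   ; DMZ-only host with no static, should not be public
mail      IN A    203.0.113.25
"""

DMZ_NET = ipaddress.ip_network("192.168.35.0/24")          # assumed DMZ range
# Assumed PIX statics, keyed by DMZ (new) address -> outside (old) address
STATIC_MAP = {"192.168.35.2": "192.168.34.2", "192.168.35.10": "192.168.34.10"}

A_RECORD = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(?P<ip>\d+(?:\.\d+){3})\b")

def audit_zone(zone_text, dmz_net=DMZ_NET, static_map=STATIC_MAP):
    """Return (owner, dmz_ip, outside_ip_or_None) for every A record carrying
    a DMZ address; the fixup rewrites these in query answers, not in an AXFR."""
    findings = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.split(";", 1)[0])
        if m and ipaddress.ip_address(m["ip"]) in dmz_net:
            findings.append((m["owner"], m["ip"], static_map.get(m["ip"])))
    return findings

def externalize_zone(zone_text, dmz_net=DMZ_NET, static_map=STATIC_MAP):
    """Build the outside view for secondaries: swap mapped DMZ addresses for
    their static outside addresses and drop DMZ records that have no static."""
    out = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.split(";", 1)[0])
        if m and ipaddress.ip_address(m["ip"]) in dmz_net:
            if m["ip"] not in static_map:
                continue                      # unreachable from outside: omit
            line = line.replace(m["ip"], static_map[m["ip"]], 1)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for owner, dmz_ip, outside in audit_zone(SAMPLE_ZONE):
        print(f"{owner}: {dmz_ip} -> {outside or 'NO STATIC, unreachable from outside'}")
    print(externalize_zone(SAMPLE_ZONE))
```

Run the audit against the zone as a remote secondary actually holds it (a copy of its slave zone file) rather than against the primary, since it is the transferred copy that leaks.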
Current thread:
- PIX, DNS fixups and Zone Transfers Bruce Smith (May 27)
- Re: PIX, DNS fixups and Zone Transfers Barney Wolff (May 27)
- Re: PIX, DNS fixups and Zone Transfers Luca Berra (May 27)
- <Possible follow-ups>
- RE: PIX, DNS fixups and Zone Transfers Max Enders (May 27)
- RE: PIX, DNS fixups and Zone Transfers Reckhard, Tobias (May 28)