Firewall Wizards mailing list archives
Re: PIX, DNS fixups and Zone Transfers
From: Barney Wolff <barney () databus com>
Date: Tue, 27 May 2003 10:36:22 -0400
On Mon, May 26, 2003 at 09:55:50PM +0200, Bruce Smith wrote:
We've recently implemented a PIX (6.3) firewall setup, resulting in two DNS servers that were previously exposed in the outside network being moved behind the PIX into the DMZ, and getting 2 new IP addresses, eg 192.168.34.2 to 192.168.35.2. We mapped the original IP on the outside to the new IP on the DMZ via static commands and the proxy arp bits. On the DNS servers, the IP's referred to in the forward and reverse zones were been changed to match the current setup so that lookups by machines on the DMZ would work fine. So far so good. DNS fixup handles the translation of DNS lookups from outside perfectly. Thus arises our problem. Our DNS zones have one primary and 4 secondaries, three of which are on separate sites and continents. Now when they do a zone transfer of our zones, the mapped IP addresses are NOT changed in the zone, so looking up on those zones brings up the new IP address, not the old. That IP isn't visible on the 'Net. We hacked around the problem by giving each machine two names, eg dns1.domain.com and dns1r.domain.com. dns1.domain.com, the address known to the world at large, maps to the old IP. dns1r.domain.com is the new one. By some careful juggling of several crates of eggs, this is working, for the moment. However it is a precarious position to be in.
Since NAT actually adds no security, I'd put the nameservers on a DMZ of their own and not NAT between them and the Internet. For internal lookups, I'd use separate internal servers that forward to the DMZ servers for non-internal domains. Or use views to cause the DMZ servers to return different answers for queries from inside. You can still NAT between inside and outside if management insists. Your nameservers should not be outside the firewall; at least protect them with ACLs that allow only UDP+TCP to port 53 and nothing else. Honor zone transfer requests only from your known secondaries. Allow recursive lookups only from inside hosts. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- PIX, DNS fixups and Zone Transfers Bruce Smith (May 27)
- Re: PIX, DNS fixups and Zone Transfers Barney Wolff (May 27)
- Re: PIX, DNS fixups and Zone Transfers Luca Berra (May 27)
- <Possible follow-ups>
- RE: PIX, DNS fixups and Zone Transfers Max Enders (May 27)
- RE: PIX, DNS fixups and Zone Transfers Reckhard, Tobias (May 28)