[fw-wiz] PIX, DNS fixups and Zone Transfers

From: Bruce Smith (bruce_the_loon_at_worldonline.co.za)
Date: 05/26/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 26 May 2003 21:55:50 +0200
    

    Hi

    We've recently implemented a PIX (6.3) firewall setup, resulting in two DNS
    servers that were previously exposed in the outside network being moved
    behind the PIX into the DMZ, and getting 2 new IP addresses, e.g. 192.168.34.2
    to 192.168.35.2. We mapped the original IP on the outside to the new IP on
    the DMZ via static commands and the proxy arp bits. On the DNS servers, the
    IPs referred to in the forward and reverse zones were changed to match
    the current setup so that lookups by machines on the DMZ would work fine. So
    far so good. DNS fixup handles the translation of DNS lookups from outside
    perfectly.

    Thus arises our problem. Our DNS zones have one primary and 4 secondaries,
    three of which are on separate sites and continents. Now when they do a zone
    transfer of our zones, the mapped IP addresses are NOT changed in the zone,
    so looking up on those zones brings up the new IP address, not the old. That
    IP isn't visible on the 'Net. We hacked around the problem by giving each
    machine two names, e.g. dns1.domain.com and dns1r.domain.com. dns1.domain.com,
    the address known to the world at large, maps to the old IP.
    dns1r.domain.com is the new one. By some careful juggling of several crates
    of eggs, this is working, for the moment. However it is a precarious
    position to be in.

    As far as I can tell, I'll have to begin the laborious process of changing
    our DNS by exposing the new IP directly, while still listening on the old
    one via alias or something, and then getting hold of our secondaries and
    having them change the slave zones. Once all that is up and running, we have
    to let the parent zones for our domains know about the new IPs so they can
    hand off properly. And not to mention getting the domains we are secondaries
    for to update their stuff.

    So in quiet desperation, does anyone have a better idea of how to fix this
    situation? Is there a PIX switch I missed? A zone transfer fixup? Or should
    I place our DNS's outside the firewall and hope they're as hard as we think
    they are?

    Thanks in advance for any ideas and comments you may have. If I gave you a
    headache with this email, it can't cut close to the one this problem has
    given us.

    Bruce A Smith
    Internet Services Administrator
    PE Technikon
    South Africa.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
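As an added illustration of the mismatch the post describes (example code written for this page, not from the poster or from Cisco): a check that parses a zone as a secondary receives it over AXFR, flags A records pointing at DMZ addresses that sit behind a PIX static, and rewrites them through the static table to show what outside resolvers need to see. The sample zone, the DMZ subnet (following the poster's 192.168.35.x example) and the static NAT table are constructed.

```python
import ipaddress
import re

# Constructed sample: the zone as a secondary receives it over AXFR. The PIX
# DNS fixup rewrites A records in ordinary lookup replies, but the zone
# transfer carries the DMZ addresses through unchanged.
SAMPLE_ZONE = """\
$ORIGIN domain.com.
@      IN SOA dns1.domain.com. hostmaster.domain.com. (2003052601 3600 900 604800 3600)
@      IN NS  dns1.domain.com.
@      IN NS  dns2.domain.com.
dns1   IN A   192.168.35.2
dns2   IN A   192.168.35.3
www    IN A   192.168.35.10
extern IN A   203.0.113.5
"""

# Constructed: the DMZ subnet and the outside address each DMZ host is
# mapped to by a PIX 'static' line (outside addresses are documentation space).
DMZ_NET = ipaddress.ip_network("192.168.35.0/24")
STATIC_NAT = {"192.168.35.2": "192.0.2.2", "192.168.35.3": "192.0.2.3"}

# Owner, optional TTL, class IN, type A, address. Does not match SOA/NS/AAAA.
A_RECORD = re.compile(r"^(\S+)[ \t]+(?:\d+[ \t]+)?IN[ \t]+A[ \t]+(\S+)[ \t]*$",
                      re.MULTILINE)


def a_records(zone_text):
    """Return (owner, address) pairs for every A record in the zone text."""
    return [(m.group(1), m.group(2)) for m in A_RECORD.finditer(zone_text)]


def leaked_records(zone_text, dmz_net=DMZ_NET, static_nat=STATIC_NAT):
    """A records whose address is in the DMZ, so unreachable from the Internet.

    Each entry is (owner, dmz_address, outside_address); outside_address is
    None when no static exists for that host, i.e. the record is simply dead
    for anyone outside the firewall.
    """
    return [(owner, addr, static_nat.get(addr))
            for owner, addr in a_records(zone_text)
            if ipaddress.ip_address(addr) in dmz_net]


def outside_view(zone_text, static_nat=STATIC_NAT):
    """Rewrite A records through the static table: the zone the secondaries
    would need, which is what the DNS fixup does for single replies only."""
    def swap(m):
        return f"{m.group(1)} IN A {static_nat.get(m.group(2), m.group(2))}"
    return A_RECORD.sub(swap, zone_text)
```

Running `leaked_records` over a zone pulled from each secondary is a quick way to see which names still advertise DMZ addresses while the renumbering is in progress.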
