RE: [fw-wiz] PIX, DNS fixups and Zone Transfers
From: Max Enders (Max.Enders_at_watchguard.com)
Date: 05/27/03
- Previous message: R. DuFresne: "Re: [fw-wiz] What challenges are security admins facing?"
- Maybe in reply to: Bruce Smith: "[fw-wiz] PIX, DNS fixups and Zone Transfers"
- Next in thread: Reckhard, Tobias: "RE: [fw-wiz] PIX, DNS fixups and Zone Transfers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <firewall-wizards@honor.icsalabs.com> Date: Tue, 27 May 2003 10:37:56 -0700
Bruce,
You need to configure split horizon DNS. You should find plenty of information if you google it.
Regards,
Max Enders
> -----Original Message-----
> From: Bruce Smith [mailto:bruce_the_loon@worldonline.co.za]
> Sent: Monday, May 26, 2003 12:56 PM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] PIX, DNS fixups and Zone Transfers
>
>
> Hi
>
> We've recently implemented a PIX (6.3) firewall setup, resulting in two DNS
> servers that were previously exposed in the outside network being moved
> behind the PIX into the DMZ, and getting 2 new IP addresses, eg 192.168.34.2
> to 192.168.35.2. We mapped the original IP on the outside to the new IP on
> the DMZ via static commands and the proxy arp bits. On the DNS servers, the
> IPs referred to in the forward and reverse zones were changed to match the
> current setup so that lookups by machines on the DMZ would work fine. So far
> so good. DNS fixup handles the translation of DNS lookups from outside
> perfectly.
>
> Thus arises our problem. Our DNS zones have one primary and 4 secondaries,
> three of which are on separate sites and continents. Now when they do a zone
> transfer of our zones, the mapped IP addresses are NOT changed in the zone,
> so looking up on those zones brings up the new IP address, not the old. That
> IP isn't visible on the 'Net. We hacked around the problem by giving each
> machine two names, eg dns1.domain.com and dns1r.domain.com. dns1.domain.com,
> the address known to the world at large, maps to the old IP. dns1r.domain.com
> is the new one. By some careful juggling of several crates of eggs, this is
> working, for the moment. However it is a precarious position to be in.
>
> As far as I can tell, I'll have to begin the laborious process of changing
> our DNS by exposing the new IP directly, while still listening on the old
> one via alias or something, and then getting hold of our secondaries and
> having them change the slave zones. Once all that is up and running, we have
> to let the parent zones for our domains know about the new IPs so they can
> hand off properly. And not to mention getting the domains we are secondaries
> for to update their stuff.
>
> So in quiet desperation, does anyone have a better idea of how to fix this
> situation? Is there a PIX switch I missed? A zone transfer fixup? Or should
> I place our DNS servers outside the firewall and hope they're as hard as we
> think they are?
>
> Thanks in advance for any ideas and comments you may have. If I gave you a
> headache with this email, it can't cut close to the one this problem has
> given us.
>
> Bruce A Smith
> Internet Services Administrator
> PE Technikon
> South Africa.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
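As an added illustration of the split-horizon setup Max recommends (this is not part of either message, and neither poster supplied a configuration): BIND 9 views let the same server hand the DMZ addresses to hosts inside the PIX and the public addresses to everyone else, including the off-site secondaries. Because the external secondaries pull their AXFR from the external view, the transferred zone already contains the public addresses and no PIX fixup is involved, which removes the need for the dns1/dns1r double-naming hack. The DMZ addresses 192.168.34.2 and 192.168.35.2 come from Bruce's post; the public addresses 203.0.113.2/203.0.113.3 and the secondary addresses 198.51.100.10/198.51.100.11 are assumed placeholders, as are the file names and zone name.

```conf
// Added example (named.conf excerpt): split-horizon DNS with BIND 9 views.
// Assumed placeholders: 203.0.113.x for the public IPs behind the PIX statics,
// 198.51.100.x for the off-site secondaries, "domain.com" for the zone.

acl "dmz"             { 192.168.34.0/24; 192.168.35.0/24; };
acl "ext-secondaries" { 198.51.100.10; 198.51.100.11; };

options {
    directory "/var/named";
    recursion no;          // authoritative-only by default; enabled per view below
};

// Views are matched in order. The DMZ view must come first: if DMZ hosts fell
// through to the external view they would be handed public addresses that
// are not reachable from inside the PIX.
view "dmz" {
    match-clients { "dmz"; localhost; };
    recursion yes;
    zone "domain.com" {
        type master;
        file "dmz/db.domain.com";       // A records carry the 192.168.x.x DMZ addresses
        allow-transfer { "dmz"; };      // only the second DMZ server may pull this copy
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "domain.com" {
        type master;
        file "external/db.domain.com";  // A records carry the public 203.0.113.x addresses
        allow-transfer { "ext-secondaries"; };
        also-notify { 198.51.100.10; 198.51.100.11; };
    };
};

// The two zone files differ only in the addresses (and must both have their
// serial bumped on every change, or the secondaries will not re-transfer):
//
//   external/db.domain.com          dmz/db.domain.com
//   dns1  IN A  203.0.113.2         dns1  IN A  192.168.34.2
//   dns2  IN A  203.0.113.3         dns2  IN A  192.168.35.2
```

To check it from a DMZ host, `dig @192.168.34.2 dns1.domain.com A +short` should return 192.168.34.2; from an outside host, `dig @203.0.113.2 dns1.domain.com A +short` should return 203.0.113.2; and from one of the listed secondaries, `dig @203.0.113.2 domain.com AXFR` should show only public addresses. Two caveats: the secondaries reach the master through the PIX static, so TCP port 53 (not just UDP) has to be permitted inbound to the DMZ server for the transfer to work at all, and an outside query that somehow matched the DMZ view (for example a misconfigured ACL range) would leak the private addressing, so keep the `match-clients` lists tight and re-run the outside check after every ACL change.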