Firewall Wizards mailing list archives

PIX, DNS fixups and Zone Transfers


From: "Bruce Smith" <bruce_the_loon () worldonline co za>
Date: Mon, 26 May 2003 21:55:50 +0200

Hi

We've recently implemented a PIX (6.3) firewall setup, resulting in two DNS
servers that were previously exposed in the outside network being moved
behind the PIX into the DMZ, and getting 2 new IP addresses, eg 192.168.34.2
to 192.168.35.2. We mapped the original IP on the outside to the new IP on
the DMZ via static commands and the proxy arp bits. On the DNS servers, the
IP's referred to in the forward and reverse zones were changed to match
the current setup so that lookups by machines on the DMZ would work fine. So
far so good. DNS fixup handles the translation of DNS lookups from outside
perfectly.

Thus arises our problem. Our DNS zones have one primary and 4 secondaries,
three of which are on separate sites and continents. Now when they do a zone
transfer of our zones, the mapped IP addresses are NOT changed in the zone,
so looking up on those zones brings up the new IP address, not the old. That
IP isn't visible on the 'Net. We hacked around the problem by giving each
machine two names, eg dns1.domain.com and dns1r.domain.com. dns1.domain.com,
the address known to the world at large, maps to the old IP.
dns1r.domain.com is the new one. By some careful juggling of several crates
of eggs, this is working, for the moment. However it is a precarious
position to be in.

As far as I can tell, I'll have to begin the laborious process of changing
our DNS by exposing the new IP directly, while still listening on the old
one via alias or something, and then getting hold of our secondaries and
having them change the slave zones. Once all that is up and running, we have
to let the parent zones for our domains know about the new IP's so they can
hand off properly. And not to mention getting the domains we are secondaries
for to update their stuff.

So in quiet desperation, does anyone have a better idea of how to fix this
situation? Is there a PIX switch I missed? A zone transfer fixup? Or should
I place our DNS's outside the firewall and hope they're as hard as we think
they are?

Thanks in advance for any ideas and comments you may have. If I gave you a
headache with this email, it can't cut close to the one this problem has
given us.

Bruce A Smith
Internet Services Administrator
PE Technikon
South Africa.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
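The problem in the post is that the PIX DNS fixup rewrites addresses in query answers that cross a static translation, but an AXFR to an off-site secondary is not rewritten, so the secondaries end up serving DMZ addresses. The following is an added example, not code from the original message or from Cisco: it applies the same static (outside, DMZ) mapping to the zone data itself before it is handed to secondaries, and reports any A record that still points into the DMZ range, which is exactly the record an outside resolver could never reach. The static NAT pairs, subnet, zone contents and names are constructed placeholders, not the poster's.

```python
"""Rewrite a forward zone for external consumption using a PIX-style static NAT table.

Added example, not from the original post. The firewall rewrites A records in
answers that pass through a static translation, but not the records carried in
a zone transfer, so this does the rewrite on the zone data itself and flags
leftover DMZ addresses. All addresses and names below are constructed.
"""

import ipaddress
import re

# Constructed: the pairs a 'static (dmz,outside) <outside_ip> <dmz_ip>' line
# would define, keyed by DMZ address. Hypothetical values.
STATIC_NAT = {
    "192.168.34.2": "203.0.113.2",   # dns1: DMZ address -> globally routable address
    "192.168.34.3": "203.0.113.3",   # dns2
}

# Constructed: the DMZ subnet. Any A record still inside it after rewriting
# is a leak, because nothing on the Internet can route to it.
DMZ_NETWORK = ipaddress.ip_network("192.168.34.0/24")

# Constructed zone, as the primary serves it to hosts on the DMZ.
INTERNAL_ZONE = """\
$TTL 3600
@       IN  SOA dns1.example.test. hostmaster.example.test. ( 2003052601 3600 900 604800 86400 )
@       IN  NS  dns1.example.test.
@       IN  NS  dns2.example.test.
dns1    IN  A   192.168.34.2
dns2    IN  A   192.168.34.3
www     IN  A   192.168.34.10
mail    IN  A   203.0.113.25
"""

# Owner, optional TTL, class IN, type A, dotted-quad address at end of line.
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def rewrite_zone(zone_text, nat_table=STATIC_NAT, dmz=DMZ_NETWORK):
    """Return (external_zone_text, leaked_records).

    Every A record whose address has a static translation is rewritten to the
    outside address, mirroring what the DNS fixup does to query answers. Any A
    record whose address is still inside the DMZ network is reported as a leak
    (owner, address) so it can be fixed before the zone reaches a secondary.
    Non-A records (SOA, NS, MX, ...) are passed through untouched.
    """
    out_lines = []
    leaks = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if not m:
            out_lines.append(line)
            continue
        owner, addr = m.groups()
        if addr in nat_table:
            # Splice in the outside address at the exact span the regex matched,
            # rather than a substring replace that could touch the owner name.
            line = line[:m.start(2)] + nat_table[addr] + line[m.end(2):]
            addr = nat_table[addr]
        if ipaddress.ip_address(addr) in dmz:
            leaks.append((owner, addr))
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", leaks


if __name__ == "__main__":
    external, leaked = rewrite_zone(INTERNAL_ZONE)
    print(external)
    for owner, addr in leaked:
        print(f"LEAK: {owner} still points at DMZ address {addr}")
```

Run against the constructed zone, dns1 and dns2 come out with their outside addresses, mail is already public and passes through, and www is reported because no static exists for 192.168.34.10. The reverse zones the post mentions need the same treatment in the other direction (PTR owners under the outside netblock), and the SOA serial of the external copy has to be bumped so the secondaries actually pull it; both are deliberately left out of this block.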