Brooks Carlson wrote:
Hi Brooks,
> After some struggling with DHCP (finally got that working), now I am
> noticing in Checkpoint logs
> that the internal DNS server is trying to contact a.root-servers.net,
> b.root-servers.net, etc. I did not notice
> anything about these root-servers in DNS configurations at Phoneboy or
> Checkpoint's site.
Your DNS server (assuming Unix) would have a named.cache file (on Linux it
resides in /var/named usually, and is also sometimes called "named.ca"), which
defines the root servers.
In the process of DNS resolution your DNS server will first query (the root)
DNSs, who will refer you to the first TLD DNS for the domain you are looking
for; you will then be referred to another DNS, and down the tree you go until
you find what you're looking for. (Think of the domain as being backwards: the
leading dot signifies the root servers, thus you would look up
".com.google.www", working your way down each part of the domain name to the
entry you're looking for. In this case, www of google with a TLD of .com.)
The moral of the story is, the root servers simply refer you to the next DNS,
thus you must allow inbound->outbound connectivity to 'any', unless you can
predict you always look up a finite set of domains and you have accounted for
every DNS in the chain in your firewall rules, but this also means if
anything is changed, your setup will break (read: this is not recommended).
There are a few ways to implement split-horizon DNS, some people configure
forwarders from the internal DNS to the external DNS, however this requires
your external DNS be recursive. (In my case I didn't want this.)
In my particular setup, my internal DNSs are recursive, and my external DNSs
are non-recursive. There is a stateful firewall in between. Thus the
internal DNSs use a state rule to go out to (any) the Internet and look up
anything they need (PIX has some added protection in this area for DNS
specifically over FW-1), while the border routers allow DNS queries from the
net to the external-side (non-recursive) DNSs.
Good ingress rules at the border also help strengthen the (flimsy) DNS ACLs
and make it harder for people to mess with things.
> Logs:
>
> Drop Internal_DNS a.root-servers.net UDP Rule16(drop rule)
> domain-udp
>
> I have a rule that says:
> Internal_Net DNS_Servers udp-domain,tcp-domain Accept loglong
>
> BUT I don't have a.root-servers.net,etc. listed in DNS_Servers. Should I?
> Is this strange?
Looks like the rule you have is a 'client-side' rule, i.e. your clients
querying your DNS server.
You also need a 'server-side' rule to allow your DNS out to the net, to
look up whatever it needs (assuming a deny-all-outbound default rule); hence
your logs say 'trying to reach the root-servers' and getting dropped.
Without looking at a network diagram or the members of the groups in your
ruleset, it's difficult to guess what you need to do exactly, but I hope this
gives you some idea.
Cheers,
Chris.
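To make the delegation walk above concrete, here is an added Python example (not part of the original reply, and not Check Point or BIND code). It simulates iterative resolution over a constructed delegation tree, standing in for the root hints in named.cache, then derives the outbound UDP/TCP 53 flows the resolver's 'server-side' firewall rule must permit and shows which of them a rule that only lists DNS_Servers would drop. All server names and addresses are constructed (documentation ranges); the resolver address 10.0.0.53 is an assumption.

```python
"""Added example: iterative DNS resolution through a constructed delegation
tree, and the outbound flows a resolver-side firewall rule must permit.
Not part of the original mailing-list reply; all data below is constructed."""
from typing import Dict, List, Optional, Tuple

# zone name -> (record type, {owner name: IP}); "NS" is a referral, "A" an answer
RecordSet = Dict[str, Tuple[str, Dict[str, str]]]

# Constructed root hints, standing in for the named.cache / named.ca file.
ROOT_HINTS: Dict[str, str] = {
    "a.root.example.": "198.51.100.1",
    "b.root.example.": "198.51.100.2",
}

# Constructed authoritative data, keyed by server IP.
SERVERS: Dict[str, RecordSet] = {
    "198.51.100.1": {"com.": ("NS", {"a.tld.example.": "203.0.113.10"})},
    "198.51.100.2": {"com.": ("NS", {"a.tld.example.": "203.0.113.10"})},
    "203.0.113.10": {"google.com.": ("NS", {"ns1.google.example.": "192.0.2.53"})},
    "192.0.2.53": {"www.google.com.": ("A", {"www.google.com.": "192.0.2.80"})},
}


def _best_match(qname: str, records: RecordSet) -> Optional[str]:
    """Return the longest zone name in `records` that qname falls under."""
    matches = [z for z in records if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None


def iterative_resolve(qname: str, root_hints: Dict[str, str] = ROOT_HINTS,
                      servers: Dict[str, RecordSet] = SERVERS, max_hops: int = 8
                      ) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the delegation chain from a root server down to the answer.

    Returns (answer_ip, path); path lists every (server_name, server_ip) the
    resolver had to contact. Raises LookupError if the chain breaks.
    """
    if not qname.endswith("."):
        qname += "."
    name, ip = next(iter(root_hints.items()))   # start at the first root hint
    path: List[Tuple[str, str]] = []
    for _ in range(max_hops):
        path.append((name, ip))
        records = servers.get(ip, {})
        zone = _best_match(qname, records)
        if zone is None:
            raise LookupError(f"{name} has no data for {qname}")
        rtype, data = records[zone]
        if rtype == "A" and qname in data:
            return data[qname], path
        if rtype == "NS":
            name, ip = next(iter(data.items()))  # follow the referral downward
            continue
        raise LookupError(f"unexpected record {rtype} at {name}")
    raise LookupError("delegation chain too long")


def outbound_flows(path: List[Tuple[str, str]]) -> List[Tuple[str, str, int]]:
    """(dst_ip, proto, port) tuples the resolver's server-side rule must permit."""
    return sorted({(ip, proto, 53) for _, ip in path for proto in ("udp", "tcp")})


def dropped_by_rule(flows, allowed_dsts: set) -> List[Tuple[str, str, int]]:
    """Flows a destination-list rule (like Internal_Net -> DNS_Servers) drops."""
    return [f for f in flows if f[0] not in allowed_dsts]


if __name__ == "__main__":
    answer, path = iterative_resolve("www.google.com")
    print("answer:", answer)
    for hop, (name, ip) in enumerate(path, 1):
        print(f"  hop {hop}: {name} ({ip})")
    flows = outbound_flows(path)
    # A rule whose destinations list only the internal resolver (assumed 10.0.0.53)
    # drops every referral hop, which is what the Rule16 drop log shows.
    print("dropped:", dropped_by_rule(flows, allowed_dsts={"10.0.0.53"}))
```

The point the simulation makes is that the resolver's path (root, then TLD, then the zone's own servers) is determined by the delegation data, not by anything in the firewall's group definitions, so a stateful rule from the internal resolver to 'any' on UDP/TCP 53 is the only way to cover it without breaking on the next delegation change.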