Thursday, June 23, 2011

Re: Modify one PTR in existing bind9 setup?

Michelle Konzack <linux4michelle@tamay-dogan.net> writes:

> Hello lee,
>
> Am 2011-06-22 22:48:58, hacktest Du folgendes herunter:
>> When the router is already asking <dns1.private> for the IP addresses of
>> the NTP servers the router wants to connect to, what prevents you from
>> making DNS entries on <dns1.private> which will resolve the queries of
>> the router to the IP addresses of your private NTP server?
>
> Because this route makes weird traffic. Since the router OS is not
> Linux based I cannot do very much analyzing as best as possible.
>
> It seems the router has hardcoded routes and if I tell it to use
> <dns1.private> it makes lookups on it, but then I get connections from
> my router elsewhere... asking for <178.63.64.14> and <109.75.190.27>.


,---- [ Message-ID: <20110622150732.GO4017@michelle1> ]
| The current setup is:
|
|  <dns1@tamay-dogan.net>-+                       +--<dns.private>
|  <dns2@tamay-dogan.net>-+                       +--<ntp.private>
|                         |                       +--<samba.private>
|  INTERNET               +---- router with a ----+
|                         |    crappy NTP Client  +--<michelle1.private>
|  <ntp1_by_IP>-----------+                       +--<devel.private>
|  <ntp2_by_IP>-----------+
|      capturing uncontrolled
|      data from my router
`----


As long as your router is connected to the internet directly, I think
there isn't anything you could do to prevent it from making connections
to hosts on the internet the way it wants to, unless you can make
settings in the router itself that would prevent it from doing so.

I don't understand what this has to do with routing:


1.) If the router uses IP addresses of NTP servers instead of looking up
the IPs by hostnames, it doesn't need to query your name server.

2.) If it queries your name server for IP addresses of NTP servers,
receives the IP addresses of them and then still connects to
different IP addresses than those given by your name server to send
NTP requests to, the router is broken (Or perhaps restarting it
helps?).


That leaves you with some options, listed in no particular order:


1.) replace the router

2.) Omit the router and use one of the hosts on the right side of your
schematic to replace it.

3.) Don't connect the router to the internet directly but through one of
the hosts on the left side of your schematic. The host would capture
the NTP traffic and operate as a router for the router. (probably
not feasible)

4.) like 3.), but connecting the router to one of the hosts on the right
rather than on the left side

5.) leave it as it is

6.) turn off NTP in the router

7.) Make the manufacturer of the router fix the NTP client.

8.) If the router allows you to set static routes, set static routes for
the two IPs it sends NTP requests to. Add two network cards to one
of the hosts on the right side the static routes point to and give
them the IPs the router is sending its requests to. Attaching two
more IPs to an existing network card should suffice, though. The
disadvantage is that the hosts outside of your network which have
these IPs become unreachable from inside your network.


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87boxoptqj.fsf@yun.yagibdah.de
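A way to spot the behaviour lee describes in point 2 above (the router getting answers from dns1.private and then sending NTP to addresses it was never given), as an added example that is not part of the thread: it cross-checks resolver-answer log lines against firewall log lines for UDP/123 flows. The two log formats, the client address 192.168.1.1 and the 192.0.2.x answers are constructed assumptions; the two outside addresses are the ones Michelle reports.

```python
"""Flag NTP destinations a client uses that the local resolver never returned.
Added example for this thread, not code from the list; log formats are assumed."""
import re
from collections import defaultdict

# Constructed sample: a hypothetical "answer" log from dns1.private for the
# router (192.168.1.1). BIND's own query log does not record answers, so a
# real deployment would take these from a resolver that logs them.
DNS_ANSWERS = """\
2011-06-22 22:40:01 client 192.168.1.1 query ntp1.example.net A -> 192.0.2.10
2011-06-22 22:40:01 client 192.168.1.1 query ntp2.example.net A -> 192.0.2.11
"""

# Constructed sample: netfilter-style log lines for UDP/123 flows leaving the router.
NTP_FLOWS = """\
IN=eth0 OUT=eth1 SRC=192.168.1.1 DST=192.0.2.10 PROTO=UDP SPT=123 DPT=123
IN=eth0 OUT=eth1 SRC=192.168.1.1 DST=178.63.64.14 PROTO=UDP SPT=123 DPT=123
IN=eth0 OUT=eth1 SRC=192.168.1.1 DST=109.75.190.27 PROTO=UDP SPT=123 DPT=123
"""

ANSWER_RE = re.compile(r"client (\S+) query (\S+) A -> (\S+)")
FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=UDP .*DPT=123")


def resolved_by_client(answer_log):
    """Map client IP -> set of A-record addresses the resolver handed to it."""
    seen = defaultdict(set)
    for line in answer_log.splitlines():
        m = ANSWER_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(3))
    return seen


def unexplained_ntp_destinations(answer_log, flow_log):
    """Return {client: sorted NTP destinations that no DNS answer explains}."""
    resolved = resolved_by_client(answer_log)
    findings = defaultdict(set)
    for line in flow_log.splitlines():
        m = FLOW_RE.search(line)
        if m and m.group(2) not in resolved.get(m.group(1), set()):
            findings[m.group(1)].add(m.group(2))
    return {client: sorted(dsts) for client, dsts in findings.items()}


if __name__ == "__main__":
    for client, dsts in unexplained_ntp_destinations(DNS_ANSWERS, NTP_FLOWS).items():
        print(f"{client}: NTP to {', '.join(dsts)} without a matching DNS answer")
```

Flows to 192.0.2.10 are accepted because the resolver returned that address; the two hardcoded destinations show up as unexplained, which is the symptom to look for before deciding between the options above.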