Article delegate-en/1301 of [1-5169] on the server localhost:119
[Reference:<_A1295@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: delegate and dialup (DELAY)
23 Aug 2001 11:28:52 GMT Thomas Bott <pbucqbdyi-5sbstgfvvwxr.ml@ml.delegate.org>


Hi again!

Our network consists of a gateway-server running several delegate proxies and
an internal intranet-server running bind-xxx. For security issues the
gateway-server contacts the internal dns-server. If the internal dns-server
can't resolve the query, it contacts the delegate-dns-proxy running on the
gateway-server which forwards the query to an external dns-server.
In addition an SMTP delegate-proxy is running on the gateway that relays all
incoming email (internal) directly to the smtp-server of the destination domain.
The problem we're facing is as follows:

- eMail that is sent to an existing domain (valid DNS and MX-record) is relayed
correctly
- eMail that is sent to an unknown domain (no DNS and MX-record or timeout)
isn't relayed correctly.
In this case the delegate dns-proxy tries to resolve the domain-name
[foobar.de] unsuccessfully. Then it appends the internal domain-name that is an
unofficial subdomain [intranet.domain.de] of our existing second-level domain
[domain.de]. The resulting query for the MX-record is
"foobar.de.intranet.domain.de" which is interpreted as a subdomain of our
second level domain. Therefore all eMail to domains with no dns-record or a
dns-timeout will be sent to our ISP.

To make it short, a DNS-MX query by using "nslookup" returns the IP of our ISP,
even for nonexisting domains.


Schematic of our network and dial-up connection.

/------------\          /--------------\          /----------------------\
|  internet  |   <->    |   gateway    |   <->    |   intranet-server    |
\------------/          \--------------/          \----------------------/

We've tested the following combinations: 

TYPE1: 
DNS-query [www.foo.bar] on "gateway":  
gateway -> intranet-server [bind] -> gateway [delegate-dns-proxy] -> internet
[external bind]  -> gateway [delegate-dns-proxy] -> intranet-server [bind] ->
gateway

TYPE2:
DNS-query [www.foo.bar] on "gateway":  
gateway -> intranet-server [bind] -> gateway [MASQ] -> internet [external bind]
-> gateway [MASQ] -> intranet-server [bind] -> gateway

TYPE3:
DNS-query [www.intranet.domain.de] on gateway: 
gateway -> intranet-server [bind] -> gateway

We've tested several combinations and each time we're using the delegate
DNS-proxy with a nonexisting domain name, the bogus MX-record is returned.

The Delegated DNS-config:
 /usr/local/bin/delegated -S  OWNER=delegate ADMIN=root@domain..de
TIMEOUT=restart:2h DGROOT=/var/spool/delegate TIMEOUT=shutout:5s
AUTH=admin:*:root -P53 SERVER=dns RESOLV=cache,dns
RES_NS=195.226.96.132,195.226.96.131 HOSTS=gateway.intranet.domain.de/127.0.0.1&


Regards,

Thomas Bott, Christian Rost
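The search-list behaviour the post describes, as an added example that is not part of the original message or of DeleGate: a simulated stub resolver appends the search domain to a name that did not resolve, the retried MX query hits the intranet zone, and a check flags the answer as suffix-appended. The zone data, the search list and the ISP mail host name are constructed assumptions.

```python
# Simulated stub resolver with a resolv.conf-style search list. The zone below
# is constructed for this example (assumption): the internal zone carries a
# wildcard MX, so any name ending in the search suffix gets the ISP's mail host.
ZONE_MX = {
    "example-valid.de.": "mx.example-valid.de.",       # a real external domain
    "*.intranet.domain.de.": "mail.isp.example.",       # wildcard under the intranet zone
}

def lookup_mx(name):
    """Return the MX target for an absolute name (exact match, then wildcard), else None."""
    name = name if name.endswith(".") else name + "."
    if name in ZONE_MX:
        return ZONE_MX[name]
    for pattern, target in ZONE_MX.items():
        # "*.zone." matches any name strictly below "zone."
        if pattern.startswith("*.") and name.endswith(pattern[1:]) and name != pattern[2:]:
            return target
    return None

def candidate_names(name, search_list, ndots=1):
    """Names a resolver tries, in order: an absolute name (trailing dot) is tried
    verbatim only; otherwise the search suffixes are appended, before or after the
    verbatim attempt depending on how many dots the name already has (ndots)."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{d}." for d in search_list]
    if name.count(".") >= ndots:
        return [name + "."] + suffixed
    return suffixed + [name + "."]

def resolve_mx(name, search_list, ndots=1):
    """Return (name_that_answered, mx_target) for the first candidate with an MX,
    or (None, None) when no candidate resolves."""
    for cand in candidate_names(name, search_list, ndots):
        mx = lookup_mx(cand)
        if mx is not None:
            return cand, mx
    return None, None

def suffix_appended(asked, answered, search_list):
    """True when the answering name is the asked name plus a search suffix: the
    answer then describes an internal name, not the external domain the mail is for."""
    if answered is None or asked.endswith("."):
        return False
    return any(answered == f"{asked}.{d}." for d in search_list)
```

Querying the absolute form "foobar.de." (trailing dot) skips the search list entirely, which is the behaviour a mail relay needs when it looks up an MX for a destination domain.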
