4 Replies Latest reply on Feb 2, 2015 7:41 AM by trishoar

    Use MWGs named from inside

    bornheim

      Hi,


      I got this system inside my network which insists on talking to a DNS server to resolve some external addresses.


      I would like to offer MWG's named, but it has "listen-on port 53 { 127.0.0.1; };" configured, so it can't be reached from the network.


      Also, MWG's port forwarding mechanism is limited to TCP (this actually is xinetd's limitation), so I can't simply forward the traffic.


      If I mess with /etc/named.conf: will this change be persistent over MWG updates?


      Kind regards,

      Robert

        • 1. Re: Use MWGs named from inside

          The manual changes you make will not be preserved when you hit the save changes on MWG's GUI.

          Every time you save, the underlying named.conf gets re-written to reflect what the GUI has set.

          This is not going to be workable. You need a real DNS forwarder on another server.

          Something simple like dnsmasq might work, or any of the open-source servers.

          • 2. Re: Use MWGs named from inside

            If the application is only looking for a couple of domains, you could have the primary DNS server have a zone to spoof that individual domain and return the desired IP address, or you can have that zone be a conditional forwarder to the internet to return the real IP addresses, depending on the desired results.

            • 3. Re: Use MWGs named from inside
              bornheim

              Hi,


              thanks for your quick answer. Fortunately I "found" another system in the border network I can use as DNS forwarder.


              Nonetheless I would like to encourage McAfee to rethink this topic. Actually MWG would become a perfect DNS forwarder by deleting 3 lines from /etc/named.conf:

              • listen-on port 53 { 127.0.0.1; };
              • listen-on-v6 port 53 { ::1; };
              • allow-query {localhost;};


              Kind regards,

              Robert
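
              As an added illustration (not from any poster in this thread, and not MWG's own /etc/named.conf): a minimal BIND named.conf for the separate forwarder that reply 1 recommends, showing the conditional-forwarder zone and the local-override zone from reply 2. Instead of simply dropping the listen-on and allow-query lines listed above, it keeps queries and recursion limited to the internal network so the box does not become an open resolver. All addresses, names and file paths are placeholders.

```conf
// Hypothetical named.conf for an internal forwarder on a separate host.
// 10.0.0.0/24 is the internal network, 10.0.0.10 this host's internal
// address, 192.0.2.53/54 are placeholder upstream resolvers.
acl internal { 10.0.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    // Listen on loopback and the internal interface only.
    listen-on port 53 { 127.0.0.1; 10.0.0.10; };
    listen-on-v6 port 53 { ::1; };
    // Only internal clients may query or recurse; leaving allow-query
    // unrestricted would turn this into an open resolver.
    allow-query { internal; };
    allow-recursion { internal; };
    // Everything not matched by a zone below goes to the upstream resolver.
    forwarders { 192.0.2.53; };
    forward only;
};

// Conditional forwarder: names under example.net are resolved by a
// different server than the default upstream.
zone "example.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.54; };
};

// Local override ("spoof") of a single name: this host is authoritative
// for it and returns the address in the zone file.
// app.example.com.zone (placeholder) would contain, for example:
//   $TTL 300
//   @   IN SOA  ns1.example.com. hostmaster.example.com. (1 3600 900 604800 300)
//   @   IN NS   ns1.example.com.
//   @   IN A    10.0.0.20
zone "app.example.com" {
    type master;
    file "app.example.com.zone";
};
```

              Run named-checkconf on the file before starting the service; a zone listed here without its zone file present will fail to load.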

              • 4. Re: Use MWGs named from inside
                trishoar

                Hi Eric,


                That's not entirely correct. I've made changes to the file /var/named/chroot/etc/named.conf.mwg and find that it is persistent until we do a service mwg restart.

                I'm doing this as I am redirecting Google to a different DNS server (it was the easiest way to get forcesafesearch.google.com working without a DNS server that supports RPZ), since there are 199 domains for Google and I'm not going to enter all of them by hand onto 10+ servers in the conditional DNS forwarding list.


                Tris