Firewall Wizards mailing list archives

Re: DNS query


From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 24 Aug 1999 11:19:47 -0700 (PDT)


--- Sandy Green <sand232 () yahoo com> wrote:
> I wanted to know how to go about the DNS configuration in the
> following scenario.
>
>     INTERNET
>           |
>      firewall
>           |
>       Network 1
>          |
>      Network 2
>
> Network 1 consists of registered IP addresses,
> while Network 2 consists of 10.x.x.x addresses.
> Network 2 has its own DNS server and entries.
>
> The question is that I want the hosts in Network 2 to be able to resolve
> Internet domain names, so please let me know where and how to
> go about the DNS configuration.
> Please note that the Network 1 IP addresses do not have a domain name.
> They are just plain hosts with registered IP addresses, so presently
> the hosts in the network are pointing at a host on the Internet for name
> resolution.
>
> Please email me your replies.

There are a lot of routing issues that you haven't discussed, but I will assume
that Net2 and Net1 can route with each other. The simplest solution is to set up
a DNS server on Net1, and point all your Net2 machines at it. In fact, you
should really be pointing your Net1 clients at it, too. There are a number of
DNS hacks that probably aren't being caught or logged by your firewall that can
be done against clients, so you probably want to localize all such traffic to a
single DNS server running the latest version of software. You also get the
benefit/harm of caching the DNS responses (caching often will increase response
time, but you really want to set your cache timeout to be low in order to be
responsive to Internet changes).

Also remember to set up "split DNS", which simply means that anybody doing a
Zone Transfer on an externally visible DNS server should not be able to see any
internal objects, including those on the 10.x.x.x networks. (Of course, some
people like to falsify such information for intrusion detection purposes, but
that's a different matter).

Rob.
===
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
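The split-DNS point in Rob's reply is easy to state and easy to get wrong in practice: the externally visible zone quietly accumulates records for internal hosts. Below is an added example (not code from the original post or from either poster) that audits a BIND-style zone file for exactly that: A/AAAA records in RFC 1918 or IPv6 unique-local space, and CNAME chains that alias such a record. The sample zone, the example.com name, the 198.51.100.0/24 block standing in for Net1's registered addresses and the hostnames are all constructed for the demo.

```python
"""Audit an externally visible zone for records that split DNS should keep internal.

Added example, not code from the original post. Assumes a BIND-style zone file;
the sample zone below is constructed, and only the A/AAAA/CNAME/NS record shapes
shown in it are parsed.
"""
import ipaddress
import re

# Constructed sample: the public zone with internal records copied in by mistake.
# 198.51.100.0/24 (documentation space) stands in for Net1's registered
# addresses; Net2 is 10.x.x.x as in the thread.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA   ns1 hostmaster (2024010101 3600 900 604800 300)
@           IN  NS    ns1
ns1         IN  A     198.51.100.10
www     600 IN  A     198.51.100.20
mail        IN  A     198.51.100.25
; everything below belongs on the internal (Net2) server only
fileserver  IN  A     10.1.2.3
intranet    IN  CNAME fileserver
printer     IN  A     10.1.2.50
wiki        IN  CNAME intranet
"""

# Address space that must never appear in answers served to the Internet
# (RFC 1918 plus IPv6 unique-local). ip_address(...).is_private is deliberately
# not used: it also flags documentation ranges such as 198.51.100.0/24, which
# would produce false positives on the sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# owner [ttl] [class] type rdata -- enough for the record shapes in the sample
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>A|AAAA|CNAME|NS)\s+(?P<rdata>\S+)")


def qualify(name, origin):
    """Turn a relative owner or target name into a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata) triples with all names fully qualified."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                   # $TTL, $INCLUDE, ...: ignored
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                               # SOA, MX, TXT, ...: not audited
        rdata = m["rdata"]
        if m["type"] in ("CNAME", "NS"):
            rdata = qualify(rdata, origin)
        records.append((qualify(m["name"], origin), m["type"], rdata))
    return records


def is_internal(addr_text):
    """True if the text is an IP address inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_leaks(zone_text):
    """Map each leaking owner name to the reason it must not be served externally."""
    records = parse_zone(zone_text)
    leaks = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and is_internal(rdata):
            leaks[owner] = f"{rtype} {rdata} is internal address space"
    # A CNAME that aliases a leaking name leaks it too; chase chains to a fixed point
    changed = True
    while changed:
        changed = False
        for owner, rtype, rdata in records:
            if rtype == "CNAME" and owner not in leaks and rdata in leaks:
                leaks[owner] = f"CNAME to {rdata}, which leaks ({leaks[rdata]})"
                changed = True
    return leaks


if __name__ == "__main__":
    for owner, why in sorted(find_leaks(SAMPLE_ZONE).items()):
        print(f"{owner:28} {why}")
```

Run it against the zone file you load onto the external server before every reload; an empty result is the condition Rob describes, where a zone transfer (or any query) against the external server reveals nothing about the 10.x.x.x side. The check is a heuristic on the zone data only: it does not prove the server refuses AXFR to the world, which is a separate server-configuration matter.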


