Firewall Wizards mailing list archives
Re: DNS behind a firewall with multiple domains?
From: Leonard Miyata <leonard () geminisecure com>
Date: Fri, 12 Mar 1999 16:48:13 -0800 (PST)
Have you considered setting up a DNS BIND server with records of your internal networks and a forwarder to your firewall or a DNS server on your DMZ? According to the 'Grasshopper' book (DNS and BIND, 2nd Edition, O'Reilly & Associates, Inc.), the internal records will always have priority over the forwarder directive.... Using the 'slave' directive will prevent BIND from doing non-local lookups from any other DNS server, other than the forwarder....

Personal Opinion Provided By Leonard Miyata aka leonard () geminisecure com
GEMINI COMPUTERS INC.

On Fri, 12 Mar 1999, Joseph S D Yao wrote:
Behind our firewall(s), we have multiple domains with no common root (e.g., some are *.gov, some are *.mil). Each domain has its own name server, but there can be no single authoritative name server.

We had been running a DNS server on a bastion host. Each domain's name server was forward-only to that server. That server allowed glue records, and had pointers back to the local name servers. So, it could resolve everything both inside the firewall and outside.

We are now going over to a vendor-managed firewall service. Don't read me the reasons against this: it's worse than you think. If we have a need that they don't have a script for, we have to figure out how to do it, and then get charged for them doing it. But this was Mandated From On High. Other than that, in all fairness, the normal service is good. The loss of control over data security was accepted as a reasonable business risk.

DNS is such a need. This particular brand of firewall runs a DNS proxy, 'dnsd', that maintains no DNS records itself - it just passes on queries and caches the answers. We haven't moved our DNS over to it, but it's part of the mandate to do so. So I have to figure out how.

The problem: we need a name server that will accept queries, recurse on those for which it has LOCAL records for name servers, and forward the rest to the firewall. This doesn't seem to be a normal configuration for either BIND 4 or BIND 8 [with which I don't have a lot of experience yet].

We don't want the - necessarily internal - DNS server going off and recursing to a name server outside the firewall: it won't get there. We don't want it forwarding all of its queries to the firewall: they would then get sent outside, where they would never get resolved. (The firewall's limit on number of name servers it can remember is far less than the number of internal domains.)

Thanks.

-- Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-A/B
-----------------------------------------------------------------------
PLEASE ... send or Cc: all "COSPO/OSIS Computer Support" mail to sys-adm () cospo osis gov
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
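An added example, not part of either message above, of the split configuration Leonard describes and Joe is asking for: an internal resolver that answers its own zones from local data, routes other internal domains to the name servers that hold them, and sends everything else to the firewall's DNS proxy. It is written in BIND 9 named.conf syntax (which postdates this 1999 thread; BIND 9 per-zone `type forward` zones are the feature that makes the "many unrelated internal roots" case clean). Every address, zone name and file name is a made-up placeholder.

```conf
// Added example (BIND 9 named.conf), not from the original thread.
// Goal: keep local lookups local, forward everything else to the firewall,
// and never recurse to the Internet directly (it would not get there anyway).
// All addresses, zone names and file names below are made-up placeholders.

options {
    directory "/var/named";

    // Only serve the inside. A resolver behind the firewall is still an
    // open resolver to anyone who can reach it, so restrict both query
    // and recursion to internal address space.
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };

    // Global default: any name not covered by a zone statement below goes
    // to the firewall's DNS proxy and nowhere else. 'forward only' is the
    // BIND 8/9 counterpart of the old BIND 4 'slave' boot directive that
    // Leonard mentions: with it, named never walks the roots itself.
    forward only;
    forwarders { 192.0.2.1; };   // placeholder: firewall / dnsd address
};

// Zones this server is authoritative for are answered from local data.
// Authoritative data always wins over the forwarders; the firewall never
// sees these queries.
zone "agency.example.gov" {
    type master;
    file "agency.example.gov.zone";
};

// A domain held by a different internal name server (no common root with
// the one above). A per-zone forward zone overrides the global forwarders,
// so the query is routed inside rather than out through the firewall.
// Repeat this block per internal domain; the firewall only ever needs to
// know about this one resolver, not about every internal name server.
zone "unit.example.mil" {
    type forward;
    forward only;
    forwarders { 10.20.30.4; };  // placeholder: that domain's internal NS
};

// Reverse zones for internal ranges need the same treatment, otherwise
// PTR lookups for RFC 1918 space leak to the outside and never resolve.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.20.30.4; };
};
```

Check the file with `named-checkconf` before loading it. Note the failure mode of `forward only`: if a listed forwarder is unreachable, the zone's queries fail with SERVFAIL instead of falling back to root recursion, which is exactly the behaviour wanted here (a fallback would just send the query to a place it cannot reach), but it does mean the internal name servers and the firewall proxy become hard dependencies for resolution.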
Current thread:
- DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 12)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 13)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 16)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 13)
- Re: DNS behind a firewall with multiple domains? Don Turnbull (Mar 13)
- Re: DNS behind a firewall with multiple domains? Tim Kramer (Mar 15)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Bennett Todd (Mar 17)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 17)
- Re: DNS behind a firewall with multiple domains? Tim Kramer (Mar 15)
- <Possible follow-ups>
- RE: DNS behind a firewall with multiple domains? Burgess, John (EDS) (Mar 19)