Firewall Wizards mailing list archives
DNS behind a firewall with multiple domains?
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Fri, 12 Mar 1999 15:12:26 -0500 (EST)
Here's a bread-and-butter question, with a twist. I'm surprised if our configuration is really unique; so I'm wondering if what I'm about to try has been done before.

Behind our firewall(s), we have multiple domains with no common root (e.g., some are *.gov, some are *.mil). Each domain has its own name server, but there can be no single authoritative name server.

We had been running a DNS server on a bastion host. Each domain's name server was forward-only to that server. That server allowed glue records, and had pointers back to the local name servers. So, it could resolve everything both inside the firewall and outside.

We are now going over to a vendor-managed firewall service. Don't read me the reasons against this: it's worse than you think. If we have a need that they don't have a script for, we have to figure out how to do it, and then get charged for them doing it. But this was Mandated From On High. Other than that, in all fairness, the normal service is good. The loss of control over data security was accepted as a reasonable business risk.

DNS is such a need. This particular brand of firewall runs a DNS proxy, 'dnsd', that maintains no DNS records itself - it just passes on queries and caches the answers. We haven't moved our DNS over to it, but it's part of the mandate to do so. So I have to figure out how.

The problem: we need a name server that will accept queries, recurse on those for which it has LOCAL records for name servers, and forward the rest to the firewall. This doesn't seem to be a normal configuration for either BIND 4 or BIND 8 [with which I don't have a lot of experience yet]. We don't want the - necessarily internal - DNS server going off and recursing to a name server outside the firewall: it won't get there. We don't want it forwarding all of its queries to the firewall: they would then get sent outside, where they would never get resolved. (The firewall's limit on number of name servers it can remember is far less than the number of internal domains.)

We have been running BIND 4.9.7. We are running it because we have a way to use the glue records with it on the old firewalls, and the people working on that hadn't figured out how to use BIND 8 to get the same effect. For my part, I can't see how to use either BIND 4 or BIND 8 to get the new effect, so I am set to modify BIND 4 [which I've modified before] to allow a command to forward only if a query is not local, and to recurse on "local" queries.

Has anyone had a configuration like this before? Does anyone know of a way to subvert, excuse me, use BIND to do what we need to do?

Thanks.

--
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-A/B
-----------------------------------------------------------------------
PLEASE ... send or Cc: all "COSPO/OSIS Computer Support" mail to sys-adm () cospo osis gov
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
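The split-resolution setup asked for above (recurse locally for the internal domains, forward everything else to the firewall's DNS proxy) can be expressed in BIND 9 named.conf syntax, which postdates this thread; this is an added editorial example, not configuration from the poster or the vendor. All addresses and domain names are placeholders: 10.0.0.1 stands for the firewall's 'dnsd', 10.1.0.0/16 and 10.2.0.0/16 for the internal networks, 10.1.1.53 and 10.2.1.53 for the per-domain internal name servers, and example.gov / example.mil for two of the internal domains.

```conf
// Added example (not from the original thread): BIND 9-style named.conf for an
// internal resolver that recurses for locally known domains and forwards
// everything else to the firewall's DNS proxy. All values are placeholders.

options {
    directory "/var/named";
    recursion yes;
    // Only internal clients may query or recurse through this server, so it
    // cannot be used as an open resolver from the outside.
    allow-query     { 10.1.0.0/16; 10.2.0.0/16; 127.0.0.1; };
    allow-recursion { 10.1.0.0/16; 10.2.0.0/16; 127.0.0.1; };
    // Default for every name not covered by a zone below: hand the query to
    // the firewall proxy and never try to reach the Internet roots directly,
    // which would fail behind the firewall anyway.
    forward only;
    forwarders { 10.0.0.1; };
};

// One zone statement per internal domain. "type stub" holds only the NS and
// glue records for the domain, fetched from the internal server listed in
// "masters". The empty "forwarders" list overrides the global "forward only"
// for this zone, so the server recurses to the internal name servers for
// these names instead of sending them to the firewall, where they would
// never be resolved.
zone "example.gov" {
    type stub;
    file "stub.example.gov";
    masters { 10.1.1.53; };
    forwarders { };
};

zone "example.mil" {
    type stub;
    file "stub.example.mil";
    masters { 10.2.1.53; };
    forwarders { };
};

// Reverse zones for the internal address space get the same treatment, so PTR
// lookups for internal hosts also stay inside the firewall instead of leaking
// internal addresses to the proxy.
zone "1.10.in-addr.arpa" {
    type stub;
    file "stub.1.10.in-addr.arpa";
    masters { 10.1.1.53; };
    forwarders { };
};
```

Because the firewall proxy is only ever asked about names outside the stub zones, the number of internal domains no longer depends on how many name servers the firewall can remember.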
Current thread:
- DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 12)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 13)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 16)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Leonard Miyata (Mar 13)
- Re: DNS behind a firewall with multiple domains? Don Turnbull (Mar 13)
- Re: DNS behind a firewall with multiple domains? Tim Kramer (Mar 15)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 16)
- Re: DNS behind a firewall with multiple domains? Bennett Todd (Mar 17)
- Re: DNS behind a firewall with multiple domains? Joseph S D Yao (Mar 17)
- Re: DNS behind a firewall with multiple domains? Tim Kramer (Mar 15)
- <Possible follow-ups>
- RE: DNS behind a firewall with multiple domains? Burgess, John (EDS) (Mar 19)