Re: DNS records for a firewall NAT pool

[Barney Wolff <barney () databus com>]

On Mon, Jul 28, 2003 at 02:51:42PM -0700, Pollock, Joseph wrote:
> What DNS records are appropriate for addresses in a firewall NAT pool?
>
> We have long provided dummy PTR records for the addresses to deal with
> software that does a reverse lookup.  We have not configured matching A
> records, feeling it was inappropriate and likely in conflict with, for
> example, RFC 2182, since the hosts are not directly reachable.
>
> We are suddenly faced with a researcher who cannot connect to a well-known
> database.  The site tells me they use TCPWrappers in a manner that requires
> matching forward and reverse lookups to pass the connection on to the
> server.
>
> We could, of course, configure a static NAT entry for the two hosts
> required; my management prefers to not do this for a variety of reasons.
>
> What are the implications of populating our DNS server with matching dummy A
> records for all of our firewall pool? 

There are no security risks.  The name the PTR points to merely has to
map back to the IP.  It does not have to match what the host thinks
of as its own name.  It does not have to have an MX record, just an A.
It does not have to add any information not already in the IP address.
For example, 66.114.72.185 -> p72-185.acedsl.com -> 66.114.72.185 , done
by my ISP.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards