Tally wrote:
> 
> here is the configuration:
> 
>     INTERNET
>       |
>     FIREWALL------DMZ----[dns,www,ftp servers]
>       |
>      CO. Network
> 
> The DNS is in the DMZ, and this DNS is to have the
> entries for www, ftp and the firewall external IP
> address facing the Internet.
> 
> OK, how is this DNS to be configured?
> ALL HOSTS in the DMZ are to be hidden behind the
> firewall, so we have just one IP address, which is
> for the world. All others are hidden and NATed.

One missing piece from the above is what firewall product you are using.
A proxy will do this, but most include split DNS so you can run
internal/external right on the box itself. An external DNS server is not
required (except to maybe meet InterNIC requirements for 2 servers per
domain).

What you are really talking about doing is Port Address Translation
(PAT), not NAT. Depending on the implementation this may give you
trouble as typically a translation device will change the source port
number. If your DNS is talking to a non-recursive DNS server, the server
will expect both the source and destination ports to be 53. If the
source port has been changed to something else, the server will refuse
connection. This means you would be unable to resolve hosts in about
5%-10% of the domains on the Internet (apple.com is a good example).

So the real question is, what are you using for a firewall?

Cheers,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
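The two mechanisms Chris's reply turns on, split DNS (one name, different answers for inside and outside queriers) and the PAT source-port rewrite that a strict upstream server may refuse, are easier to see in a simulation. The following is an added example, not code from the thread or from any firewall product; the addresses, zone contents and the "refuse unless source port is 53" server behaviour are assumptions constructed to match the post's description, using RFC 5737 documentation ranges.

```python
"""Simulation of the two DNS behaviours described in the thread:
split-horizon ("split DNS") answers and the PAT source-port problem.
Constructed example; addresses are from the RFC 5737 documentation ranges."""
from dataclasses import dataclass, replace
import ipaddress
import struct

# --- assumed environment (not from the post) ---
FIREWALL_PUBLIC_IP = "198.51.100.1"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # company LAN and DMZ

# Split DNS: one name, two answers depending on who asks.
ZONE_VIEWS = {
    "internal": {"www.example.com.": "10.1.0.10", "ftp.example.com.": "10.1.0.11"},
    "external": {"www.example.com.": FIREWALL_PUBLIC_IP, "ftp.example.com.": FIREWALL_PUBLIC_IP},
}
# Constructed zone held by a strict authoritative server out on the Internet.
UPSTREAM_ZONE = {"www.example.net.": "192.0.2.10"}


def select_view(client_ip: str) -> str:
    """Pick the view the way a split-DNS server does: by the querier's address."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def split_horizon_answer(client_ip: str, name: str):
    return ZONE_VIEWS[select_view(client_ip)].get(name)


def build_query(txid: int, name: str) -> bytes:
    """Minimal DNS wire-format query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN.
    Flags are zero (RD=0), the iterative query a server sends to an upstream."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_question(msg: bytes):
    """Return (txid, qname, qtype) from a query; no name compression in a question."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, ".".join(labels) + ".", qtype


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class PatDevice:
    """Port Address Translation: many inside hosts share one public address and
    are told apart by a rewritten source port.  With preserve_port_53 the device
    leaves a source port of 53 alone while that slot is free (a static mapping)."""

    def __init__(self, public_ip: str, preserve_port_53: bool = False):
        self.public_ip = public_ip
        self.preserve_port_53 = preserve_port_53
        self.table = {}          # translated port -> (inside ip, inside port)
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        if self.preserve_port_53 and pkt.src_port == 53 and 53 not in self.table:
            new_port = 53
        else:
            new_port, self.next_port = self.next_port, self.next_port + 1
        self.table[new_port] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=new_port)


def strict_authoritative_server(pkt: Packet):
    """Models the behaviour the post describes: an authoritative (non-recursive)
    server that only accepts queries whose source and destination port are 53."""
    if pkt.dst_port != 53 or pkt.src_port != 53:
        return None                      # query refused, no reply at all
    txid, name, _ = parse_question(pkt.payload)
    return {"txid": txid, "name": name, "answer": UPSTREAM_ZONE.get(name)}


def resolve_through_pat(preserve_port_53: bool):
    """The DMZ DNS server (10.1.0.2, assumed) queries upstream through the firewall."""
    pat = PatDevice(FIREWALL_PUBLIC_IP, preserve_port_53)
    query = Packet("10.1.0.2", 53, "192.0.2.53", 53, build_query(0x1234, "www.example.net."))
    return strict_authoritative_server(pat.outbound(query))


if __name__ == "__main__":
    print(split_horizon_answer("10.0.5.7", "www.example.com."))      # 10.1.0.10
    print(split_horizon_answer("203.0.113.9", "www.example.com."))   # 198.51.100.1
    print(resolve_through_pat(False))                                # None: source port became 1024
    print(resolve_through_pat(True))                                 # answer 192.0.2.10
```

Running it shows the internal querier getting the RFC 1918 DMZ address while the outside querier only ever learns the firewall's public address, and the same upstream lookup failing through plain PAT but succeeding once the translation device preserves source port 53. One caveat for anyone applying this today: pinning a resolver's outbound source port to 53 removes the source-port randomization that defends against cache poisoning (RFC 5452), so the static mapping shown here should be treated as the era-specific workaround the post describes, not a general recommendation.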