On 9-Apr-99 at 16:09, Tally ([EMAIL PROTECTED]) wrote:
> here is the configuration:
>
> INTERNET
>     |
> FIREWALL------DMZ----[dns,www,ftp servers]
>     |
> CO. Network
>
> The DNS is in the DMZ, and this DNS is to have the
> entries for www, ftp and the firewall external IP
> address facing the internet.
>
> OK, how is this DNS to be configured?
> ALL HOSTS in the DMZ are to be hidden behind the
> firewall, so we have just one IP address which is
> for the world. All others are hidden and NATed.
>
> please email me asap
>
Make sure your DNS is configured to not do zone transfers
to the outside world. In addition, this is a bit of a
nuisance, however...
Add an entry for every NAT address you will be using from
the inside. I.e. if it is going to look from the outside
like you have a class C, then add 254 entries with made-up
names. Make sure you put reverses in for each of these.
If you don't do the second, when someone inside hits some
of the FTP sites, or they hit sites dealing with crypto,
they will be refused.
Let's see, you should also turn off request forwarding
to the outside world. Someone at www.isp.joe.com should
not be using your machine to look up yahoo.com if your
machine is dns.bogus.org.
Read the documentation with your version of DNS (and
hopefully you are installing a recent unix version of
bind); it should go into the whys and wherefores of
what I have mentioned, along with some things I am
probably missing.
Roger Books
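The two pieces of advice above (restrict transfers and recursion; give every NAT address a forward name and a matching reverse), worked through as an added example that is not part of the original message. The public block 192.0.2.0/24, the domain dns.bogus.org, the inside network 10.0.0.0/8 and the nat-N naming pattern are constructed for the example; the options block uses BIND 9 syntax.

```python
import ipaddress


def nat_pool_records(network, domain, prefix="nat", ttl=3600):
    """Build zone-file lines for every usable address in `network`:
    one A record with a made-up name and one matching PTR record.
    Returns (forward_lines, reverse_lines)."""
    net = ipaddress.ip_network(network)
    forward, reverse = [], []
    for addr in net.hosts():  # skips network and broadcast: 254 hosts for a /24
        name = f"{prefix}-{str(addr).rsplit('.', 1)[1]}.{domain}."
        forward.append(f"{name}\t{ttl}\tIN\tA\t{addr}")
        reverse.append(f"{addr.reverse_pointer}.\t{ttl}\tIN\tPTR\t{name}")
    return forward, reverse


def paranoid_check(ip, forward, reverse):
    """Emulate the reverse-then-forward lookup a strict FTP server does:
    PTR for ip -> name, then the A records for name must contain ip.
    Returns True when the client would be accepted, False when refused."""
    a_records = {}
    for line in forward:
        name, _ttl, _cls, _rtype, rdata = line.split("\t")
        a_records.setdefault(name, set()).add(rdata)
    ptr_records = {}
    for line in reverse:
        owner, _ttl, _cls, _rtype, rdata = line.split("\t")
        ptr_records[owner] = rdata
    owner = ipaddress.ip_address(ip).reverse_pointer + "."
    name = ptr_records.get(owner)
    return name is not None and ip in a_records.get(name, set())


# Constructed named.conf fragment (BIND 9 syntax); 'trusted' is the inside network.
NAMED_CONF_OPTIONS = """\
acl trusted { 10.0.0.0/8; 127.0.0.1; };
options {
    allow-transfer  { none; };     // no zone transfers to the outside world
    allow-recursion { trusted; };  // do not look up yahoo.com for strangers
};
"""

if __name__ == "__main__":
    fwd, rev = nat_pool_records("192.0.2.0/24", "dns.bogus.org")
    print(fwd[0])
    print(rev[0])
    print(len(fwd), "forward and", len(rev), "reverse records")
    print(paranoid_check("192.0.2.10", fwd, rev))      # True: A and PTR agree
    print(paranoid_check("192.0.2.10", fwd, rev[:5]))  # False: PTR missing, refused
    print(NAMED_CONF_OPTIONS)
```

Dropping the reverse records (second call) is exactly the case Roger describes: the forward name exists, but a server doing the reverse-then-forward check still refuses the connection.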
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]