Hi,
How about considering Hidden DNS or Split Domain Name services (firewall
acting as a virtual DNS server for the external world)?
prashanth
> -----Original Message-----
> From: Roger Books [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, April 10, 1999 5:48 AM
> To: Tally
> Cc: [EMAIL PROTECTED]
> Subject: Re: DNS in the DMZ
>
> On 9-Apr-99 at 16:09, Tally ([EMAIL PROTECTED]) wrote:
> > here is the configuration:
> >
> > INTERNET
> > |
> > FIREWALL------DMZ----[dns,www,ftp servers]
> > |
> > CO. Network
> >
> > The DNS is in the DMZ, and this DNS is to have the
> > entries for www, ftp and the firewall external IP
> > address facing the internet.
> >
> > OK, how is this DNS to be configured?
> > ALL HOSTS in the DMZ are to be hidden behind the
> > firewall, so we have just one IP address which is
> > for the world. All others are hidden and NATed.
> >
> > please email me asap
> >
>
> Make sure your DNS is configured to not do zone transfers
> to the outside world. In addition, this is a bit of a
> nuisance, however...
>
> Add an entry for every NAT address you will be using from
> the inside, i.e. if it is going to look from the outside
> like you have a class C, then add 254 entries with made-up
> names. Make sure you put reverses in for each of these.
>
> If you don't do the second, when someone inside hits some
> of the FTP sites, or sites dealing with crypto, they will
> be refused.
>
> Let's see, you should also turn off request forwarding
> to the outside world. Someone at www.isp.joe.com should
> not be using your machine to look up yahoo.com if your
> machine is dns.bogus.org.
>
> Read the documentation with your version of DNS (and
> hopefully you are installing a recent unix version of
> bind); it should go into the whys and wherefores of
> what I have mentioned, along with some things I am
> probably missing.
>
> Roger Books
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
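Roger's three points (no zone transfers, a forward and reverse entry for every NAT address, no recursion for outsiders) as a worked example; this is added code, not anything posted on the list. The bogus.org domain comes from the thread, while the 192.0.2.0/24 pool, the nat-a-b-c-d naming scheme and the named.conf fragment are constructed assumptions to illustrate the idea.

```python
"""Generate the DMZ DNS records Roger describes and the matching BIND options."""
import ipaddress

# Constructed values: the thread's example domain and a documentation-range /24
# standing in for the externally visible NAT pool (assumption, not from the post).
DOMAIN = "bogus.org"
NAT_POOL = "192.0.2.0/24"

# BIND named.conf fragment for the DMZ server (points 1 and 3 of the reply):
# refuse zone transfers to everyone and do not recurse for outside clients.
NAMED_CONF_OPTIONS = """options {
    recursion no;                 // answer only for the zones this server holds
    allow-transfer { none; };     // list your own secondaries here instead of none
};
"""


def nat_pool_records(network, domain, ttl=86400):
    """Forward A and reverse PTR records, one pair per usable host in the pool.

    Every NAT address gets a made-up name so that sites which look up the
    reverse name of a connecting client (and check it resolves back) accept it.
    """
    net = ipaddress.ip_network(network, strict=True)
    forward, reverse = [], []
    for addr in net.hosts():
        host = f"nat-{str(addr).replace('.', '-')}"  # hypothetical naming scheme
        forward.append(f"{host}.{domain}. {ttl} IN A {addr}")
        reverse.append(f"{addr.reverse_pointer}. {ttl} IN PTR {host}.{domain}.")
    return forward, reverse


def unmatched_forward(forward, reverse):
    """Names that have an A record but no PTR pointing back at them.

    An empty list means the forward and reverse data are consistent, which is
    the check a remote FTP or crypto site effectively performs on your clients.
    """
    ptr_targets = {line.split()[-1] for line in reverse}
    return [line.split()[0] for line in forward if line.split()[0] not in ptr_targets]


if __name__ == "__main__":
    fwd, rev = nat_pool_records(NAT_POOL, DOMAIN)
    print(NAMED_CONF_OPTIONS)
    print(f"; {len(fwd)} forward and {len(rev)} reverse records, "
          f"{len(unmatched_forward(fwd, rev))} without a matching PTR")
    print(*fwd[:2], *rev[:2], sep="\n")
```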