This is how we do it generally:

1) Set up your internal DNS, but in its cache (hints) file mention the firewall instead of the root servers:

    .          9999999999  IN  NS  DMZ.DNS.
    DMZ.DNS.               IN  A   xx.xx.xx.xx   ---> IP of your DNS machine in the DMZ

2) Set up a DNS in your DMZ segment. Make it authoritative for your public domain (.com etc.) but not containing any names for the intranet. If you want this machine to query your internal DNS but not serve it to the Internet, you can change its resolv.conf file to point to your internal DNS:

    domain company-name.sec
    nameserver yy.yy.yy.yy   ---> your internal DNS machine

Or you can make this change under Network / TCP/IP / Properties / DNS Search Order if you're using a Wintel machine. Then you can resolve internal names too.

If you won't serve your public domain with this server, you can set it up as a caching-only nameserver so that it can speed up name lookups located in its cache. This way you can keep your internal hosts on the W2K machine so that systems located in the intranet can query names belonging to the internal network. (We generally use the company-name.sec domain for the intranet; that is a non-existent domain, so it won't be meaningful outside your intranet.) This DNS machine can answer queries both for the intranet and the Internet by querying your DNS server in the DMZ.

Regards,
Kerem ERSOY / Sibernet

----- Original Message -----
From: "Rick Brown" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, 04 December 2001 22:00
Subject: Re: DNS in DMZ

> I guess I'm just over-thinking it! So what's the most secure way of
> allowing my internal DNS to query the ISP's DNS for internet address
> resolution? The internal DNS server is W2K.
>
> --- [EMAIL PROTECTED] wrote:
> > On 4 Dec 2001, at 10:39, Rick Brown wrote:
> >
> > > This is a little off topic but I thought you guys would be the
> > > ones to ask. I only have a mail server and a web server (for
> > > web-based email access) in my DMZ. Do I have to have a DNS server
> > > in the DMZ or can I just use my ISP's DNS? I have an internal DNS
> > > server(s). What are the drawbacks to using my ISP's DNS? I won't
> > > need to make very many DNS changes in the future so I'm not
> > > concerned with how long it takes to make a DNS update. I know the
> > > other way to go would be a split-DNS setup. Any help/advice would
> > > be greatly appreciated. Thanks.
> >
> > Who would use this DNS?
> >
> > 1. Local internals -- they can use the internal DNS, which probably
> > lists internal private machines that you don't want publicly listed
> > anyway.
> >
> > 2. The DMZ servers -- your web server, for instance, might need to
> > find an internal back-end database server. If you're not comfortable
> > letting them use the internal DNS server, give them a hosts file that
> > just lists what they need.
> >
> > 3. Outsiders trying to find your DMZ servers -- if your ISP will host
> > DNS for you, that's one less thing you need to manage locally.
> >
> > Seems like a no-brainer to me. Is there some scenario I've
> > overlooked?
> >
> > DG

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
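An added example, not part of the thread or of any poster's setup: a small Python checker for the rule in Kerem's reply that the DMZ server's public zone must carry no intranet names. It assumes a BIND-style text zone file, takes company-name.sec (from the thread) as the intranet-only suffix, and treats RFC 1918 and IPv6 ULA space as addresses that must never appear in a public zone. The zone records are constructed for the example; the 203.0.113.x addresses are documentation-range placeholders standing in for public addresses.

```python
"""Audit a public (DMZ) zone file for intranet leakage.

Added example, not from the Firewalls thread. It checks the rule from the
reply above: the DMZ nameserver is authoritative for the public domain but
must carry no intranet names or private (RFC 1918 / ULA) addresses.
Assumptions: BIND-style zone text, company-name.sec as the intranet-only
suffix (from the thread); all sample records are constructed.
"""
import ipaddress
import re

# Intranet-only domain suffixes; company-name.sec is the one the thread uses.
INTERNAL_SUFFIXES = ("company-name.sec.",)

# Address space that must never appear in a public zone.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# "owner [ttl] IN type rdata"; owner may be empty (continuation of last owner).
RECORD_RE = re.compile(
    r"^(\S*)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME|MX|NS|PTR)\s+(.+)$", re.IGNORECASE
)

# Constructed sample zone: two records leak internal information.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN  SOA   ns1.example.com. hostmaster.example.com. (2001120401 3600 900 604800 300)
@        IN  NS    ns1.example.com.
ns1      IN  A     203.0.113.10
www      IN  A     203.0.113.20
mail     IN  A     203.0.113.25
db       IN  A     10.1.2.3                     ; leak: private back-end address
intranet IN  CNAME portal.company-name.sec.    ; leak: internal-only name
"""


def is_private_address(text):
    """True if text parses as an address inside one of PRIVATE_NETS."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def fqdn(name, origin):
    """Expand a zone-file owner or target name to a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def is_internal_name(name, suffixes=INTERNAL_SUFFIXES):
    """True if name is the intranet suffix itself or lies beneath it."""
    lowered = name.lower()
    return any(lowered == s or lowered.endswith("." + s) for s in suffixes)


def audit_zone(text, suffixes=INTERNAL_SUFFIXES):
    """Return a list of findings, one per record that leaks intranet data."""
    origin = "."
    owner = "@"
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue                            # $TTL and other directives
        m = RECORD_RE.match(line)
        if not m:
            continue                            # SOA, TXT, continuation lines
        raw_owner, rtype, rdata = m.groups()
        if raw_owner:
            owner = raw_owner                   # blank owner repeats the last one
        name = fqdn(owner, origin)
        rtype = rtype.upper()
        rdata = rdata.strip()

        def flag(reason, value):
            findings.append({"line": lineno, "owner": name, "type": rtype,
                             "reason": reason, "value": value})

        if is_internal_name(name, suffixes):
            flag("internal name", name)
        if rtype in ("A", "AAAA") and is_private_address(rdata):
            flag("private address", rdata)
        elif rtype in ("CNAME", "MX", "NS", "PTR"):
            target = fqdn(rdata.split()[-1], origin)   # last token is the name
            if is_internal_name(target, suffixes):
                flag("internal name", target)
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"line {f['line']}: {f['owner']} {f['type']} -> {f['reason']} ({f['value']})")
```

Run it against the zone the DMZ server actually loads before each reload; a clean public zone returns an empty list, and any finding is a record that belongs only on the internal (company-name.sec) server or in a DMZ hosts file, as DG's reply suggests.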
