On Fri, Feb 15, 2008 at 08:25:12AM -0600, Previtera, Sal wrote:
> Question is... why would an external host need to access/query your
> internal DNS?

Badly phrased by me, sorry. It's not the internal DNS, it's an external DNS that is placed on a DMZ interface in the firewall. We will probably solve this by using the external NAT IP number in the A record for the DNS server, if that doesn't cause any problems for the server itself or its external secondaries. Initial testing seems fine. Otherwise we may have to set up a DMZ net with public IP numbers, so we can avoid using NAT for the DNS server.

Peter Olsson

> Usually, any DNS records (that you want to publish) are already
> published on your ISP DNS servers and upward from there.
>
> If you are using the Internal DNS server to forward any DNS changes to
> the ISP then I suggest your internal domain to differ from your external
> domain...while one has the external IP address on the records while the
> other has the internal one.
>
> Myexternaldomain.com vs myinternaldomain.com
>
> If it is a VPN client then, yes, it should reply with the internal IP
> address since you have a tunnel to your inside networks..
>
> I am not aware of any other way to do this thru NAT...
> but I am sure someone will reply with a better method
>
> Regards
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Olsson
> Sent: Friday, February 15, 2008 5:41 AM
> To: [email protected]
> Subject: [FW-1] Can Checkpoint firewall handle DNS through NAT?
>
> Our tests indicate that Checkpoint firewall has no support whatsoever
> for DNS through NAT. Not for zone transfers and not even for A records.
> Is this true, or am I missing something?
>
> An internal DNS server, with a static address translation in the
> firewall, gives its internal IP number in responses to AXFR and A
> queries from external hosts.
>
> I searched documentation and support but find nothing on the subject.
>
> Thanks!
>
> --
> Peter Olsson [EMAIL PROTECTED]
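The problem in this thread is that the firewall translates the IP header of the DNS server's packets but not the addresses carried inside the DNS payload, so an external querier receives the server's internal address in A records. The following is an added example (not code from the list, from Peter Olsson, or from Check Point) that shows both the check and the fix-up a practitioner would want: it parses a DNS response, lists any A answers that fall in RFC 1918 space (what an external client should never see), and rewrites RDATA matching the internal address to the NAT address, which is the application-level fix-up the poster found the firewall does not perform. The response message, the internal address 192.168.10.53 and the NAT address 203.0.113.53 are constructed sample data for the example, not values from the thread.

```python
import ipaddress
import struct

# Constructed sample data: the internal and NAT (RFC 5737 documentation range)
# addresses below are assumptions for this example, not values from the thread.
INTERNAL_IP = "192.168.10.53"
EXTERNAL_IP = "203.0.113.53"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_a_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response (one question, N A answers) as test input."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b"".join(
        b"\xc0\x0c"  # compression pointer to the question name at offset 12
        + struct.pack("!HHIH", 1, 1, 3600, 4)  # TYPE=A, CLASS=IN, TTL, RDLENGTH
        + ipaddress.IPv4Address(a).packed
        for a in answers
    )
    return header + question + rrs


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def _walk_a_records(msg):
    """Yield (rdata_offset, IPv4Address) for each A record in the answer,
    authority and additional sections; other record types are skipped by RDLENGTH."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, ipaddress.IPv4Address(msg[off:off + 4])
        off += rdlen


def extract_a_records(msg):
    """All A-record addresses in the message, as strings, in wire order."""
    return [str(ip) for _, ip in _walk_a_records(msg)]


def leaked_private_answers(msg):
    """A records in RFC 1918 space: these should never reach an external querier."""
    return [str(ip) for _, ip in _walk_a_records(msg) if any(ip in n for n in RFC1918)]


def rewrite_a_records(msg, internal_ip, external_ip):
    """Payload fix-up: replace A RDATA equal to internal_ip with external_ip.
    Returns (new_message, number_of_records_rewritten). The message length is
    unchanged, so no offsets or compression pointers need adjusting."""
    internal = ipaddress.IPv4Address(internal_ip)
    external = ipaddress.IPv4Address(external_ip).packed
    out = bytearray(msg)
    changed = 0
    for off, ip in _walk_a_records(msg):
        if ip == internal:
            out[off:off + 4] = external
            changed += 1
    return bytes(out), changed


if __name__ == "__main__":
    reply = build_a_response("ns1.example.com", [INTERNAL_IP])
    print("answers as sent:", extract_a_records(reply))
    print("leaked private: ", leaked_private_answers(reply))
    fixed, n = rewrite_a_records(reply, INTERNAL_IP, EXTERNAL_IP)
    print("after fix-up:   ", extract_a_records(fixed), "rewritten:", n)
```

To use this as a check against a real server, capture a UDP response from the DMZ DNS server as seen on the outside interface and feed the raw payload to leaked_private_answers(); a non-empty list confirms the leak the thread describes. The rewrite covers only single-message A responses; an AXFR runs over TCP, spans many records and often several messages, and would need the same substitution applied to every A record in the transferred zone, which is why publishing the NAT address in the zone data itself (the poster's chosen workaround) or placing the server on public addresses avoids the problem entirely.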
