If you want a DNS server with a private IP address to resolve the names of one or more NAT-ed services such as WWW, you must define on that DNS server a zone that uses the public (NAT-ed) IP addresses of all the services, including the NS records.

To offer name resolution to the outside using the above DNS server, you just NAT its IP and port 53/UDP (plus a firewall rule allowing access to that port) to a public one. For AXFR, add port 53/TCP to the rules and grant the zone transfer rights in the DNS configuration. Please take care with the SmartDefense DNS object: if you use the predefined DNS object port, you can create a simple one and in that case take care of security at the application level, directly on the DNS server. If you have different access from internal and external clients, you can solve the issue using views; I don't know the MS name for this functionality.

Regards,
Gabriel.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Peter Olsson
Sent: Friday, February 15, 2008 1:41 PM
To: [email protected]
Subject: [FW-1] Can Checkpoint firewall handle DNS through NAT?

Our tests indicate that Checkpoint firewall has no support whatsoever for DNS through NAT. Not for zone transfers and not even for A records. Is this true, or am I missing something?

An internal DNS server, with a static address translation in the firewall, gives its internal IP number in responses to AXFR and A queries from external hosts. I searched documentation and support but found nothing on the subject.

Thanks!

--
Peter Olsson [EMAIL PROTECTED]

Scanned by Check Point Total Security Gateway.
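The split-horizon ("views") setup Gabriel describes, written out as an added BIND 9 example that is not part of the original thread. It assumes the zone example.com, private network 10.0.0.0/8, public (NAT-ed) addresses in 203.0.113.0/24 and a secondary name server at 198.51.100.53 (RFC 5737 documentation ranges); all of these names and addresses are assumptions. The point it illustrates is that the firewall only rewrites IP headers, not the DNS payload, so the server itself must hand out the public addresses to external clients and the private ones to internal clients.

```conf
// Added example (not from the original thread): BIND 9 split-horizon
// configuration. Assumed names: zone example.com, private 10.0.0.0/8,
// public 203.0.113.0/24, secondary NS at 198.51.100.53.
// The NAT device does not rewrite A records or AXFR payloads, so the
// external view must carry the public (NAT-ed) addresses, NS records included.

acl internal-nets { 10.0.0.0/8; 127.0.0.0/8; };

options {
    directory "/var/cache/bind";
    recursion no;                // never an open resolver; granted per view below
    allow-transfer { none; };    // default: no AXFR, overridden per zone
    version none;                // do not reveal the server version externally
};

// Internal clients get the private addresses and may recurse.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    allow-recursion { internal-nets; };
    zone "example.com" {
        type master;
        file "db.example.com.internal";
    };
};

// Everyone else reaches us through the NAT (public 203.0.113.53, port 53).
// Public addresses only, no recursion, AXFR only to the secondary.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "db.example.com.external";
        allow-transfer { 198.51.100.53; };   // needs 53/TCP allowed through the firewall
        also-notify { 198.51.100.53; };
    };
};

// --- db.example.com.external (served to the world) ---
// $TTL 3600
// @       IN SOA  ns1.example.com. hostmaster.example.com. (
//                 2008021501 7200 900 1209600 3600 )
// @       IN NS   ns1.example.com.
// @       IN NS   ns2.example.com.
// ns1     IN A    203.0.113.53     ; NAT-ed address of the internal DNS server
// ns2     IN A    198.51.100.53    ; secondary, outside the firewall
// www     IN A    203.0.113.80     ; NAT-ed address of the web server
//
// --- db.example.com.internal (served to 10.0.0.0/8) ---
// $TTL 3600
// @       IN SOA  ns1.example.com. hostmaster.example.com. (
//                 2008021501 7200 900 1209600 3600 )
// @       IN NS   ns1.example.com.
// ns1     IN A    10.0.0.53
// www     IN A    10.0.0.80
```

To check it, `dig @203.0.113.53 www.example.com A +short` from an external host should return 203.0.113.80, the same query against 10.0.0.53 from inside should return 10.0.0.80, and `dig @203.0.113.53 example.com AXFR` from any host other than the secondary should be refused. The two zone files have independent serials; only the external one is ever transferred, so bump that serial whenever a public address changes. The views must be matched in the order shown, since `match-clients { any; }` would otherwise swallow the internal clients.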
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
