Some addition to my previous post: You can also use another BIND feature called "view" in such configurations. It's useful when you'd like to implement a split-DNS setup without having to run multiple DNS servers. You can find some info here http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#id2585749
wbr, Artyom Davidov

> I'm also curious why one should provide access to internal DNS
> records thru NAT, but if you'd like
> to provide access to some of your internal WEB or FTP servers to
> external clients you'll have to
> set up a Split-DNS configuration.
> I don't know if M$ or some other commercial servers can support such
> configurations, but
> ISC BIND has such capabilities. Some info and configuration examples
> can be found at http://www.isc.org/sw/bind/arm95/Bv9ARM.ch04.html#id2570613
>
> Also you always should think about security issues that can arise
> in such configurations.
>
> wbr,
> Artyom Davidov
>
> Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]
> US.CHECKPOINT.COM> 15.02.2008 17:25:12:
>
> > Question is... why would an external host need to access/query your
> > internal DNS?
> >
> > Usually, any DNS records (that you want to publish) are already
> > published on your ISP DNS servers and upward from there.
> >
> > If you are using the Internal DNS server to forward any DNS changes to
> > the ISP then I suggest your internal domain differ from your external
> > domain... one has the external IP address on the records while the
> > other has the internal one.
> >
> > Myexternaldomain.com vs myinternaldomain.com
> >
> > If it is VPN clients then, yes, it should reply with the internal IP
> > address since you have a tunnel to your inside networks..
> >
> > I am not aware of any other way to do this thru NAT...
> > but I am sure someone will reply with a better method
> >
> > Regards
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] On Behalf Of Peter
> > Olsson
> > Sent: Friday, February 15, 2008 5:41 AM
> > To: [email protected]
> > Subject: [FW-1] Can Checkpoint firewall handle DNS through NAT?
> >
> > Our tests indicate that Checkpoint firewall has no support whatsoever
> > for DNS through NAT. Not for zone transfers and not even for A records.
> > Is this true, or am I missing something?
> >
> > An internal DNS server, with a static address translation in the
> > firewall,
> > gives its internal IP number in responses to AXFR and A queries from
> > external hosts.
> >
> > I searched documentation and support but find nothing on the subject.
> >
> > Thanks!
> >
> > --
> > Peter Olsson [EMAIL PROTECTED]
> >
> > Scanned by Check Point Total Security Gateway.
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
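The split-DNS setup the thread describes (a BIND server answering with internal addresses to internal clients and with the firewall's public addresses to everyone else), as an added named.conf example that is not part of the thread or of the ISC documentation it links. Every zone name, address, ACL name and file path is an assumption made for illustration: 10.0.0.0/8 stands in for the internal network and 203.0.113.0/24 (a documentation range) for the public addresses the firewall statically NATs to.

```conf
// Added example, not from the thread or ISC: split DNS with BIND 9 views.
// All names, addresses and paths are assumptions for illustration only.
acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion no;                 // server-wide default; overridden per view
    allow-transfer { none; };     // server-wide default: no AXFR to anyone
};

// Views are matched in order; the first view whose match-clients ACL
// accepts the query's source address answers it. Queries from the
// internal network get the internal zone data (RFC 1918 addresses).
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    allow-recursion { "internal-nets"; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // e.g. www.example.com A 10.1.1.10
        allow-transfer { 10.0.0.2; };       // internal secondary only (assumed)
    };
};

// Every other source address, including external clients whose queries
// reached the server through the firewall's static NAT, gets a separate
// zone file containing only the records meant to be public, with the
// NATed addresses. This is the view an outside AXFR or A query would hit.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // e.g. www.example.com A 203.0.113.10
        allow-transfer { none; };           // no zone transfers to the outside
    };
};
```

Two caveats worth checking before relying on this. First, view selection is by the source address the DNS server sees, so it only works if the firewall translates the server's address (static NAT) and leaves the external client's source address untouched; if inbound traffic is also hide-NATed to an internal address, every query lands in the "internal" view. Second, once any view is defined, BIND requires all zones to live inside views, so the two zone files are maintained separately and the external one should never contain internal names or addresses. Validate with `named-checkconf`, then confirm from a host on each side with `dig www.example.com @<server> +short` that the answer is the 10.x address inside and the 203.0.113.x address outside, and that `dig axfr example.com @<server>` from outside is refused.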
