> > I'd suggest configuring dnscache to listen on the 64.4.197.65 IP for
> > your DMZ hosts.  You can set up a second dnscache to listen on
> > 192.168.1.254 for your internal network.  The two tinydns instances can
> > be run on loopback interfaces (there's more than just 127.0.0.1
> > available, remember...in fact, there's a whole class A) or additional
> > private IP's from your internal network (i.e. 192.168.1.253) as desired.
>
> Yes, I see the logic; but, what is wrong -- or, worse, impossible --
> with my desire to correct the underlying problem and dnscache will serve
> both networks?
>
> Since dnscache cannot be poisoned, and the answers it gathers are
> authoritative, and we can restrict the source of questions to which it
> responds, why do we need more than one (1) to serve these two (2)
> networks?

Because you didn't want DMZ systems to be able to resolve names for
private internal systems.  This requires two instances of dnscache, or
bind with multiple zones.

> Isn't this really a routing and ipchains problem?  Is there a solution
> in that context?

Yes, and there is probably an ipchains solution.  If it was me, however,
I'd probably just configure dnscache to listen to 0.0.0.0 (like you had
it already, IIRC), and tell the internal systems to use 192.168.1.254
for DNS, and your DMZ systems to use 64.4.197.65.  That should side-step
the masquerading issue, which is kind of a tricky problem to solve
cleanly, since you're basically trying to secure DMZ access to resources
on the internal network (generally a bad idea).

If you really want to stick with one IP for dnscache, it should be
64.4.197.65.  Since this is a DMZ IP address, the ipchains rules should
already be setup, since internal systems are allowed free (but
masqueraded) access to the DMZ already.  I haven't tried this with dns,
but I can ssh & snmp to any of the IP's on a firewall (including public
IP & DMZ IP) from the internal network, so I'd think dns should work
too...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
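Added example, not from this thread or from djbdns itself: a small Python model of the client check dnscache performs with its root/ip/ directory, used to show why the two-instance layout above keeps DMZ hosts away from the internal cache while a single 0.0.0.0 instance cannot. dnscache formats the client address as dotted decimal, looks for a file of that name under ip/, then strips the last ".octet" and tries again until no dots remain. The listen addresses are the ones discussed in the thread; the allowed prefixes (64.4.197 for the DMZ, 192.168.1 for the LAN) and the client addresses are constructed assumptions. It models only dnscache's own accept/reject decision, not ipchains or masquerading.

```python
# Added example: model of dnscache's ip/ client check and a split-cache plan.
# Not code from the thread or from djbdns; IP prefixes below are assumed.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


def ip_prefixes(ip: str) -> list[str]:
    """Names dnscache's okclient() would look for under ip/, in order.
    '192.168.1.10' -> ['192.168.1.10', '192.168.1', '192.168', '192']"""
    parts = ip.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]


def okclient(client_ip: str, ip_dir: set[str]) -> bool:
    """True if any dotted prefix of client_ip exists as a file in ip/."""
    return any(prefix in ip_dir for prefix in ip_prefixes(client_ip))


@dataclass
class Cache:
    name: str
    listen_ip: str                               # contents of env/IP
    ip_dir: set[str] = field(default_factory=set)  # files present in root/ip/

    def accepts(self, client_ip: str) -> bool:
        return okclient(client_ip, self.ip_dir)


def who_answers(caches: list[Cache], client_ip: str, dest_ip: str) -> Optional[str]:
    """Name of the instance that answers a query from client_ip sent to
    dest_ip, or None if no instance is bound there or the client is rejected.
    An instance bound to 0.0.0.0 receives queries on every local address."""
    for cache in caches:
        if cache.listen_ip in ("0.0.0.0", dest_ip) and cache.accepts(client_ip):
            return cache.name
    return None


# Constructed plan following the thread: one cache per network, each
# accepting only its own address range (assumed prefixes).
DMZ_CACHE = Cache("dmz", "64.4.197.65", {"64.4.197"})
LAN_CACHE = Cache("internal", "192.168.1.254", {"192.168.1"})
TWO_CACHES = [DMZ_CACHE, LAN_CACHE]

# Single instance on 0.0.0.0 that admits both networks: every client gets
# the same cache, so there is no way to give the DMZ a different view.
SINGLE_CACHE = Cache("single", "0.0.0.0", {"64.4.197", "192.168.1"})


if __name__ == "__main__":
    dmz_host, lan_host = "64.4.197.70", "192.168.1.10"   # constructed clients
    print("LAN host -> internal cache:", who_answers(TWO_CACHES, lan_host, "192.168.1.254"))
    print("DMZ host -> internal cache:", who_answers(TWO_CACHES, dmz_host, "192.168.1.254"))
    print("DMZ host -> DMZ cache:     ", who_answers(TWO_CACHES, dmz_host, "64.4.197.65"))
    print("DMZ host -> single cache:  ", who_answers([SINGLE_CACHE], dmz_host, "192.168.1.254"))
```

With two instances a DMZ client sending a query to 192.168.1.254 is rejected outright, while the single 0.0.0.0 instance answers it from the same cache the LAN uses; note also that an ip/ entry for one full address (e.g. 192.168.1.10) admits only that host, whereas an entry for 192.168.1 admits the whole /24.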

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html