Great Circle Associates Firewalls
(May 1993)

Subject: Re: SUMMARY: DNS in Firewalled Environment
From: todd@macsch.com (Todd Williams)
Date: Wed, 19 May 93 16:39:00 PDT
To: firewalls@GreatCircle.COM

At 6:31pm on Wed May 19 1993, tkevans@fallst.es.dupont.com (Tim Evans) said:
> Last week, I wrote:
> 
> >I'd like to hear peoples' views on appropriate ways to set up
> >DNS in firewalled environments, particularly with respect to
> >preventing information about hosts inside the firewall from
> >being broadcast to the world at large via DNS, while at the
> >same time providing info about the world outside to all the
> >internal hosts.
>
> I received one other reply, which I could not figure out whether it was
> serious or smartass, so won't mention the sender's name.  The suggestion
> was to "not register my domain".  Perhaps I missed something, but I thought
> one had to register one's domain to be on the Internet and to use DNS.
> How I could do what I wanted with an unregistered domain is beyond me.

Right.  If you're on the internet, your DNS must be using a registered name.
> Meanwhile, I've been studying the new O'Reilly book _DNS and Bind_
> and believe the solution to what I'm after is to use "internal
> root DNS servers," which know only about the internals of my network
> and about a "normal" DNS server on the firewall machine, which knows
> only about itself and the outside world.

Well, I'm surprisingly disappointed that you didn't get an adequate response.
Maybe nobody understood the question.  I haven't tackled this problem at my
site yet, so let me give you my blind-leading-the-blind reply:

Smoot Carl-Mitchell of Texas Internet Consulting has developed something that
will do exactly what you want, I think.  I think they are hacks to DNS which
allow you to run DNS out to the Internet from one side of your firewall,
while running a slightly different DNS internal to your firewall.  This is a
common problem for people who want to hide internal host names, etc.

His address is smoot@tic.com, or you can just get the package via FTP from
tic.com, I think.

Here's some of the previous discussion about this topic:

At 11:56am on Tue Dec 22 1992, Donald R. Proctor (510/596-3828) <sybase!donp@Sun.COM> said:
>
> Previously, avalon@coombs.anu.edu.au (Darren Reed) said:
> > It has often been said that when setting up a firewall to allow DNS
> > packets with both source and dest. of port 53 through.  There seems
> > to be an obvious flaw with this - what is to stop crackers using
> > this 'hole' ?  I don't recall if this was allowed just as far as the
> > 'DMZ' or all the way through...
> 
> The best approach is probably to set up an "internal" DNS domain and
> an "external" DNS domain.  The internal domain servers would talk to
> internal root servers, and the external domain servers would talk to
> the "real" root servers.
> 
> That way you don't need to open up port 53 from the DMZ to the internal
> network(s).
> 
> Also, you may not have a need to advertise the name of every host on
> your network to the outside world.  In this case, the "external" DNS
> server can operate with a very minimal DNS database configuration.

Todd Williams    UNIX Systems Supervisor      todd@macsch.com    (213) 259-4973
MacNeal-Schwendler Corp. ("MSC"),  815 Colorado Blvd.,  Los Angeles, CA   90041
   "Solaris 2.0 -- It's enough to make you leave the company." -Rob Kolstad
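The internal-root / minimal-external arrangement the thread describes, written out as a constructed BIND 9 configuration. This is an added illustration, not anything from the post or from the package mentioned above; the domain example.com, the hostnames ns-int and gw, the inside range 10.0.0.0/8 and the outside address 192.0.2.1 are all assumptions.

```conf
// ---- named.conf on the INTERNAL root server (ns-int, 10.0.0.2) ----
options {
    directory "/var/named";
    recursion yes;
    // only inside hosts may ask; nothing outside ever reaches this server
    allow-query { 10.0.0.0/8; localhost; };
};

// This server IS the root for everything behind the firewall: inside
// resolvers never learn the real root servers, so no inside query goes out.
zone "." {
    type master;
    file "db.internal-root";
};

zone "example.com" {
    type master;
    file "db.example.com.internal";   // every inside host lives here
};

// ---- db.internal-root: the fake root zone ----
$TTL 86400
.                     IN  SOA  ns-int.example.com. hostmaster.example.com. (
                               1 3600 900 604800 86400 )
.                     IN  NS   ns-int.example.com.
ns-int.example.com.   IN  A    10.0.0.2        ; glue for the delegation below
example.com.          IN  NS   ns-int.example.com.

// ---- db.example.com.internal: full inside view of the domain ----
$TTL 86400
@         IN  SOA  ns-int.example.com. hostmaster.example.com. (
                   1 3600 900 604800 86400 )
          IN  NS   ns-int.example.com.
          IN  MX   10 gw.example.com.
ns-int    IN  A    10.0.0.2
gw        IN  A    10.0.0.1        ; firewall, inside interface
payroll   IN  A    10.1.2.3        ; inside-only host; must never appear in the external zone

// ---- named.conf on the FIREWALL (external) server (gw, 192.0.2.1) ----
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localhost; };   // only the firewall's own proxies get lookups of the outside world
    allow-query { any; };             // the world may ask, but only for what the zone below says
};

zone "example.com" {
    type master;
    file "db.example.com.external";
};

// ---- db.example.com.external: the "very minimal" database ----
$TTL 86400
@     IN  SOA  gw.example.com. hostmaster.example.com. (
               1 3600 900 604800 86400 )
      IN  NS   gw.example.com.
      IN  MX   10 gw.example.com.
gw    IN  A    192.0.2.1           ; outside interface only; no inside names or addresses
```

Two properties follow from this split. An inside host pointed at ns-int gets NXDOMAIN for any name outside example.com, because ns-int is authoritative for the root and has no hints; outside names are resolved only on the firewall, by the firewall's server, on behalf of the proxies running there. And an outsider querying gw sees nothing but the SOA, NS, MX and the firewall's own outside address, so the inside host list is never published. Because the two servers share no zone data, a quick check after every edit is to confirm the external zone file contains no 10.0.0.0/8 addresses and no inside hostnames.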