Great Circle Associates Firewalls
(March 1994)

Subject: Re: DNS help required ...
From: S30831%DNC@utrcgw.utc.com
Date: 22 Mar 1994 11:17:32 -0400 (EDT)
To: firewalls@GreatCircle.COM


The problem of internal subdomains being able to both resolve addresses
in other sub-domains -and- resolve outside Internet addresses has come
up a few times. As far as I can see, any combination of forwarder/slave
in the Server SubD won't do the trick. No forwarders line in SubD will
cause the subdomain servers to try the Internet root servers first (which,
since they are trapped by the firewall, cause time-outs). Server TopD,
on the other hand, works very well - clients pointing to it can resolve
all addresses for internal sub-domains and Internet addresses.


        Server TopD              
       ---------------                       Server Fwall
      | Authoritative |                     -------------
      |  for top-level| --forwarders-->     | Resolves   |          
      | local domain  |                     |  Internet  |
      |_______________|                     |  Addresses |            
                                             ------------
               \                                    /        
                \                                  /
              forwarders?                      forwarders?
                  \                              /
                   \                            /
                    \                          /     
                     \                        /     
                      \     Server SubD      /
                          ----------------
                          | Authoritative |
                          | for local     |
                          | Sub-domains   |
                           ---------------



To summarize from the answers I received:

The internal servers must cache all internal zones.


I have implemented the quick solution offered by
hening.tranberg@ti-oslo.televerket.tele.no in the short run
and simply configured my SOCKS rclients to point to the external 
name server (server Fwall), and left the internal scheme as it is today 
(completely isolated). The unfortunate thing is that, by doing so, I can't
take advantage of the new version of SOCKS which supports versatile
clients (e.g. can use same ftp image for internal and external
connections, instead of separate "rftp" program).


Here are some thoughts for "priming the cache" of the internal servers.
Can anyone think of something less ugly?


(the following assumes that a server will first try information 
 in its cache before sending queries to another authority):
 
1) prime the cache of the subdomains by adding NS entries in 
   their named.ca for all other internal subdomains (then add forwarders
   command pointing to external server).
2) make all subdomain servers also secondary servers for the 
   parent (then add forwarders command pointing to external server).
3) use subdomain servers for administrative purposes only. Make
   the parent domain also secondary for all internal subdomains.
   Then all clients would resolve only to the parent name servers.



-Karen Krilyk
 Sikorsky Aircraft
 Stratford, CT
 s30831%dnc@utrcgw.utc.com
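The third option in the message above (the parent name server also holds secondary copies of every internal subdomain and forwards everything else to the firewall's resolver), written out as an added example in BIND 8/9 named.conf syntax. It is not part of the original message, which predates named.conf; BIND 4 expressed the same thing with `secondary`, `forwarders` and `slave` lines in named.boot. The domain corp.example, the two subdomains, the addresses 10.1.0.53, 10.2.0.53 and 192.0.2.53, the 10.0.0.0/8 internal range and the file names are all assumptions made for the example.

```conf
// Assumed: this is Server TopD, authoritative for the made-up internal
// domain corp.example. Internal clients point at it for every lookup.
options {
    directory "/var/named";

    // Anything this server is not authoritative for goes to Server Fwall
    // (assumed address 192.0.2.53). "forward only" is the named.conf
    // equivalent of the BIND 4 "slave" directive: never fall back to the
    // Internet root servers, whose queries the firewall would drop and
    // which would otherwise just time out.
    forwarders { 192.0.2.53; };
    forward only;

    // Internal names should not be handed to the outside. Only the
    // internal nets (assumed 10.0.0.0/8) may query or pull zones here.
    allow-query { 10.0.0.0/8; 127.0.0.1; };
    allow-transfer { 10.0.0.0/8; };
    recursion yes;
};

// Parent zone, held here as master.
zone "corp.example" {
    type master;
    file "db.corp.example";
};

// Option 3: the parent server is also a secondary for every internal
// subdomain, so those names are answered from local zone data and never
// reach the forwarders. The masters are the assumed SubD servers.
zone "eng.corp.example" {
    type slave;
    masters { 10.1.0.53; };
    file "bak.eng.corp.example";
};

zone "mfg.corp.example" {
    type slave;
    masters { 10.2.0.53; };
    file "bak.mfg.corp.example";
};

// Reverse zone for the internal address space, so PTR lookups for
// internal hosts stay inside as well (assumed to be mastered here).
zone "10.in-addr.arpa" {
    type master;
    file "db.10";
};
```

For this to work each SubD server must permit zone transfers to TopD (an `allow-transfer` listing TopD's address on the subdomain masters), and `named-checkconf` will validate the file before named is restarted. With `forward only` the only host that needs outbound port 53 through the firewall is Server Fwall, and no internal zone data is ever sent to it. Later BIND releases also offer `type forward` zones with their own `forwarders` list, which delegate individual internal subdomains directly to their SubD servers without holding secondary copies; that facility did not exist in the BIND 4 the message is about.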
