I'm considering something somewhat analogous/similar. I want an
internal-only DNS server that corporate clients go to first to resolve
hostnames. If it's not our domain, it forwards to the outside.
On the other hand, this same server never gets any initiated requests
from the outside. Instead, I want there to be a server that *is* visible
to the outside that has about 10 hostnames/addresses visible to the
outside. This list would be kept manually, and it could be the ISP that
hosts it for us.
----------
From: Kurt Kessel
Sent: Wednesday, February 12, 1997 6:22 PM
To: firewalls
Subject: Split DNS - Another way
I have been watching the split DNS discussions and learned a lot of
the issues, good and bad, for implementing such. As I am beginning to
resolve our own company's issues, I thought of another deviation of
the split DNS issue without any of the drawbacks normally associated
with it.
What if a company let the ISP be the primary DNS for the public network,
say mydom.com. Their internal DNS remained the primary for their internal
domain, again mydom.com. The trick would be to configure the firewall as
a DNS client of both DNS servers (ISP and internal). With the use of
proxies and filtering on the FW, no DNS leakage should happen. The proxies
should be able to resolve domain names as needed.
This also has the advantage of removing the DNS load off of the firewall
and letting my ISP or existing internal server handle that traffic.
Now does anybody see any holes in this? Is the concept sound, but
implementation flawed? Any discussion/comments would be appreciated.
Kurt Kessel                             EMail: kkessel@hteinc.com
Systems Consultant/Webmaster            WWW:   http://www.hteinc.com
HTE, Inc.                               Voice: 407-841-3235
Solutions for Government & Utilities    Fax:   407-246-8835
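The two schemes above (an internal-only server that forwards non-local names outward, an ISP-hosted public server carrying a short hand-maintained host list, and a firewall that is a client of both) can be modelled as a small split-horizon resolver to check the property both posters care about: internal names must never be answerable from the outside, and the public server must not recurse for strangers. The following is an added example, not code from either message; the domain mydom.com comes from the thread, while every hostname, address, network range and the class and function names are constructed for illustration.

```python
"""Split DNS model for mydom.com: an internal server that forwards outside,
an ISP-hosted public server with a short hand-maintained host list, and a
firewall that queries both. Added illustration with constructed data."""
from ipaddress import ip_address, ip_network

DOMAIN = "mydom.com"                                 # domain named in the thread
INTERNAL_NETS = [ip_network("10.0.0.0/8")]           # constructed corporate address space
ISP_CUSTOMER_NETS = [ip_network("192.0.2.0/24")]     # constructed: firewall's outside side
FIREWALL_INSIDE, FIREWALL_OUTSIDE = "10.1.0.1", "192.0.2.1"   # constructed addresses

INTERNAL_ZONE = {   # constructed: everything corporate clients may see
    "www.mydom.com": "192.0.2.10",
    "mail.mydom.com": "192.0.2.25",
    "fileserver.mydom.com": "10.1.2.3",
    "payroll.mydom.com": "10.1.2.50",
}
PUBLIC_ZONE = {     # constructed: the short list the ISP hosts for the outside world
    "www.mydom.com": "192.0.2.10",
    "mail.mydom.com": "192.0.2.25",
}
INTERNET = {"www.example.org": "203.0.113.7"}   # constructed stand-in for the rest of the DNS


def normalize(name):
    """Lower-case and strip the trailing dot so lookups are case/form insensitive."""
    return name.rstrip(".").lower()


def in_domain(name):
    return name == DOMAIN or name.endswith("." + DOMAIN)


def in_nets(src_ip, nets):
    return any(ip_address(src_ip) in net for net in nets)


class PublicServer:
    """ISP-hosted: authoritative for the public list; recursive only for ISP customers."""

    def __init__(self, zone, internet, customer_nets):
        self.zone, self.internet, self.customer_nets = zone, internet, customer_nets

    def resolve(self, name, src_ip):
        name = normalize(name)
        if in_domain(name):
            return self.zone.get(name)            # authoritative answer, or NXDOMAIN (None)
        if in_nets(src_ip, self.customer_nets):
            return self.internet.get(name)        # recursion for the ISP's own customers
        return None                               # REFUSED for everyone else


class InternalServer:
    """Corporate-only: authoritative for the internal view, forwards other names outside."""

    def __init__(self, zone, forwarder, client_nets):
        self.zone, self.forwarder, self.client_nets = zone, forwarder, client_nets

    def resolve(self, name, src_ip):
        name = normalize(name)
        if not in_nets(src_ip, self.client_nets):
            return None                           # REFUSED: never answers the outside
        if in_domain(name):
            return self.zone.get(name)            # internal names are answered locally only
        return self.forwarder.resolve(name, FIREWALL_OUTSIDE)  # forwarded out through the firewall


class Firewall:
    """Client of both servers, as in the second message: company names go to the
    internal server, everything else to the ISP."""

    def __init__(self, internal, isp):
        self.internal, self.isp = internal, isp

    def lookup(self, name):
        name = normalize(name)
        if in_domain(name):
            return self.internal.resolve(name, FIREWALL_INSIDE)
        return self.isp.resolve(name, FIREWALL_OUTSIDE)


def build():
    isp = PublicServer(PUBLIC_ZONE, INTERNET, ISP_CUSTOMER_NETS)
    internal = InternalServer(INTERNAL_ZONE, isp, INTERNAL_NETS)
    return internal, isp, Firewall(internal, isp)


def leaked_names(internal, isp, outside_ip="198.51.100.9"):
    """Internal-only names an outside client can resolve from either server (should be none)."""
    private = [n for n in internal.zone if n not in isp.zone]
    return sorted(n for n in private
                  if internal.resolve(n, outside_ip) is not None
                  or isp.resolve(n, outside_ip) is not None)


if __name__ == "__main__":
    internal, isp, fw = build()
    print(internal.resolve("payroll.mydom.com", "10.5.5.5"))   # inside client, internal view
    print(internal.resolve("www.example.org", "10.5.5.5"))     # inside client, forwarded out
    print(isp.resolve("payroll.mydom.com", "198.51.100.9"))     # outsider: not in public list
    print(isp.resolve("www.example.org", "198.51.100.9"))       # outsider: no recursion
    print(fw.lookup("mail.mydom.com"), fw.lookup("www.example.org"))
    print("leaked:", leaked_names(internal, isp))
```

The `leaked_names` check is the one worth keeping around: it walks every name that exists only in the internal zone and confirms that neither server answers it for an outside source address. Run it whenever the public list is edited by hand, since that list is exactly where a private name would slip out.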