Marcus,
Is it a good idea to put the DNS server installed at the firewall,
even if it's just an external name server? If people from the external
network want to access the perimeter (DMZ) for some business
requirements, then the DNS will have to resolve addresses on the DMZ.
The idea is to protect the internal network from being attacked from
outside. What about the fake DNS server that Brent Chapman and
Elizabeth D. Zwicky discussed in the book "Building Internet
Firewalls"?
How about putting the DNS server on a dedicated machine (or probably
two, to act as a secondary DNS server) on the DMZ to resolve external
addresses and the DMZ ones! The internal DNS server can be set as a
secondary one if someone from the internal network wants to access
the DMZ and vice versa. The firewall is then just configured to
perform IP/Services/Authorization/Authentication filtering.
Any ideas?
Peter
______________________________ Reply Separator _________________________________
Subject: Re: Split DNS - Another way
Author: mjr|INTERNET|mjr@clark.net at MCIMAIL
Date: 2/13/97 1:41 AM
> I have been watching the split DNS discussions and learned a lot of
> the issues, good and bad, for implementing such.
I think a good approach is to turn the problem on its head. What
most folks implement with "split DNS" is actually "split resolving"
which is what you really want! So, suppose I have a firewall on
the perimeter of my network, acting as an external nameserver,
and I have an internal full nameserver: I want the firewall and all
its proxies to resolve all addresses for *.v-one.com against the
internal nameserver and use the Internet for everything else. Turns
out that this hack works just great. My internal nameserver can
slave from the firewall, which has only a few v-one.com names
in it, and the only machine that needs to have DNS magic
installed is the firewall.
I've posted a patch for implementing this against a (somewhat
recent) version of the official bind release. Since the bind releases
change frequently, you may have to do some hand patching but
the code is trivial.
Bind is at: http://www.vix.com/isc/bind/index.html
My patch is at: http://www.clark.net/pub/mjr/pubs/dns/
In the past I have implemented some truly sick and twisted
DNS configurations to try to make "split dns" work right
without having to adjust any code. It's simply a royal pain
in the neck and doesn't work very well. Patching the resolver
code is easy and clean and you can do it without needing
to replace the nameserver -- so for something like a Sun you
just patch the shared library. Clean as a whistle, and it's
easy to test.
mjr.
-----
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
Work: http://www.v-one.com
Personal: http://www.clark.net/pub/mjr
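The "split resolving" policy Marcus describes (names under the organisation's own domain go to the internal nameserver, everything else goes out to the Internet) as an added Python example. This is not his BIND resolver patch and not code from the thread; the nameserver addresses, the `v-one.com` zone contents and the `fake_query` stub are constructed so the example runs offline. The defender's detail it adds is that the domain match must be label-aware: a plain substring or suffix test on "v-one.com" would also send `fakev-one.com` or `v-one.com.example.net` to the internal server.

```python
"""Split resolving: route lookups for the organisation's own domain to the
internal nameserver and all other lookups to the Internet-facing one.

Added example, not the thread's own code. Server addresses, zone data and
the query stub are constructed placeholders."""

# Constructed placeholders: replace with the real nameserver addresses.
INTERNAL_NS = "10.0.0.53"     # full internal nameserver (assumed address)
EXTERNAL_NS = "192.0.2.53"    # Internet-facing resolver (assumed, documentation range)

# Domain(s) whose names must always be answered by the internal nameserver.
INTERNAL_DOMAINS = ("v-one.com",)


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def is_internal_name(name, internal_domains=INTERNAL_DOMAINS):
    """True if `name` is one of the internal domains or a subdomain of one.

    Comparison is done on whole labels, so 'fakev-one.com' and
    'v-one.com.example.net' are NOT treated as internal; a naive
    substring test on 'v-one.com' would misroute both."""
    labels = _labels(name)
    for dom in internal_domains:
        dl = _labels(dom)
        if len(labels) >= len(dl) and labels[-len(dl):] == dl:
            return True
    return False


def choose_nameserver(name):
    """Pick which server a proxy on the firewall should ask for `name`."""
    return INTERNAL_NS if is_internal_name(name) else EXTERNAL_NS


def resolve(name, query):
    """Resolve `name` via the chosen server using `query(server, name)`.

    The query function is injected so the example runs without network."""
    return query(choose_nameserver(name), name)


# --- constructed stub standing in for real DNS traffic -----------------------
# The same name deliberately has different answers on the two servers, which
# is exactly the situation split resolving exists to handle.
FAKE_ZONES = {
    INTERNAL_NS: {"www.v-one.com": "10.0.1.10", "mail.v-one.com": "10.0.1.25"},
    EXTERNAL_NS: {
        "www.v-one.com": "198.51.100.10",
        "example.net": "203.0.113.7",
        "v-one.com.example.net": "203.0.113.8",
    },
}


def fake_query(server, name):
    """Answer from the constructed tables; fail like an NXDOMAIN would."""
    try:
        return FAKE_ZONES[server][name.lower().rstrip(".")]
    except KeyError:
        raise LookupError(f"{server} has no record for {name}")


if __name__ == "__main__":
    for n in ("www.v-one.com", "WWW.V-ONE.COM.", "example.net",
              "v-one.com.example.net", "fakev-one.com"):
        try:
            print(f"{n:24} -> {choose_nameserver(n):12} -> {resolve(n, fake_query)}")
        except LookupError as err:
            print(f"{n:24} -> {err}")
```

Run it directly to see each name, the server it is routed to, and the answer that server gives; the two look-alike names fall through to the external server, and `fakev-one.com` fails there because the constructed external zone has no record for it.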