On Wed, 12 Feb 1997, Marcus J. Ranum wrote:
> > I have been watching the split DNS discussions and learned a lot of
> > the issues, good and bad, for implementing such.
> I think a good approach is to turn the problem on its head. What
> most folks implement with "split DNS" is actually "split resolving"
> which is what you really want! So, suppose I have a firewall on
> the perimeter of my network, acting as an external nameserver,
> and I have an internal full nameserver: I want the firewall and all
> its proxies to resolve all addresses for *.v-one.com against the
> internal nameserver and use the Internet for everything else. Turns
> out that this hack works just great. My internal nameserver can
> slave from the firewall, which has only a few v-one.com names
> in it, and the only machine that needs to have DNS magic
> installed is the firewall.
This is correct; the issue is resolving, and which DNS server is used by
whom for what.
My question is: why is a patch needed? If there is an external DNS server
in the DMZ that knows only the DNS info on what is externally
visible, and the firewall forwards DNS packets from external to DMZ and
back but never internal <--> external or internal <--> DMZ, then why can't
the firewall simply run a resolv.conf file that points to the internal DNS
Natasha: Black RX-7 R1
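The "split resolving" arrangement Marcus describes, written out as a BIND 9 named.conf for the perimeter host; this is an added example, not configuration from the thread or from v-one.com, and the addresses (10.1.1.53 for the internal nameserver, 10.0.0.0/8 for the internal address space) are assumed:

```conf
// Added example: perimeter resolver implementing "split resolving", not from the original thread.
// Assumed: 10.1.1.53 is the internal full nameserver; 10.0.0.0/8 is the internal address space.
options {
    directory "/var/named";
    // Only the firewall host and the proxies running on it may ask this resolver;
    // nothing on the outside gets to use it as a recursive server.
    allow-query     { localhost; };
    allow-recursion { localhost; };
    // Anything not matched by a forward zone below is resolved against the Internet.
    recursion yes;
};

// Names under v-one.com are answered only by the internal nameserver.
zone "v-one.com" {
    type forward;
    forward only;            // never fall back to Internet resolution for this zone
    forwarders { 10.1.1.53; };
};

// Reverse lookups for internal addresses go the same way, so proxy logs
// resolve internal hosts without leaking PTR queries outward.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.1.1.53; };
};
```

The small public-facing copy of v-one.com that external clients query is a separate concern: serve it from a second named instance or a BIND 9 `view` matched on source address, so the forward zone above is never visible from the outside and the firewall rules still only need to permit DNS from this host to 10.1.1.53.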