> To: Marc .
> Of course a dns is needed on the fw when you are using an application
> gateway firewall,
This is one case where you don't need a DNS server on the firewall, or
anywhere else within your org for that matter. Client connects to
application proxy with request, application proxy uses DNS resolver to get
IP address. DNS resolver can use ISP's DNS server. Of course if you are
using DNS as your LAN nameserver (e.g. you are not using NIS, /etc/hosts or
WINS), then you need the soln. you mentioned below.
> | I found so far two possibilities to solve this problem ...
> | The second is to just forward the dns resolving to a host in the dmz
> | running also the primary external dns there.
Bill Cheswick's trick described in the O'Reilly book. The intention being
to stop random ports having to be opened on the firewall to internal
resolvers. The forward requests always being made on port 53 between two
known (trusted?) systems. Works with BIND but perhaps not with all
implementations of DNS.
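The forwarding arrangement described above, as an added example that is not part of the original thread: a BIND 9 `named.conf` fragment for an internal resolver that only ever forwards to the DMZ server, the matching recursion restriction on the DMZ server (which is also the external primary), and the single packet-filter rule the firewall then needs. The addresses 192.0.2.10 (internal resolver), 198.51.100.5 (DMZ server), the 192.0.2.0/24 LAN and the zone example.com are constructed placeholders.

```conf
// --- internal resolver (192.0.2.10, constructed), its own named.conf ---
// Every LAN query is sent to the DMZ server on port 53. "forward only"
// means this host never falls back to querying the Internet directly,
// so the firewall needs no rule for arbitrary external nameservers.
options {
    directory "/var/named";
    recursion yes;
    allow-query { 192.0.2.0/24; };          // LAN clients only
    forward only;
    forwarders { 198.51.100.5; };           // the DMZ server, nothing else
};

// --- DMZ server (198.51.100.5, constructed), its own named.conf ---
// Authoritative for the external zone to the whole world, but it will
// recurse only on behalf of the internal resolver; any other host that
// asks for recursion is refused.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.10; };        // only the internal resolver
    allow-query { any; };                   // authoritative answers for all
};
zone "example.com" {
    type master;
    file "example.com.zone";
};

# --- firewall, inside -> DMZ (iptables syntax, stateful filter) ---
# The only DNS traffic permitted from the inside is the one known resolver
# talking to the one known server on port 53. TCP 53 is included because
# answers too large for UDP are retried over TCP; replies come back on the
# tracked connection, so no high "random" ports need opening.
# iptables -A FORWARD -s 192.0.2.10 -d 198.51.100.5 -p udp --dport 53 -j ACCEPT
# iptables -A FORWARD -s 192.0.2.10 -d 198.51.100.5 -p tcp --dport 53 -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
```

The two `options` blocks belong to two separate files on two hosts; the DMZ server's own Internet-facing port 53 access, needed for its authoritative role, is a separate rule not shown here. A useful check after deployment is that a query for an external name from a LAN client returns SERVFAIL, not an answer, when the DMZ server is unreachable, which confirms the internal resolver really is forward-only.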