I have a question on setting up DNS for a dual-homed gateway firewall. A
simplified diagram of part of our network would look something like this:
[modems] <---> [comm server] <---> [router] <---> [gateway] <---> [LAN]
There are a few services running on the gateway which both users on the LAN
and users on dialup need to get to. There is no access from the modems
directly to the LAN, since not all of the dialup users should have access
to all of the machines on the LAN.
What we have now: There is a separate DNS for users on the LAN, which translates
the names of the services on the gateway to the IP address of the internal
interface (e.g., mail.foo.com -> 22.214.171.124). There is also another DNS for users
on dialup, which translates the names of the services on the gateway to the IP
address of the external interface (e.g., mail.foo.com -> 126.96.36.199). Laptop
users can point at one DNS while on the LAN and the other while coming in from
dialup, and can therefore keep their application settings the same (mail is
always read from mail.foo.com).
What we would like: Some method, preferably without adding any new
hardware, to use one DNS server for both LAN and dialup. I've tried a test
(using BIND 8) where the name had two A records. This worked for the most
part, but suddenly the wrong IP address was consistently returned while
It sounds like address sorting might help here, but I've been told that address
sorting is no longer a part of BIND in version 8. And I'm not sure how it would
handle dialup users, who do not directly share a network with the gateway.
Is there any way to use one DNS on the central gateway machine (along with
secondary name servers both inside and outside the firewall)?
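As an added illustration (not part of the original post, and not a BIND configuration), the following Python model shows the three resolver behaviours the question touches: plain rotation over two A records on one name, BIND-style sortlist ordering keyed on the querying client's network, and a single server choosing its answer by the client's network the way the two separate DNS servers above do today. Only the two gateway interface addresses come from the post; the LAN /24 prefix, the dialup client address and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample data: the two gateway interface addresses quoted in the post.
# The /24 prefix is an assumption for illustration; the post gives only host addresses.
INTERNAL_IF = "22.214.171.124"
EXTERNAL_IF = "126.96.36.199"
LAN_NET = ipaddress.ip_network("22.214.171.0/24")

# One name with two A records, as in the BIND 8 test described in the post.
RECORDS = {"mail.foo.com": [INTERNAL_IF, EXTERNAL_IF]}


def round_robin_answers(name, n_queries):
    """Plain multi-record behaviour: the server rotates the record order on each
    answer. A client that always takes the first address therefore gets the
    interface it cannot reach on every other query."""
    recs = RECORDS[name]
    answers = []
    for i in range(n_queries):
        k = i % len(recs)
        answers.append(recs[k:] + recs[:k])
    return answers


def sortlist_answer(name, client_ip, sortlist, rotation=0):
    """Sortlist-style ordering: if the client matches an entry in `sortlist`
    (a list of (client_network, [preferred_networks]) pairs), addresses on the
    preferred networks are moved to the front in listed order. A client that
    matches no entry gets the plain rotated order, which is why sorting does
    nothing for a dialup client that shares no network with the gateway."""
    recs = RECORDS[name]
    k = rotation % len(recs)
    rotated = recs[k:] + recs[:k]
    client = ipaddress.ip_address(client_ip)
    for client_net, preferred in sortlist:
        if client in client_net:
            def rank(addr):
                a = ipaddress.ip_address(addr)
                for i, net in enumerate(preferred):
                    if a in net:
                        return i
                return len(preferred)  # unmatched addresses keep their relative order
            return sorted(rotated, key=rank)  # sorted() is stable
    return rotated


def split_horizon_answer(name, client_ip, views):
    """One server, one answer per view: pick the single address by the network
    the query came from. `views` is an ordered list of (network, address); a
    network of None is the catch-all, which covers dialup clients."""
    client = ipaddress.ip_address(client_ip)
    for net, addr in views:
        if net is None or client in net:
            return [addr]
    raise LookupError(f"no view matches {client_ip}")


if __name__ == "__main__":
    lan_client = "22.214.171.50"   # assumed LAN host
    dialup_client = "10.9.8.7"      # assumed dialup host, not on the gateway's networks
    sortlist = [(LAN_NET, [LAN_NET])]
    views = [(LAN_NET, INTERNAL_IF), (None, EXTERNAL_IF)]
    print("round robin:", round_robin_answers("mail.foo.com", 4))
    for rot in (0, 1):
        print("sortlist LAN   :", sortlist_answer("mail.foo.com", lan_client, sortlist, rot))
        print("sortlist dialup:", sortlist_answer("mail.foo.com", dialup_client, sortlist, rot))
    print("split horizon LAN   :", split_horizon_answer("mail.foo.com", lan_client, views))
    print("split horizon dialup:", split_horizon_answer("mail.foo.com", dialup_client, views))
```

Running it shows the rotated two-record answer alternating between the two interfaces, the sortlist keeping the internal address first for the LAN client regardless of rotation while the dialup client's order still flips, and the per-client-network answer giving each side exactly the address it can reach.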