Great Circle Associates Firewalls
(November 1994)

Subject: DNS on firewall? was Re: mail through screened host gateway!
From: mandrews@Chi.AHC.Ameritech.COM (Mike Andrews)
Date: Tue, 29 Nov 1994 10:33:44 -0600 (CST)
To: Firewalls@GreatCircle.COM
In-reply-to: <199411290900.BAA28254@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Nov 29, 94 01:00:07 am

> From: "Daniel O'Callaghan" <danny@www.unimelb.edu.au>
> Date: Tue, 29 Nov 1994 15:00:54 +1100 (EST)
> Subject: Re: mail through screened host gateway!
> 
> On Mon, 28 Nov 1994 gordonj@ubs.ubs.utah.edu wrote:
> 
> > I will soon be installing a screened host type gateway with Linux and TIS
> > fwtk.  I have read the fwtk documentation and am still unclear how mail
> > will work through the firewall.  Do you simply allow all mail through the 
> > router and run smap and smapd on the destination machine?
> 
> One way is this:
> 
> Use sendmail instead of smail (or work out how to do the following with 
> smail).
> 
> Machine a.foo is your internal mail host, b.foo is the gateway.
> 
> In DNS use
> 
> foo  IN  A  1.2.3.4
>      MX  10 b.foo
> 
> a.foo IN A  1.2.3.4
> 
> b.foo IN A 1.2.3.5
> 
> On b, use the sendmail rule with comment "If we are the best MX for a host,
> send directly instead of generating local config error".
> 
> So, b runs smap/smapd and sendmail with the above rule, and a.foo holds
> mail for foo as its own.  You might find internal mail going through 
> b.foo with this setup, unless you run different internal and external DNS.
> 
> Another way to do it is to have MX 10 a.foo, MX 20 b.foo, and let the 
> attempt to contact a.foo fail so sendmail will try b.foo.  But that 
> delays the mail maybe a minute, and it is not a nice thing to do to 
> people's log files, when you do know of a neater way.
> 
> ...

Is the multi-MX setup really considered poor DNS manners? That's the
method that's recommended in O'Reilly's "DNS and BIND" bible.

I'm set up that way and I'm not noticing any delays on the receipt of
mail.  I have often monitored the smail log while sending mail to
myself from a remote site.  I haven't noticed a long delay, but it
*could* be a minute.

While I'm asking, is there anything wrong with setting up the DNS
book's "false root" plan for DNS servers behind the firewall?
The way I understand it, you create a named.root db on the internal
servers that points to the firewall for root inquiries, while
the firewall points to the real root servers on the Internet.
I'd like to keep my firewall from sending details of the internal DNS
setup in response to Internet inquiries, which means that the firewall
must have a truncated version of the real internal DNS db's.
I'd still like the firewall to be able to resolve the internal
data for itself without sending it out to the Internet.  Is this
kind of setup secure? Are there any FAQs that clarify proper
DNS setup on the firewall?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Andrews                                  mandrews@Chi.AHC.Ameritech.COM
Ameritech Health Connections                  Chicago, IL USA
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
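The two MX arrangements in the quoted post, and the "internal mail goes through b.foo unless you run different internal and external DNS" caveat, as an added example that is not from the original thread and is not sendmail's own code: a small model of RFC 5321 section 5.1 MX processing that walks one message from the Internet to the internal mail host under each scheme, using the zone data from the post (foo, a.foo at 1.2.3.4, b.foo at 1.2.3.5). The sender name mail.example.net, the screening-router policy (only b.foo accepts SMTP from outside), the internal-only zone variant and all function names are assumptions made for this example.

```python
"""Model of the two MX arrangements from the quoted post.

Zone data is copied from the post (domain "foo", a.foo = internal mail
host at 1.2.3.4, b.foo = gateway at 1.2.3.5).  Sender names, the
reachability rules and the internal-only zone are assumptions for this
example.  MX handling follows RFC 5321 section 5.1.
"""

A_RECORDS = {"foo": "1.2.3.4", "a.foo": "1.2.3.4", "b.foo": "1.2.3.5"}

# Scheme 1 from the post: the gateway is the only MX.
MX_SINGLE = {"foo": [(10, "b.foo")]}
# Scheme 2 from the post: internal host first, gateway as fallback.
MX_FALLBACK = {"foo": [(10, "a.foo"), (20, "b.foo")]}
# Constructed: what an internal-only zone (the "different internal and
# external DNS" the post mentions) would say, so inside mail never has
# to pass through the gateway.
MX_INTERNAL_VIEW = {"foo": [(10, "a.foo")]}


def candidate_mx(domain, mx_records, sender):
    """Return the MX hosts to try, in order, for mail from `sender` to `domain`.

    Lower preference is tried first.  If `sender` is itself an MX for
    the domain, every MX with equal or higher preference is dropped
    (RFC 5321 5.1); that is what prevents a mail loop.  Equal
    preferences are kept in zone order here; a real MTA randomises them.
    """
    mxs = sorted(mx_records.get(domain, []))
    if not mxs:
        return [domain]  # no MX at all: implicit MX on the domain's A record
    own = [pref for pref, host in mxs if host == sender]
    if own:
        mxs = [(pref, host) for pref, host in mxs if pref < min(own)]
    return [host for _pref, host in mxs]


def route(domain, mx_records, sender, connect):
    """Deliver like an MTA would: walk the MX list, fall back on failure.

    `connect(address)` stands in for the TCP/SMTP attempt and returns
    True if the host accepted the connection.  Returns the host and
    address that took the message plus the hosts tried and failed
    (each failure is a timeout and a log line on a real system).
    """
    hosts = candidate_mx(domain, mx_records, sender)
    if not hosts:
        # We are the best MX but do not hold the domain locally.  Stock
        # sendmail reports "config error: mail loops back to me"; the
        # rule the post names sends straight to the domain's own A record.
        hosts = [domain]
    failed = []
    for host in hosts:
        address = A_RECORDS[host]
        if connect(address):
            return host, address, failed
        failed.append(host)
    raise RuntimeError("no MX host reachable for %s" % domain)


def connect_from_internet(address):
    """Assumed screening-router policy: only the gateway takes SMTP from outside."""
    return address == A_RECORDS["b.foo"]


def connect_from_inside(address):
    """Inside the screened network every host is reachable."""
    return True


def walk_scheme(mx_records):
    """Trace one message from the Internet to its final internal destination."""
    first_hop = route("foo", mx_records, "mail.example.net", connect_from_internet)
    # The gateway that accepted it now relays inward using the same zone data.
    second_hop = route("foo", mx_records, first_hop[0], connect_from_inside)
    return first_hop, second_hop


def internal_mail_path(mx_records):
    """Where mail from a.foo to user@foo goes under the given zone data."""
    return route("foo", mx_records, "a.foo", connect_from_inside)


if __name__ == "__main__":
    for name, mx in (("single MX", MX_SINGLE), ("MX fallback", MX_FALLBACK)):
        print(name, walk_scheme(mx))
    print("inside, public zone:", internal_mail_path(MX_SINGLE))
    print("inside, internal view:", internal_mail_path(MX_INTERNAL_VIEW))
```

Under the single-MX scheme the Internet sender reaches b.foo at once and b.foo, being the best MX, hands the message to foo's A record (a.foo) with nothing failing; under the fallback scheme the Internet sender first times out against a.foo, which is the delay and the log noise the post objects to. With the public zone, a.foo's own mail for foo is handed to the gateway; with a separate internal view it is delivered locally.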
