> For those of you with split DNS
> ( small external DNS primary for XXX.com, resolv.conf points to
> internal DNS servers who are primary for XXX.com and have
> forwarders to the gateway to resolve external names)
Nope. Split DNS where they really are _split_ ie. _no_ DNS traffic
through the firewall. I decided on this not so much to hide info, but
to not make the internal network (which has been running unconnected
for years) suddenly dependent on external services.
Given that after a week of being connected to the local corner of the
Internet, we can still only reach half the root servers named in
named.cache and that there are _no_ root servers in this country! -
and the link from U.S. to OZ was down the day we connected, the above
choice seems pretty sound :-)
Also the client wants to be able to simply shut down the interface to
the Internet if they feel threatened. This would be tricky to do if
that meant they suddenly could not resolve their own internal hosts
:-)
> or is your firewall an application level firewall ?
> So, joe_user@yy.XXX.com can NOT 'ftp foo.com', they
> have to 'ftp gateway.XXX.com' (TIS) or SOCKS their
> way out ?
Yep. We use TIS; SOCKS currently appears to require that the internal
hosts be able to resolve names even though they cannot reach them.
> If you are application level, how do you deal with the
> problem that internal mailers, network client programs, etc
> can resolve A and MX records for "out there" -- but these
> same client programs can NOT connect to those addresses ?
No problem at all. If sendmail cannot resolve a name it just
forwards it to a relay host. That relay host _knows_ that anything
not bound for a domain on the inside net, must be passed to the relay
on the other side of the firewall, who then uses normal MX's to work
out delivery.
To do this, you must configure internal root servers to claim
authority for each domain above your own. Eg, for foo.com.au, you
need to claim authority for ., au. and com.au. as well as foo.com.au.
Thus when nameservers look up host.bar.com.au. they quickly get a
no-such-guy type answer and sendmail punts to the relay host.
Of course you also need to make sure that your external mailhost is
set up to not look up MX records for the internal domains, but to just
forward to the inside relay.
So, no big deal. The sendmail setup is pretty straightforward, and
keeping the DNS's _totally_ split is simplicity itself.
Now (one day) I just have to modify SOCKS such that if the client can
resolve a name it knows it can connect directly, otherwise it goes to
sockd on the proxy host. This would allow a single client to work
inside and out, without unnecessary load on the proxy...
--sjg
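The internal-root setup described in the post above, rendered as a BIND 9 configuration. This is an added example, not sjg's own config: foo.com.au is the domain from the post, while ns1, relay, the 10.0.0.0/8 addresses and the file names are assumed placeholders. The inside server is master for ".", "au.", "com.au." and "foo.com.au.", has no hints zone and no forwarders, so a query for host.bar.com.au. is answered with an authoritative NXDOMAIN from the empty com.au. zone and never leaves the inside network.

```bind
// --- named.conf on the internal root server (constructed example) ---
options {
    directory "/var/named";
    recursion yes;      // inside hosts may still ask recursively; harmless,
                        // since every name they can ask about is local
    // deliberately no "forwarders" clause and no "type hint" zone for ".":
    // nothing this server does not know is ever looked up outside
};

// Claim authority for every label above our own, all the way to the root.
// The three parent zones share one empty zone file.
zone "."           { type master; file "parent.zone"; };
zone "au."         { type master; file "parent.zone"; };
zone "com.au."     { type master; file "parent.zone"; };
zone "foo.com.au." { type master; file "foo.com.au.zone"; };

// --- parent.zone: SOA + NS only, loaded for ".", "au." and "com.au." ---
$TTL 3600
@   IN SOA ns1.foo.com.au. hostmaster.foo.com.au. (
        1        ; serial
        3600     ; refresh
        900      ; retry
        604800   ; expire
        300 )    ; negative-cache TTL: the NXDOMAIN for outside names is cheap
@   IN NS  ns1.foo.com.au.
ns1.foo.com.au. IN A 10.0.0.53   ; glue, absolute so the file works at any origin

// --- foo.com.au.zone: the one zone that actually holds data ---
$TTL 3600
@     IN SOA ns1.foo.com.au. hostmaster.foo.com.au. ( 1 3600 900 604800 300 )
@     IN NS  ns1.foo.com.au.
@     IN MX  10 relay.foo.com.au.   ; inside relay; it hands non-local mail to
                                     ; the relay on the far side of the firewall
ns1   IN A   10.0.0.53
relay IN A   10.0.0.25
```

Checking with `named-checkzone . parent.zone` and `named-checkzone foo.com.au foo.com.au.zone` before loading confirms both files parse; a `dig @10.0.0.53 host.bar.com.au` against the running server should return status NXDOMAIN with the AA flag set.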