I think I might not have explained the query well enough ...
so I'll try to do better this time:
We have an application-based firewall (using TIS proxies).
We have an external DNS (small) and an internal DNS (larger).
The external machines share their small info to the world and
use /etc/resolv.conf to query DNS internally. Internal DNS
uses 'forwarders' to be able to access the DNS server on the
firewall (and therefore able to get answers for xxx.foo.com
where foo != us).
I've done mailer rules, mailertables, smart hosts, etc...
I really have the (send)mail area covered.
We hand out our company licensed copies of Netscape preconfigured
to point to http-gw socket on gateway. We put out info (as best
we can) to let people know the "how-to"s of ftp'ing out and
telnet'ing out. But, I worry about those folks who try to
'ftp ftp.foo.com', 'telnet archie.internic.net', and even
'xpilot -join xxx.pilot.no' :)
I think this might be a bit silly -- since I've recently found
that the routing in the company is sucking the packets that
have nowhere to go. They suck them in on a screend host to
help track down the 'bad address' folks. This is the 'route
of last resort' destination on the net.
If I get them to send back ICMP reject/notify packets, these
users I worry about will get 'no route to host' (as they should!)
as opposed to the 'Trying ...timeout' that they do now.
My mistake -- I queried you all about a network routing goober.
- cheers -