Great Circle Associates Firewalls
(January 1997)
 


Subject: RE: DNS Proxy and Internal Root Name Ser
From: Jean-Francois ZWOBADA <zwobada @ apogee-com . fr>
Date: Thu, 02 Jan 1997 20:53:12 +0100
To: firewalls @ greatcircle . com

At 13:19 02/01/1997 -0600, you wrote:
>I guess I should explain the assumptions I made.  I assumed that you have   
>internal nameservers for your domain that are not listed as
>authoritative with InterNIC.  I also assumed that you have already set up   
>an internal *root* nameserver situation that will spoof the internal   
>servers into believing that they are authoritative for the domain even   
>though they cannot, or you don't want them to, communicate with true   
>Internet root nameservers.  What I have just explained is what I and many   
>other people have set up.
>
>The difference I saw was this:  You are using your internal *root*
>nameserver to resolve queries.  The internal *root* should not have host   
>data in it and should not be used to resolve names.  It should run with   
>references to the internal nameservers and be listed in these internal   
>nameserver's root.db (or root.cache) file.  No client should be using it   
>for name resolving; they should use the other nameservers that you have   
>set up as primary and secondaries.
>
>If my assumptions are incorrect let me know.
>
>Also, it may be that you have confused the terms 'root' and 'primary'   
>when it comes to nameservers.  Please check to see that this is not the   
>case.
>
>
>Rick
>

Well let me explain my solution:

I assumed that the root name server was needed for linking different internal
domains.

I have an internal root nameserver and internal nameservers.
These servers have a db.cache pointing to the internal root nameserver. And
clients send queries to these servers.

These nameservers need to ask the root for other internal domains but they
also need to resolve Internet names. I don't want my internal root server
to forward these queries to the outside, 'cause it can't since it's a root
server (I mean that it ignores a forwarders & slave configuration).
So my nameservers need to ask someone else for Internet names: my firewall.

To let them decide between asking the internal root or the firewall, I need
to add something, since a 'forwarders' line overrides everything (a father
name server, a child, ...). That's why I use the patch.

I was really confused by your explanation and I am still quite confused... :o)
I don't see why your solution solves the problem... Don't get angry,
please :o)

Thank you very much

Jean-Francois
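
Added example, not part of the original message and not the patch it mentions: a small Python model of the per-query choice described above, comparing a plain forwarders line (every query goes to the firewall) with selective routing (internal names follow db.cache to the internal root, everything else goes to the firewall). The server addresses and internal domain names are constructed placeholders.

```python
# Added illustration; names, domains and addresses are constructed, not from the post.
INTERNAL_ROOT = "10.0.0.1"      # hypothetical internal root nameserver
FIREWALL_DNS = "10.0.0.254"     # hypothetical DNS proxy on the firewall
INTERNAL_DOMAINS = ("corp.example", "lab.example", "10.in-addr.arpa")


def normalize(name):
    """Lower-case a query name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_internal(name, domains=INTERNAL_DOMAINS):
    """True if name equals an internal domain or sits below it (label-boundary match)."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in domains)


def next_hop(name, mode="selective"):
    """Pick the upstream server for a query.

    mode="forwarders": a plain forwarders line, which the post says overrides
                       everything, so every query goes to the firewall.
    mode="selective":  internal names follow db.cache to the internal root,
                       all other names go to the firewall.
    """
    if mode == "forwarders":
        return FIREWALL_DNS
    if mode != "selective":
        raise ValueError("unknown mode: %r" % mode)
    return INTERNAL_ROOT if is_internal(name) else FIREWALL_DNS


def leaked(names, mode):
    """Internal names that would be sent to the firewall under the given mode."""
    return [n for n in names if is_internal(n) and next_hop(n, mode) == FIREWALL_DNS]


if __name__ == "__main__":
    # Constructed sample queries.
    sample = ["host1.corp.example.", "WWW.Lab.Example", "www.greatcircle.com",
              "notcorp.example", "5.1.0.10.in-addr.arpa"]
    for m in ("forwarders", "selective"):
        print(m, [(n, next_hop(n, m)) for n in sample], "leaked:", leaked(sample, m))
```

The label-boundary match matters: `notcorp.example` is not treated as internal even though it ends in the characters `corp.example`.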

