Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: NAT and DNS ?
From: Irwin Lazar <lazar @ netevolve . com>
Date: Wed, 26 Feb 1997 10:49:37 -0500
To: Joerg Kummer 41 61 68 88132 <JOERG . KUMMER @ Roche . COM>
Cc: firewalls <firewalls @ GreatCircle . COM>
In-reply-to: <E2128ISN39BE2*/R=RBACRXA1/R=ROCBI/U=KUMMERJ/@MHS>

Joerg,
You should be able to make a static entry in your firewall that will assign
a permanent public IP address to the private IP address that is used by
your WWW server.  You would then list this public address in your DNS.

Irwin.


At 03:06 PM 2/26/97 +0100, Joerg Kummer 41 61 68 88132 wrote:
>Let me re-phrase the question:
>
>We plan to attach a network to the Internet via a RFC1631 NAT/fw.
>There is a resource (e.g. WWW server) which is used by internal and Internet
>users. The resource is attached to the internal network. The DNS name of the
>resource should be the same for internal and Internet users.
>
>Q: How could DNS be set up ? 
>   Is it a good approach to establish separate DNS 'namespaces'/servers -
>   one for internal and one for Internet users - which resolve the same name
>   to different IP addresses.
>
>   If so, is the method described in the FAQ a good way ?
>   (The FAQ describes DNS hiding of internal hosts which seems to be a very
>   similar problem)
>
>Unfortunately RFC1631 does not cover DNS issues...
>
>regards
>          joerg
>________________________________________________________________
>Any NAT model which relies on DNS is a horribly flawed approach.
>It is critical, especially for security related reasons, that
>address translation happen at the network layer. See RFC1631.
>While RFC1631 doesn't specifically discuss security issues, it
>discusses a framework for address translation.
>
>- paul
>
>At 08:32 AM 2/26/97 +0100, Joerg Kummer 41 61 68 88132 wrote:
>
>>Can anybody point me to information/papers regarding NAT and DNS, split DNS
>>problems etc.
>>
>>Problem: How is DNS set up to deal with a NAT fw which allows inbound
>>and outbound connections i.e. with internal hosts which have a local
>>AND (through the NAT) a global address. 
>>
>>Would it be the same as described in this list's FAQ ('How do I make DNS
>>work with a firewall?') with different A records for the specific hosts on the
>>internal/external servers ?
>>
>>If yes:
>>   Why does the FAQ method filter DNS requests - to prevent internal DNS
>>   servers or DNS clients to learn about the public representation of the
>>   zone (e.g. via named.cache hints or wrong resolv.conf entries) ?
>>
>>   Why does resolv.conf of the external DNS server have to point to the
>>   internal server ?
>>
>>thanks
>>            joerg
>>
>>
>
>
>--
>Paul Ferguson                                           ||        ||
>Consulting Engineering                                  ||        ||
>Herndon, Virginia   USA                                ||||      ||||
>tel: +1.703.397.5938                               ..:||||||:..:||||||:..
>e-mail: pferguso @ cisco . com                     c i s c o S y s t e m s
>
>
>
<><><><><><><><><><><><><><><><><><><><><><><><><><><>
Irwin Lazar                                       	IP Networking References - 
Network Evolutions, Inc.		http://www.netevolve.com/lazar
http://www.netevolve.com
lazar @ netevolve . com
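
An added example, not part of the original messages: a Python check of the setup discussed in this thread, where one name resolves to a private address for internal clients and to a statically NATed public address for Internet clients. All host names, addresses and the NAT table are constructed assumptions (192.0.2.0/24 stands in for the public block).

```python
import ipaddress

# Constructed sample data, not taken from the thread.
INTERNAL_ZONE = {"www.example.com": "10.1.1.10",
                 "mail.example.com": "10.1.1.25",
                 "shop.example.com": "10.1.1.40"}
EXTERNAL_ZONE = {"www.example.com": "192.0.2.10",
                 "ftp.example.com": "10.1.1.30",
                 "mail.example.com": "192.0.2.25",
                 "shop.example.com": "192.0.2.40"}
# Static one-to-one NAT entries on the firewall: public -> private.
STATIC_NAT = {"192.0.2.10": "10.1.1.10", "192.0.2.40": "10.1.1.41"}

# Explicit RFC 1918 list; ip.is_private would also match 192.0.2.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def resolve(name, client_is_internal):
    """Split DNS: same name, the answer depends on which side asks."""
    zone = INTERNAL_ZONE if client_is_internal else EXTERNAL_ZONE
    return zone.get(name)


def audit(internal, external, nat):
    """Return sorted (name, problem) findings for the external view."""
    findings = []
    for name, pub in external.items():
        if is_rfc1918(pub):
            findings.append((name, "external record exposes a private address"))
        elif name in internal and pub not in nat:
            findings.append((name, "no static NAT entry for published address"))
        elif name in internal and nat[pub] != internal[name]:
            findings.append((name, "NAT target differs from internal record"))
    return sorted(findings)


if __name__ == "__main__":
    for name, problem in audit(INTERNAL_ZONE, EXTERNAL_ZONE, STATIC_NAT):
        print(f"{name}: {problem}")
```

Names that appear only in the external zone are assumed to live outside the NAT and are checked only for private-address leakage.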

