You should be able to make a static entry in your firewall that will assign
a permanent public IP address to the private IP address that is used by
your WWW server. You would then list this public address in your DNS.
At 03:06 PM 2/26/97 +0100, Joerg Kummer 41 61 68 88132 wrote:
>Let me re-phrase the question:
>We plan to attach a network to the Internet via a RFC1631 NAT/fw.
>There is a resource (e.g. WWW server) which is used by internal and Internet
>users. The resource is attached to the internal network. The DNS name of the
>resource should be the same for internal and Internet users.
>Q: How could DNS be set up ?
> Is it a good approach to establish separate DNS 'namespaces'/servers -
> one for internal and one for Internet users - which resolve the same name
> to different IP addresses.
> If so, is the method described in the FAQ a good way ?
> (The FAQ describes DNS hiding of internal hosts which seems to be a very
> similar problem)
>Unfortunately RFC1631 does not cover DNS issues...
>Any NAT model which relies on DNS is a horribly flawed approach.
>It is critical, especially for security related reasons, that
>address translation happen at the network layer. See RFC1631.
>While RFC1631 doesn't specifically discuss security issues, it
>discusses a framework for address translation.
>At 08:32 AM 2/26/97 +0100, Joerg Kummer 41 61 68 88132 wrote:
>>Can anybody point me to information/papers regarding NAT and DNS, split DNS
>>Problem: How is DNS set up to deal with a NAT fw which allows inbound
>>and outbound connections i.e. with internal hosts which have a local
>>AND (through the NAT) a global address.
>>Would it be the same as described in this list's FAQ ('How do I make DNS
>>with a firewall?') with different A records for the specific hosts on the
>>internal/external servers ?
>> Why does the FAQ method filter DNS requests - to prevent internal DNS
>> servers or DNS clients to learn about the public representation of the
>> (e.g. via named.cache hints or wrong resolv.conf entries) ?
>> Why does resolv.conf of the external DNS server have to point to the
>> internal server ?
>Paul Ferguson || ||
>Consulting Engineering || ||
>Herndon, Virginia USA |||| ||||
>tel: +1.703.397.5938 ..:||||||:..:||||||:..
>e-mail: pferguso @
com c i s c o S y s t e m s
Irwin Lazar IP Networking References -
Network Evolutions, Inc. http://www.netevolve.com/lazar