On Wed, 17 Sep 1997 dcostello@cmol.com wrote:
> I know this isn't a firewall question but it is related to security so I thought
> this might be a good place to ask it. In building my security solution, one of
> the pieces I want to put in place is a private or non-public DNS. The purpose
> of it would be to resolve inside the firewall only and not be accessible
> outside. I still would have my public DNS that would resolve public resources
> for my organization. I guess my question is how do I set it up so that my
> internal stations can resolve externally as well as internally but that internal
> resources don't resolve anywhere but behind the firewall. I know what I want to
> do but I'm not sure if I explained it correctly. I've seen firewall solutions
> that claim they can do this but I'm not sure if I want to combine all these
> functions into one product, one box or one vendor. The other kicker is we are
> running NetWare and, oh god I hate to say it, NT. Before everyone jumps on me,
Run the external DNS, and allow anyone to connect to it. Allow the
internal DNS to use the external as a forwarder, and make it authoritative
for its internal zones, but don't let the external DNS know about the
internal zones. Don't allow anything but the external DNS to talk UDP to
the internal DNS. Make sure you've got anti-spoofing rules in your
screening routers, etc.
> I know it sucks, it's a security joke and all the rest, some choices we don't
> make but have to live with (you can pick your friends but not your family). I'm
> not against putting in a UNIX based solution if I need to. Any help would be
> appreciated.
I'd suggest running the NT port of BIND if you're stuck with NT, the
absolute latest version you can obtain. NT port is available in the usual
BIND place, different subdirectory AIR.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280
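The split arrangement Paul describes, written out as two BIND 9 named.conf fragments. This is an added example, not part of the original thread; the addresses (10.0.0.0/8 inside, 192.0.2.0/24 outside), zone names and file paths are made up.

```conf
// ---- named.conf on the INTERNAL server (10.0.0.53), hypothetical values ----
acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    // Only inside stations may query or recurse through this server.
    allow-query     { internal; };
    allow-recursion { internal; };
    // Anything this server is not authoritative for is handed to the
    // external DNS; "forward only" means it never walks the Internet itself,
    // so the only DNS traffic leaving it is to the one forwarder.
    forwarders { 192.0.2.53; };
    forward only;
};

// Authoritative for the private zone. This zone exists ONLY here;
// it is deliberately absent from the external server below.
zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { none; };
};

zone "0.0.10.in-addr.arpa" {
    type master;
    file "10.0.0.rev";
    allow-transfer { none; };
};

// ---- named.conf on the EXTERNAL server (192.0.2.53), hypothetical values ----
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    // Anyone may ask for the public zone...
    allow-query { any; };
    // ...but only the internal server may use this box as a recursive
    // forwarder, so it does not become an open resolver for the Internet.
    allow-recursion   { 10.0.0.53; };
    allow-query-cache { 10.0.0.53; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.54; };  // public secondary only
};
```

The packet filter then only needs to pass UDP/TCP 53 between 10.0.0.53 and 192.0.2.53 and from anywhere to 192.0.2.53, which is the rule set Paul sketches.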