On Sat Mar 7, 1998, Matthew Patton <patton @ sysnet . net> wrote:
>
> somebody else wrote:
> >> Hello fellow firewallers,
> >> ...
> >> after having built some firewalled networks with FWTK and split-DNS with
> >> BIND-4.9.5 ...
>
> IMO, you'd be smarter to run 2 instances of bind 8.1.1 on the bastion and
> chroot each of them to their own little space ...
>
I wonder why not set up a primary DNS inside the firewall, and a limited
secondary on the DMZ. Use the primary to download a modified (controlled)
file to the outside, where the outside DNS only receives input from the inside
machine, and the firewall only passes originating messages from the inside
to the outside machine. This file only shows the limited values you can live
with on the DMZ (publicly available), and loads them into instance one.
A second set of values is loaded into instance two on the DMZ machine. This
becomes the secondary DNS for your inside folks going out. It can point to
your ISP DNS machine for remote addresses. Inside addresses are resolved on
the internal primary machine, and never get to the DMZ at all.
Make sense? Fair amount of work, though.
Have fun,
Bob De Witt,
rdew @ el . nec . com
The views expressed herein are my own,
and are not attributable to any other
source, be it employer, friend or foe.