Firewall and DNS Forwarders

Måns Nilsson mansaxel at bartlet.df.lth.se
Wed Oct 6 18:06:31 UTC 1999


In article <199909291929.NAA12284 at llama.swcp.com>, Bill Larson wrote:
>I have a situation where we ***REALLY*** need to block most all DNS
>traffic from going through our firewall.  At the same time, we still
>need to support DNS queries from inside the firewall to outside
>servers.  The firewall would be programmed to only allow traffic to, or
>from, a specific set of name servers that management controls.  For
>users that run their own name servers, they will have to be
>re-configured as forwarding name servers using the name servers that we
>are managing as possible forwarding destinations.
>
>I can imagine three possible solutions to our situation by configuring
>sets of name servers on one side or the other of the firewall (or
>both), and limiting port 53 traffic to be either originating from, or
>destined to, these servers.  In all situations, NO DNS queries would be
>allowed that initiate from outside of the firewall destined for an IP
>address inside the firewall.  Possible setups include:
>
>    1.  Have a set of name servers on the inside and have the firewall
>        limit outgoing DNS traffic originating from only these
>        servers.
>
>    2.  Have a set of name servers on the outside and have the firewall
>        limit outgoing DNS traffic to only these servers.
>
>    3.  Have a set of forwarding name servers on the inside which
>        forward to a set of name servers on the outside and have the
>        firewall limit DNS traffic to only traffic between these two
>        sets of servers.

I'd do it like TIS Gauntlet does: 

	(This setup assumes that you do not run internal root.
	 Some organisations do.)

On the firewall, install BIND. 

Configure the ruleset on the firewall to let queries in. 

Configure BIND to accept queries from selected (or all) interfaces. 

Optionally, limit queries even more by specifying which hosts 
may ask. 

Point the internal resolve servers to the firewall inside with 
forwarding directives. 

Since the BIND daemon on the firewall sits between in- and outside,
you practically get a DNS query proxy, though not a transparent one. 
No UDP or TCP traffic needs to traverse the firewall, which makes 
this setup extra nice for NAT or otherwise un-routed situations 
(with RFC 1918 networks on the inside). 

-- 
Måns Nilsson 					MN1334-RIPE	
www.df.lth.se/~mansaxel for details		GSM 070 8344045

Can you MAIL a BEAN CAKE?
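The following named.conf fragments are an added illustration of the setup described in the post above; they are not part of Måns Nilsson's message or of any TIS Gauntlet documentation. All addresses are constructed for the example: 192.168.0.0/16 is the internal RFC 1918 space, 192.168.1.1 is the firewall's inside interface and 203.0.113.10 its outside interface. The option names (listen-on, allow-query, allow-recursion, query-source, forwarders, forward only) are standard BIND 8/9 directives; the firewall rules are described in comments only, since the post does not name a packet-filter product.

```conf
// ---------------------------------------------------------------
// named.conf on the FIREWALL host (constructed example)
// ---------------------------------------------------------------
// Packet-filter policy this config relies on (constructed, expressed
// in prose because the post names no specific filter):
//   permit  192.168.0.0/16 -> 192.168.1.1   port 53 (udp+tcp) + replies
//   permit  203.0.113.10   -> any           port 53 (udp+tcp) + replies
//   deny    any            -> any           port 53   (everything else)
// Nothing on the inside ever talks to an outside resolver directly,
// and nothing outside can reach an inside address on port 53.

acl "inside" { 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";

    // Answer only on the inside interface and loopback. The outside
    // address is not listed, so the daemon never accepts a query
    // arriving from the Internet side.
    listen-on { 192.168.1.1; 127.0.0.1; };

    // Only internal hosts may ask at all, and only they may have the
    // daemon recurse on their behalf. Narrow the ACL further (to the
    // managed internal servers alone) if users must not bypass them.
    allow-query     { "inside"; };
    allow-recursion { "inside"; };

    // Outbound queries to the Internet leave from the outside address,
    // which is the only source the packet filter lets out on port 53.
    query-source address 203.0.113.10 port *;
};

// Root hints so the firewall resolver can recurse itself.
zone "." {
    type hint;
    file "root.cache";
};

// ---------------------------------------------------------------
// named.conf on an INTERNAL resolver (constructed example)
// ---------------------------------------------------------------
// Every internal name server, including user-run ones, is turned into
// a forwarder that sends everything it cannot answer to the firewall.

options {
    directory "/var/named";

    // The firewall's inside interface is the only forwarding target.
    forwarders { 192.168.1.1; };

    // "forward only": never fall back to querying root servers or
    // external authoritative servers directly, which the packet filter
    // would drop anyway. Without this line a forwarder that gets no
    // answer would try to go out on its own.
    forward only;

    // Serve the internal client population, nobody else.
    allow-query { 192.168.0.0/16; 127.0.0.1; };
};
```

With this in place the only port 53 flows that exist are inside-net to firewall-inside and firewall-outside to the Internet, which is exactly what the filter rules in the comments permit; a quick check from an internal host is to query an external name against the internal resolver and confirm it resolves, then query the same name directly against an outside server and confirm that the packet filter drops it.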

