Connectivity

Joseph S D Yao jsdy at cospo.osis.gov
Tue Sep 14 15:55:14 UTC 1999


> At the risk of sounding stupid, if a firewall disables pinging will this affect
> DNS?
> How does DNS reach out and touch, let's say, a forwarder?

If a firewall disables pinging, it's probably one of the better ones.
;-)  DNS can still work, via a proxy.  Think about it - lots of people
are using firewalls and DNS.  I am right now.

The particular ones with which I am familiar: ANS Interlock uses its
own 'dnsd', a caching-only DNS server.  Gauntlet and FWTK use BIND
itself as the proxy.

The trick is: your firewall has an outer interface, attached to the
Internet, and an inner interface, which the hosts on your protected LAN
can access.  All of your interior hosts should resolve via your
interior DNS server.  If your interior DNS server is not itself on the
firewall, then it should "forward" all queries that it cannot resolve
to the forwarder (named or otherwise) on the firewall's inner interface,
which it can reach, and have the "forward only" option set.  That way,
anything resolving to the interior DNS server can also resolve exterior
Internet addresses.

The firewall itself, since it has interior connectivity, should resolve
to the interior DNS server.

If the firewall is also the exterior DNS server, you should split the
DNS and make sure that the exterior 'named' has a separate config setup
and listens only to the outer interface, while the proxy and/or interior
DNS server only accepts queries from the inner interface.

Hope this helps.

> Starting to feel useless 8-)

;-(  Why????  ;-)

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
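The forward-only interior server, the proxy on the firewall's inner interface and the separate exterior 'named' that the reply describes, written out as BIND 9 named.conf fragments. This is an added example, not configuration from the original post or from any firewall product named in it; every address, file name and the zone name example.com are assumptions chosen for illustration (`forward only` and `forwarders` exist in BIND 8 as well, but the syntax below is BIND 9).

```conf
// Added example (not from the original post). Assumed layout:
//   10.0.0.0/24   protected LAN          10.0.0.53  interior DNS server
//   10.0.0.1      firewall inner interface (runs the forwarder/proxy named)
//   192.0.2.1     firewall outer interface (runs the exterior named)
//   example.com   the zone published to the Internet
// Each numbered part is a separate file; they are shown together for reading.

// ---- 1. Interior DNS server (10.0.0.53), file /etc/named.conf ----
// Answers LAN hosts, serves the internal copy of the zone itself, and hands
// every query it is not authoritative for to the forwarder on the firewall's
// inner interface. "forward only" means it never contacts Internet servers
// directly, so the firewall can block all DNS from the LAN except this path.
options {
    directory       "/var/named";
    listen-on       { 10.0.0.53; };
    allow-query     { 10.0.0.0/24; localhost; };
    allow-recursion { 10.0.0.0/24; localhost; };
    forward only;
    forwarders      { 10.0.0.1; };
};
zone "example.com" {
    type master;
    file "internal/example.com.zone";   // LAN view of the zone, never leaves the site
};

// ---- 2. Forwarder/proxy on the firewall's inner interface, file /etc/named-int.conf ----
// Caching-only: no zones of its own. Listens only on the inner interface and
// accepts queries only from the interior server; its own lookups go out to the
// Internet via the outer interface. Start it with: named -c /etc/named-int.conf
options {
    directory       "/var/named/int";
    listen-on       { 10.0.0.1; };
    allow-query     { 10.0.0.53; };
    allow-recursion { 10.0.0.53; };
};
zone "." { type hint; file "root.hints"; };

// ---- 3. Exterior DNS server on the outer interface, file /etc/named-ext.conf ----
// A second named process with its own config: listens only on the outer
// interface, answers only for the public zone, and refuses recursion so it
// cannot be used as a resolver from the Internet.
// Start it with: named -c /etc/named-ext.conf
options {
    directory   "/var/named/ext";
    listen-on   { 192.0.2.1; };
    allow-query { any; };
    recursion no;
};
zone "example.com" {
    type master;
    file "external/example.com.zone";   // public view: only hosts meant to be visible
};

// ---- 4. The firewall host itself, /etc/resolv.conf ----
// As the post says, the firewall resolves through the interior server:
//   nameserver 10.0.0.53
```

The two checks worth verifying after deploying this are the ones the post's "listens only to the outer interface" and "only accepts queries from the inner interface" imply: each named must bind only its own interface address (`listen-on`), and the interior and proxy instances must additionally limit `allow-query`/`allow-recursion` to inside addresses, because an interface restriction alone says nothing about who may use the server as a recursive resolver. The exterior instance carries `recursion no` for the same reason.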

