netscape win behind firewall/dns problem

Tony Langdon tlang at freeway.apana.org.au
Thu Sep 30 11:20:33 UTC 1999


It's 30 Sep 99  14:35:42,
We'll return to jsdy at cospo.osis.gov and All's
discussion of netscape win behind firewall/dns problem

 > - I need my external DNS for my internet server.
 > - I need my internal DNS for my intranet server and my LAN admin.
 > - I don't want my internal DNS to resolve external addresses.
 > - I don't want my clients to use external DNS.
 > - I don't need my clients to resolve external addresses.

I'm also curious as to the reasons for this.  We use a split DNS system,
with an external DNS advertising only those hosts which are accessible
to the Internet and an internal DNS which has all of the internal zone
information.  External addresses can be resolved from the internal
network, which is by design, but not vice versa.

 js> I don't know.  I do know that, with that attitude, the boss is likely
 js> to tell you to get rid of the Linux firewall, and get one that works
 js> with "his" systems ... probably running on MSW-NT or something
 js> glorious like that.

:-)

 js> Is Netscape using external DNS?  I haven't studied SOCKS, so I don't
 js> know.  If all it needs is the address of the SOCKS server, surely it's
 js> already getting it from internal DNS.  If it needs external DNS, you
 js> may want to re-consider your reasons for not wanting to allow internal
 js> hosts to "see" external DNS resolutions.  Personally, I can't imagine
 js> why you don't want them to.  It's not a two-way street, if you don't
 js> want it to be.

I'm sure I've had Netscape talking to NEC Socks (sure it supports both
V4 and V5). Must try again (it currently uses our Windows based
proxy/cache, though that will be phased out in favour of Squid
eventually).

 js> We use http-gw from the NAI/TIS FWTK (firewall toolkit) as a proxy,
 js> and not SOCKS.  It is a true proxy, and not an IP packet filter.  It
 js> takes the names of the external hosts, and tries to resolve them from
 js> that point.  Even if we weren't allowing external DNS to resolve [which
 js> we do], it should work.

As should many true proxies.

... Add your favorite Tagline here
--
|Fidonet:  Tony Langdon 3:633/284.18
|Internet: tlang at freeway.apana.org.au
|
| Standard disclaimer: The views of this user are strictly his own.
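
The question raised in the thread, whether a SOCKS client behind the firewall needs to resolve external names itself, depends on the request format: SOCKS4 carries only an IPv4 address, while SOCKS4a and SOCKS5 can carry the hostname for the server to resolve. The following is an added example, not part of the original message; the function names and sample host/address are constructed for illustration and say nothing about what Netscape itself sends.

```python
import ipaddress
import struct


def socks4_connect(ip: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: carries only an IPv4 address, so the client must
    already have resolved the destination name (client-side DNS)."""
    addr = ipaddress.IPv4Address(ip).packed
    return struct.pack("!BBH", 4, 1, port) + addr + user + b"\x00"


def socks4a_connect(host: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: DSTIP 0.0.0.1 means "hostname follows";
    the SOCKS server does the lookup."""
    return (struct.pack("!BBH", 4, 1, port) + bytes([0, 0, 0, 1])
            + user + b"\x00" + host.encode("ascii") + b"\x00")


def socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=0x03 (domain name); the server resolves."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return bytes([5, 1, 0, 3, len(name)]) + name + struct.pack("!H", port)


def client_needs_dns(request: bytes) -> bool:
    """True if the request carries a literal address, i.e. the client
    had to resolve the external name before talking to the proxy."""
    if request[0] == 4:
        ip = request[4:8]
        # 0.0.0.x with x != 0 is the SOCKS4a "name follows" marker
        return not (ip[:3] == b"\x00\x00\x00" and ip[3] != 0)
    if request[0] == 5:
        return request[3] != 3  # ATYP 1 (IPv4) and 4 (IPv6) are literals
    raise ValueError("not a SOCKS4/5 request")


if __name__ == "__main__":
    # Constructed sample destination (documentation address and name)
    for label, req in [
        ("SOCKS4 ", socks4_connect("192.0.2.10", 80)),
        ("SOCKS4a", socks4a_connect("www.example.com", 80)),
        ("SOCKS5 ", socks5_connect("www.example.com", 80)),
    ]:
        print(label, req.hex(), "client DNS needed:", client_needs_dns(req))
```
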



