nslookup can't but browser can !
Kevin Darcy
kcd at daimlerchrysler.com
Wed Aug 23 01:21:01 UTC 2000
Joseph S D Yao wrote:
> On Tue, Aug 22, 2000 at 08:02:10PM -0400, Kevin Darcy wrote:
> > Joe, you seem to be assuming that the internal clients need to resolve
> > Internet names. If they're behind a proxy firewall, generally they
> > *don't* need this capability, since they can't connect to those addresses
> > anyway. I wouldn't want the original poster to go changing their
> > DNS infrastructure for no good reason...
> >
> > - Kevin
>
> No, I am not assuming this. The original poster started off wanting to
> resolve IP addresses. Agreed, if they are behind a real firewall
> [proxy server instead of filtering router], then they will make small
> use of this.
Not only will they make small use of it, such a change might actually
*break* things, e.g. if they use MX records internally to route mail -- suddenly
internal mail servers are trying to connect directly to Internet addresses.
That's why it's not a step to be taken lightly.
> However, it is very useful for the firewall to be able to resolve
> internal names [for logs, e.g., or rule sets]. And the firewall must
> be able to resolve external names. Therefore it is good for the
> firewall to resolve from inside, and inside to forward to the firewall,
> so that it can resolve external names for the firewall.
Agreed. But firewalls are a special case. The issue of whether "normal" clients
behind a proxy firewall should have visibility of the Internet namespace is in my
mind a separate issue.
- Kevin
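
The MX breakage described in the message above, as an added example that is not part of the original post: a small Python model of how an internal mail server picks its next hop under an internal-only namespace and again once Internet names become visible. The wildcard MX, the host names, the addresses and the function names are constructed assumptions about one way a site might "use MX records internally to route mail".

```python
import ipaddress

# RFC 1918 ranges: the only addresses reachable from behind the proxy firewall.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed view 1: internal-only namespace. Assumption: a wildcard MX
# steers all outbound mail to an internal relay (hypothetical host name).
INTERNAL_ONLY = {
    "mx": {"*": [(10, "relay.corp.example")]},
    "a": {"relay.corp.example": "10.1.1.25"},
}
# Constructed view 2: the same server after it can resolve Internet names.
# The destination's real MX set is now visible instead of the wildcard.
INTERNET_VISIBLE = {
    "mx": {"example.org": [(20, "mx2.example.org"), (10, "mx1.example.org")]},
    "a": {"mx1.example.org": "203.0.113.10",
          "mx2.example.org": "203.0.113.11"},
}

def lookup_mx(view, domain):
    """Return the MX set for domain, falling back to a wildcard if present."""
    return view["mx"].get(domain) or view["mx"].get("*", [])

def next_hop(view, domain):
    """Pick the lowest-preference MX, as an MTA would; return (host, address)."""
    records = sorted(lookup_mx(view, domain))
    if not records:
        return None
    host = records[0][1]
    return host, view["a"].get(host)

def delivery_outcome(view, domain):
    """Classify where an internal mail server would try to connect."""
    hop = next_hop(view, domain)
    if hop is None or hop[1] is None:
        return "unresolvable"
    addr = ipaddress.ip_address(hop[1])
    if any(addr in net for net in INTERNAL_NETS):
        return "internal-relay"
    # A direct SMTP connection to a public address never leaves the inside.
    return "direct-to-internet (blocked)"

if __name__ == "__main__":
    for name, view in (("internal-only", INTERNAL_ONLY),
                       ("internet-visible", INTERNET_VISIBLE)):
        print(name, "->", delivery_outcome(view, "example.org"))
```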