dmz

Kevin Darcy kcd at daimlerchrysler.com
Wed Dec 6 00:08:39 UTC 2000


Well, I'm assuming that your firewall is some kind of NAT'ing one, since
this would be a very odd setup for a proxy firewall. Given that, couldn't
you do all of this with NAT rules, and not have to touch DNS at all? I.e.
the internal clients would use the external address of the webserver,
which the firewall would NAT to the DMZ address.

Failing that, you need some form of "split DNS" where you maintain two
different versions of your domain, one for internal consumption, and one
for external consumption. This *may* require you to run multiple
instances of "named", but if the DNS server in the DMZ can
*differentiate* requests from internal clients, then you could use
BIND 9's "view" mechanism to serve up different versions of the zone
based on which clients it was answering.

Even if you're using BIND 8, if the DMZ DNS server has multiple
interfaces -- maybe you could configure a "virtual" interface for this
purpose -- you could run multiple nameserver instances on the same box.
This is a little tricky -- it requires careful configuration of the
"listen-on", "pid-file", and other named.conf parameters, as well as the
startup scripts -- but it can be done (in fact we do it here).

Failing that, your "internal" nameserver instance could be a completely
separate nameserver behind the firewall, or one which runs *on* the
firewall itself, but for security reasons only answers queries from
internal clients.


- Kevin

muahahaa at my-deja.com wrote:

> I have a domain that looks like this:
>
> Internet
>     |
>     |
> firewall ------ dmz 192.168.x.x
>     |                    |
>     |           dns 192.168.1.2
> 192.168.x.x              |
>     |                    |
> clients         web/mail 192.168.1.3
>
> How do I configure the master so that it resolves the correct IP address
> for the webserver from the clients on the inside?
> From outside it works just perfectly....
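As an added illustration of the BIND 9 "view" approach described above (this is example configuration written for this page, not Kevin's or the original poster's), here is a named.conf for the DMZ server at 192.168.1.2 with two views of one zone, plus the two zone files behind them. The zone name example.com, the internal client network 192.168.2.0/24, and the public addresses 203.0.113.2 (nameserver) and 203.0.113.3 (web/mail) are assumptions; the post gives none of them.

```conf
// /etc/named.conf on the DMZ nameserver (192.168.1.2) -- added example.
// Assumed: zone example.com, internal clients on 192.168.2.0/24,
// public addresses in 203.0.113.0/24 (documentation range).

acl "internal" {
    127.0.0.1;
    192.168.2.0/24;          // source addresses of internal clients as this server sees them
};

options {
    directory "/var/named";
    listen-on { 192.168.1.2; };
};

// Views are matched in order; the first view whose match-clients matches the
// querier answers, so the internal view must precede the catch-all external one.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                       // internal clients may recurse through us
    zone "example.com" {
        type master;
        file "internal/db.example.com";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                        // never an open resolver toward the Internet
    zone "example.com" {
        type master;
        file "external/db.example.com";
    };
};

; /var/named/internal/db.example.com -- the answers internal clients get
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2000120601 3600 900 604800 3600 )
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    192.168.1.2
www     IN A    192.168.1.3              ; DMZ address of the web/mail host
mail    IN A    192.168.1.3

; /var/named/external/db.example.com -- the answers everyone else gets
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2000120601 3600 900 604800 3600 )
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    203.0.113.2              ; public address the firewall maps to 192.168.1.2
www     IN A    203.0.113.3              ; public address the firewall maps to 192.168.1.3
mail    IN A    203.0.113.3
```

Two things to check before relying on this. First, once a view statement exists, BIND 9 requires every zone statement (localhost, reverse zones, root hints) to sit inside some view. Second, the match-clients test only works if the server really sees internal queries arriving from 192.168.2.x; if the firewall NATs the inside clients toward the DMZ, the queries appear to come from the firewall's DMZ-side address, and that address is what the acl must list instead. Verify from both sides with `dig @192.168.1.2 www.example.com A` (expect 192.168.1.3 from inside) and the same query from an external host against the public address (expect 203.0.113.3); the serials in the two files are independent and each must be bumped when its own file changes.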

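For the BIND 8 alternative Kevin describes, two named instances on the one DMZ host, each bound to its own address, the following is an added example (not configuration from the post). It assumes the real interface is 192.168.1.2, an alias interface 192.168.1.4 is brought up for the internal-facing instance, internal clients live on 192.168.2.0/24, and the zone is example.com; each instance keeps its own copy of the zone file in its own directory, the internal copy pointing www and mail at 192.168.1.3 and the external copy at the public address.

```conf
// /etc/named-external.conf -- instance 1, answers the Internet (added example)
options {
    directory "/var/named/external";
    listen-on { 192.168.1.2; };               // bind only the real interface
    pid-file  "/var/run/named-external.pid";  // distinct pid file per instance
    recursion no;
};
zone "example.com" { type master; file "db.example.com"; };

// /etc/named-internal.conf -- instance 2, answers internal clients only
options {
    directory "/var/named/internal";
    listen-on { 192.168.1.4; };               // bind only the alias interface
    pid-file  "/var/run/named-internal.pid";
    allow-query { 127.0.0.1; 192.168.2.0/24; };   // refuse anyone else that reaches this address
};
zone "example.com" { type master; file "db.example.com"; };

// Startup (e.g. from rc.local): bring up the alias first, then one named per
// config file. Without separate pid-file settings the second start or a
// restart script would stop or reload the wrong process.
//   ifconfig eth0:0 192.168.1.4 netmask 255.255.255.0 up
//   named -c /etc/named-external.conf
//   named -c /etc/named-internal.conf
```

Internal clients are then pointed at 192.168.1.4 as their resolver, and the firewall must permit only inside networks to reach that address on port 53; the allow-query list is a second line of defence, not a substitute for that rule. The same caveat as with views applies: if the firewall NATs the inside clients, the address in allow-query has to be the one the queries actually arrive from.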
