Firewall / Internal Lookup Configuration Question

Hekimian, David David_Hekimian at GENEVACO.COM
Mon Feb 14 19:51:31 UTC 2000


*Resent due to errors - Sorry*

I believe I have done sufficient research to come to my configuration. I
have looked at some recent discussions and read the DNS and BIND book, but I
still don't feel comfortable with the solution I'm trying to implement. I
think there is a simpler or standard approach that I am overlooking.

Please excuse my ignorance in the subject, I'm new to DNS.

Configuration:

Inside Firewall - DNS A & DNS B
Outside Firewall - DNS C

On DNS A I run Windows NT 4.0 with NT DNS, DHCP and WINS for DNS -> WINS
recursive queries for internal hosts. This server runs as a secondary for
domain XYZ.COM, allowing queries that are not in the database (i.e.
internal machines) to be resolved via WINS, but forwards all other queries to
DNS B (Microsoft's DNS implementation has problems looking up some Internet
addresses...)

On DNS B I'm running RedHat 6.1 upgraded with Bind 8.2.2-P3 from RedHat's
updates. This is my Master nameserver for all my domains including XYZ.Com.
This server has only external addresses listed.

DNS C is my ISP's DNS. This server runs as Published Primary for my domains.

XYZ.com is my company's main domain name. It is used for our external
website www.xyz.com and for our internal servers, e.g. exchange.xyz.com.

Problem:

The Firewall (Cisco PIX v5.0(3)) does not allow internal clients
(172.16.0.0) to connect to local external addresses which the Firewall
translates. (My webserver sits inside the firewall DMZ. The firewall has a
static address mapping the external address to the internal DMZ address.)
When a user queries DNS A it returns the external address for the webserver
and the client times out, as the firewall blocks the address.

Questions:

1. Should I change DNS A to be a master for XYZ.com and put only local
addresses and forward all queries to DNS B?

2. Can I set up DNS B to use a different database / view for internal
queries?

3. Am I missing some piece of logic which makes this much simpler?

- David Hekimian
mailto: David_Hekimian at NoSpam.Genevaco.com
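An added example, not part of the original post, that models the split-horizon idea behind question 2 in Python: the same zone is answered from an internal or an external record set depending on the client's source address, and a check flags every record whose answer is a public address that the firewall statically translates, which is exactly the symptom described above (an internal client handed the public address of a DMZ host, which the PIX will not hairpin). BIND 9 expresses this natively as `view` clauses with `match-clients`; BIND 8.2.2 as run in the post has no views, so under BIND 8 the usual approach is the two-server split sketched in question 1. All names, addresses, networks and the NAT table below are constructed sample values, not the poster's real ones.

```python
"""Split-horizon DNS answer selection plus a hairpin-NAT consistency check.

Constructed sample data only: 172.16.0.0/12 is the inside network from the
post, 203.0.113.0/24 is a documentation range standing in for the public
addresses, and the NAT table is the firewall's static mapping.
"""
import ipaddress

# Source networks whose queries should get the internal view.
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]

# Firewall static NAT: public address -> DMZ address (constructed values).
STATIC_NAT = {
    "203.0.113.10": "172.16.1.10",   # www.xyz.com
    "203.0.113.11": "172.16.1.11",   # exchange.xyz.com
}

# External view: what the published primary (DNS C) hands to the Internet.
EXTERNAL_VIEW = {
    "www.xyz.com.": "203.0.113.10",
    "exchange.xyz.com.": "203.0.113.11",
    "ns1.xyz.com.": "203.0.113.2",
}

# Internal view: same names, but DMZ addresses for everything behind NAT.
INTERNAL_VIEW = {
    "www.xyz.com.": "172.16.1.10",
    "exchange.xyz.com.": "172.16.1.11",
    "ns1.xyz.com.": "203.0.113.2",
}


def is_internal(client_ip):
    """True when the querying client sits on one of the inside networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def select_view(client_ip):
    """Pick the record set a client is allowed to see, like a BIND 9 view."""
    return INTERNAL_VIEW if is_internal(client_ip) else EXTERNAL_VIEW


def resolve(name, client_ip):
    """Answer an A query from the view matching the client's source address.

    Returns the address string, or None when the name is not in the zone.
    """
    fqdn = name if name.endswith(".") else name + "."
    return select_view(client_ip).get(fqdn.lower())


def hairpin_problems(view):
    """Names whose answer is a public address the firewall statically
    translates: an internal client given such an answer cannot connect,
    which is the timeout described in the post."""
    return sorted(name for name, addr in view.items() if addr in STATIC_NAT)


def internal_view_from_nat(external_view):
    """Derive an internal view from the external one by swapping every
    statically translated public address for its DMZ address. Records that
    are not translated (e.g. a host really outside) are left unchanged."""
    return {name: STATIC_NAT.get(addr, addr) for name, addr in external_view.items()}


if __name__ == "__main__":
    # A desktop on the inside and a visitor on the Internet ask the same question.
    for client in ("172.16.5.20", "198.51.100.7"):
        print(client, "->", resolve("www.xyz.com", client))
    # Serving the external view to inside clients is the misconfiguration.
    print("unreachable from inside:", hairpin_problems(EXTERNAL_VIEW))
    print("internal view ok:", hairpin_problems(INTERNAL_VIEW) == [])
```

The `hairpin_problems` check is the one worth keeping around: run it over whatever zone data internal clients actually receive, and any hit is a host that resolves to a public address the firewall will not loop back. `internal_view_from_nat` shows that the internal view need not be maintained by hand; it is fully determined by the external zone plus the static NAT table, which keeps the two views from drifting apart.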