Help with Setting up a DNS Behind a Firewall...

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 26 22:30:57 UTC 2000


Scott Townsend wrote:

> I've set up a firewall and now I need to set up the internal DNS for use
> behind it.
>
> I'm pretty sure it needs to be a primary. I guess I would not want to
> transfer from the outside DNS to the inside & vice versa.  I'm concerned
> about the domains that exist on the outside and the Inside of the Firewall.
> Specifically with mail.  I'm still going to need a copy of each of the
> domains that our Mail server services on the inside as well as on the
> outside right?  Even if there are no physical machines? Or should I just let
> it query the outside server and then have it come back to the Mailserver.
>
> On the internal machines do I only want the one internal DNS Server Listed?

What kind of firewall? Is it the "routing" kind, e.g. Firewall-1, or the
"proxying" kind, e.g. Gauntlet?

Do your internal clients need the ability to resolve Internet names (often not
necessary when behind a "proxying" firewall)?

Do you want to hide your internal DNS data?

What kind of mail routing architecture do you have, is it DNS-based, and, if
so, what view (vis-a-vis internal versus external) of DNS does your mail server
have?

I hesitate to attempt an answer, given so many uncertainties. About the only
thing I can say for sure is that if you want to maintain two different copies
of any given zone, you need two nameserver instances to be master for it
(although it is always possible to have one of them be an "automatic" master
that is just fed by the other using some sort of data filtering-and-propagation
mechanism).


- Kevin
