DNS with firewall configuration assistance required!
Jon Paterson
jpaterson at itchannel.net
Mon Jun 12 09:30:02 UTC 2000
Hi, I have recently been reading "Linux Firewalls" (New Riders) and am
a little confused by a statement made by the book. I would be very
grateful if someone could expand on the configuration / example given by
the book.
Basically, the recommendation from the book is as follows:
The bastion firewall hosts external DNS for the internet, and is
configured as the authoritative host for the site. This information is a
subset of the "real" internal DNS, with only the information that is to
be presented to the public. The bastion has no information for any of
the internal servers.
The bastion does not use its local name server, but instead the
resolv.conf on the bastion points to the "choke"(LAN) firewall.
All internal (LAN) clients point to the choke's DNS server.
(so far making sense!)
The choke has the "real" site data, and is also authoritative for the site
(is this allowed / OK?)
Now this is where the explanation gets a little vague in the book. It
says that when the choke server does not have the requested information,
it queries the server on the bastion, which in turn forwards the query
to an external name server.
Questions are as follows!
Does this mean that the bastion is configured also as a caching
nameserver?
Would the choke firewall have a forward entry in its conf file pointing
to the bastion's name server?
Would the choke's resolv.conf point to itself (0.0.0.0)?
My understanding of the resolution process is a little grey at the
moment, so excuse this question if it seems a little stupid...
When the bastion firewall receives the query from the choke, would it
not look at its resolv.conf and pass the query back to the choke, ending
in a loop, or does it not use the resolv.conf? (I would really
appreciate someone explaining this process.)
Kind regards,
Jon Paterson.
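[Editor's note, added after the post above and not part of it or of the book it quotes.] The two-tier layout the post describes is a conventional split-horizon (split DNS) setup, and the loop the poster worries about does not occur because named never consults /etc/resolv.conf: that file only steers the host's own stub resolver (libc, and tools such as nslookup), while queries arriving at named are answered from its zones, its cache, or the forwarders named in named.conf. The fragments below, written for this note rather than taken from the book, show one way to express the setup in BIND 8/9 named.conf syntax: the choke is master for the full internal copy of the zone and forwards everything else to the bastion's named; the bastion is master for the public subset of the same zone, recurses only for the choke, and forwards to an outside resolver. The zone name example.com, the file names, and all addresses (RFC 5737 documentation ranges: LAN 192.0.2.0/24, choke/bastion link 198.51.100.0/24, bastion external 203.0.113.1, ISP resolver 203.0.113.53) are assumptions for illustration.

```conf
// ---- choke (LAN-side) firewall: /etc/named.conf ----
// Assumed addresses: choke LAN side 192.0.2.1, choke DMZ side 198.51.100.2,
// bastion DMZ side 198.51.100.1 (hypothetical, documentation ranges).
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.1; 198.51.100.2; };
    // Anything we are not authoritative for goes to the bastion's named.
    // "forward only" means never try to iterate from the root servers
    // ourselves, so the only outbound DNS path from the LAN is via the bastion.
    forwarders { 198.51.100.1; };
    forward only;
    // Only the LAN and the choke itself may ask us anything.
    allow-query     { 127.0.0.1; 192.0.2.0/24; };
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
};
// The "real" internal data: every host on the LAN.
zone "example.com" {
    type master;
    file "example.com.internal";
};
// /etc/resolv.conf on the choke (for the choke's own programs, not for named):
//     nameserver 127.0.0.1

// ---- bastion firewall: /etc/named.conf ----
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 198.51.100.1; 203.0.113.1; };
    // Send recursive lookups to the ISP's resolver (hypothetical address);
    // "forward first" falls back to iterating from the roots if it fails.
    forwarders { 203.0.113.53; };
    forward first;
    // Anyone on the Internet may ask for our public zone data ...
    allow-query     { any; };
    // ... but only the choke (and the bastion itself) may use us as a cache.
    allow-recursion { 127.0.0.1; 198.51.100.2; };
};
// The public subset of the same zone: no internal hosts appear in this file.
zone "example.com" {
    type master;
    file "example.com.public";
};
// /etc/resolv.conf on the bastion (used by the bastion's own programs only;
// named does not read it, so a query from the choke cannot loop back):
//     nameserver 198.51.100.2
```

Both servers are master for example.com and that is fine: nothing in the protocol requires two authoritative servers for a name to agree, and here they are deliberately serving different views to different audiences. The one property to check is that the choke's copy is never delegated to from the parent zone and is unreachable from outside (the allow-query lists and the firewall rules on 198.51.100.1 enforce that), otherwise the internal names leak. On the bastion, the allow-recursion line is what keeps it from being an open resolver for the Internet while still caching for the choke.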