DNS with firewall configuration assistance required!

Jon Paterson jpaterson at itchannel.net
Mon Jun 12 09:30:02 UTC 2000


Hi, I have recently been reading "Linux Firewalls" (New Riders) and am 
a little confused by a statement made by the book.  I would be very 
grateful if someone could expand on the configuration / example given by 
the book.


Basically, the recommendation from the book is as follows:

The bastion firewall hosts external DNS for the internet, and is 
configured as the authoritative host for the site.  This information is a 
subset of the "real" internal DNS, with only the information that is to 
be presented to the public.  The bastion has no information for any of 
the internal servers.

The bastion does not use its local name server, but instead the 
resolv.conf on the bastion points to the "choke" (LAN) firewall.
All internal (LAN) clients point to the choke's DNS server.
(So far making sense!)

The choke has the "real" site data, and is also authoritative for the site 
(is this allowed / OK?).

Now this is where the explanation gets a little vague in the book: it 
says that when the choke server does not have the requested information, 
it queries the server on the bastion, which in turn forwards the query 
to an external name server.


Questions are as follows!

Does this mean that the bastion is configured also as a caching 
nameserver?

Would the choke firewall have a forward entry in its conf file pointing 
to the bastion's name server?

Would the choke's resolv.conf point to itself (0.0.0.0)?

My understanding of the resolution process is a little grey at the 
moment, so excuse this question if it seems a little stupid...

When the bastion firewall receives the query from the choke, would it 
not look at its resolv.conf and pass the query back to the choke, ending 
in a loop, or does it not use the resolv.conf?  (I would really 
appreciate someone explaining this process.)


Kind regards,


Jon Paterson.
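The bastion/choke layout the post describes, written out as BIND named.conf fragments. This is an added example, not from the original post, the book, or the BIND project; the zone name and all addresses are constructed placeholders. The point it illustrates is that named's upstream behaviour is governed by the forwarders and forward statements in named.conf (or, with none, by the root hints), not by /etc/resolv.conf, which only the host's own stub resolver reads.

```conf
# Added example (not the original post's or the book's configuration):
# BIND 9 named.conf fragments for the bastion/choke split described above.
# example.com, 192.0.2.x and 10.0.0.0/8 are constructed placeholders.

# ---------------- bastion (external-facing) named.conf ----------------
options {
    directory "/var/named";
    # Anyone may ask for the public zone, but only the choke may ask the
    # bastion to recurse on its behalf.
    allow-query     { any; };
    allow-recursion { 192.0.2.2; };   # constructed: choke's outside address
    # No forwarders here: with none configured, named resolves unknown
    # names via the root hints below.  It never consults /etc/resolv.conf,
    # so a query from the choke cannot be bounced back to the choke.
};

# Root hints used for iterative resolution of names outside our zones.
zone "." {
    type hint;
    file "named.root";
};

# Public subset of the site data: only hosts meant to be visible externally.
zone "example.com" {
    type master;
    file "db.example.com.external";
};

# ---------------- choke (LAN-facing) named.conf ----------------
options {
    directory "/var/named";
    allow-query { 10.0.0.0/8; 127.0.0.1; };   # constructed: internal LAN
    # Names the choke is not authoritative for are sent to the bastion's
    # name server.  "forward only" stops the choke from ever trying the
    # roots itself, so the choke needs no direct path to the internet.
    forwarders { 192.0.2.1; };                # constructed: bastion address
    forward only;
};

# Full internal ("real") site data, answered locally before any forwarding.
zone "example.com" {
    type master;
    file "db.example.com.internal";
};
```

With this in place the choke's own /etc/resolv.conf can carry `nameserver 127.0.0.1` so that programs on the choke use its local named; that file affects only those programs, not named's forwarding. Likewise the bastion's resolv.conf pointing at the choke steers the bastion's own programs to the choke, while the bastion's named resolves external names through the root hints. Confirming the path with a query tool such as dig against each server (a name in the internal zone from the LAN, then an external name) shows which server answered and whether recursion was permitted.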


