DNS behind firewall w/NAT, resolve both internal & external(real) IP?

zz at rockstone.com
Sun Nov 26 09:03:54 UTC 2000


I'd appreciate it if anyone could comment on how to achieve this:

1. Current situation:
A company has an internal LAN of a few hundred machines, internally
on a private IP scheme (172.16.x.x / 255.255.0.0), connected to the
Internet via an old Cisco PIX firewall (PIX-10000-AC-1024) which does
network address translation (NAT) for those machines that need to be
visible on the Internet. At this moment the ISP is hosting the
company's DNS to cover those Internet-visible machines, and the
company has its internal DNS covering internal addressing only. The
main concern is that maintenance is inconvenient for MIS because any
time a record needs to be changed, they must send the ISP a request
form following a pre-formatted procedure. The ISP sometimes is not
quite responsive. Currently:
MachineA on internal LAN, behind firewall:
Internal IP: 172.16.1.2 <-Firewall w/NAT-> External IP 207.224.102.130

2. What is the best way?
The company is considering moving its DNS authority and managing the
DNS server on its own premises instead of having the ISP do it.
Or perhaps running its own DNS as master (primary authoritative) and
letting the ISP run a slave as secondary.
Now the question comes: which way is better to implement this
- should the primary DNS sit behind the firewall, or in front of the
firewall? The DNS must be able to determine the origin of the query
and resolve external requests to the real address, and queries from
the internal LAN to the 172.16.x.x address.

3. Recommendations or resources?
I'd appreciate your ideas, including pros and cons, or a pointer to
resources where I can get a sample configuration. And how to achieve
high availability.

4. High availability - one ISP two circuits or two ISP two circuits?
Sometimes the ISP T1 circuit goes down. So for redundancy purposes, they'd
like to have a backup circuit. Should this be implemented by two routers
to two different ISPs via two circuits running BGP, or some other type
of dynamic routing?
What is the most commonly used load balancing and fault tolerance design
for the least spending?
If two ISPs are selected, would the company need two blocks of addresses
assigned by the two ISPs, or only one block of IPs?
Is the Cisco PIX fail-over bundle a practical answer for circuit failure?
I doubt it, because my impression is that the Cisco PIX fail-over only
backs up in the event of a firewall failure, but offers no protection if
the circuit fails or the connected ISP router goes down.

Thank you.
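One way to satisfy point 2 (different answers depending on whether the query comes from the 172.16.x.x LAN or from the Internet) is BIND 9's "views". The named.conf excerpt below is an added illustration, not configuration from the original post; it assumes the zone name example.com, the host name machinea, and the placeholder addresses marked in the comments (192.0.2.53 stands in for the ISP's secondary, and the ns1 addresses are made up).

```conf
// named.conf excerpt: split-horizon DNS with BIND 9 views.
// Added example, not from the original post. Placeholders: zone example.com,
// host "machinea", name server "ns1", ISP secondary 192.0.2.53.

acl "internal-lan" { 172.16.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
};

// Queries that arrive from the LAN get the private 172.16.x.x answers.
view "internal" {
    match-clients { "internal-lan"; };
    recursion yes;                       // LAN hosts may also use it as a resolver
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// Everything else (the Internet, and the ISP's slave) gets the NAT'd addresses.
view "external" {
    match-clients { any; };
    recursion no;                        // authoritative answers only
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { 192.0.2.53; };  // placeholder: ISP secondary
        also-notify { 192.0.2.53; };
    };
};

// --- internal/example.com.zone (what the LAN sees) ---------------------
// $TTL 3600
// @        IN SOA ns1.example.com. hostmaster.example.com. (
//                 2000112601 3600 900 604800 3600 )
//          IN NS  ns1.example.com.
// ns1      IN A   172.16.1.1          ; placeholder: internal address of the DNS box
// machinea IN A   172.16.1.2
//
// --- external/example.com.zone (what the Internet sees) ----------------
// (same SOA and NS records, but:)
// ns1      IN A   207.224.102.131     ; placeholder: NAT'd address of the DNS box
// machinea IN A   207.224.102.130
```

Because the two views are matched on the query's source address, the ISP's slave transfers only the external zone and never learns the 172.16.x.x data. NAT on the PIX rewrites only the destination of inbound packets, so the server still sees the Internet client's real source address and match-clients works whether the server sits on the inside with a static translation or in front of the firewall.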
More information about the bind-users mailing list