Internal roots and Internet access ?
Seifert, Reinhold (EDP Sys.)
Seifert at seeg.sharp-eu.com
Mon Mar 25 15:43:56 UTC 2002
> -----Original Message-----
> From: William J. Stacey [mailto:staceyw at ameritech.net]
> Sent: Saturday, March 23, 2002 3:26 PM
> To: Seifert at seeg.sharp-eu.com
> Subject: Re: Internal roots and Internet access ?
>
>
> Hi Seifert.
> I am curious about this and have a few questions if you don't mind:
Sure.
> 1) How does changing from proxy to packet filtering affect your DNS?
> Are the clients using the proxy for DNS today, or are they pointed to
> their local DNS which forwards (via root hints) unknown queries to the
> hq roots?
Today, internal clients (including name servers) have *no* direct Internet
access. Anything (ftp, http, smtp, ...) destined for the Internet is just
passed on to the proxy firewall. The firewall, as a proxy, does external
name lookups on behalf of the clients (the firewall knows what's internal
and external).
Now, with a packet filter this is different because its only task is to
decide whether the packet is allowed or not depending on the filter rules.
There is no proxy functionality - therefore the client already needs to
look up the external name/address. Basic network routing (BTW, this is
another issue when changing the firewall "type") will route these packets
to the firewall. If source/destination/port is "ok" then the *client* is
allowed to make the connection.
> 2) These hq "root" servers are not configured as real roots are they?
> If so, how do they forward unknown INET queries to the INET?
They *are* real root name servers, but internal only. As described above,
they don't need to know anything about the bad-bad-Internet.
> 3) Why do you put the HQ servers in root.hints on the remote
> DNS servers instead of forwarding to HQ server?
Actually that was based on recommendations in the "DNS&BIND" bible by
Cricket Liu & Paul Albitz. I have not checked whether this is still the
case in the 4th Ed., but at that time they clearly preferred the internal
roots over forwarding.
Anyway, that setup serve{s|d} our (not so small) environment quite well.
-Reinhold
>
> Maybe I can help if I understand your environment a little better.
>
> --
> William Stacey, MCSE
> Microsoft MVP (Windows 2000/NT Server)
>
>
> "Seifert, Reinhold (EDP Sys.)" <Seifert at seeg.sharp-eu.com> wrote in
> message news:<a7bjln$oii at pub3.rc.vix.com>...
> > Hi all,
> >
> > I'm sure this has been asked several times (therefore I apologize),
> > but still I have no clue whatsoever how to solve my DNS problem I
> > describe below, even though I looked through the list archive ...
> > therefore I ask.
> >
> > Background:
> > Currently, we have a proxying firewall. None of the internal clients
> > and nameservers have direct Internet access. In our headquarters we
> > have two internal *root* name servers which delegate directly from
> > root to "ourdomain.com." Two other boxes run the master and slave DNS
> > for "ourdomain.com". Other (also internal) offsite locations connected
> > via LAN/WAN to the headquarters run their own DNS for the corresponding
> > subdomain, e.g. "xyz.ourdomain.com", as master. For redundancy reasons
> > the name servers in the headquarters are slaves for those subdomains.
> > All internal name servers use a "db.cache" root hint that points at
> > the headquarters' internal root name servers.
> >
> > Now we are going to replace our proxying firewall by packet-filtering
> > firewalls. This introduces the need that at least part of the internal
> > clients will be able to resolve Internet names.
> >
> > That is the point where I'm stuck. Is it possible to keep the
> > "internal roots" concept? I have read anything between "Nope, no way"
> > and "Yes, but tricky". The main reason I am asking is because I have
> > almost no control over the DNS at the offsite locations. If at all
> > possible I would like to avoid changing the various DNS (NT/W2k DNS,
> > Novell, BIND 4.8, 4.9, 8.x ..) setups over there.
> >
> > Any help/comments/hints are very much appreciated.
> > Thanks,
> >
> > -Reinhold
>
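For readers who have not run this layout, the following is an added example of the setup described in the original post: an internal root zone at headquarters that delegates straight to "ourdomain.com", the "db.cache" hints file a remote office points at those internal roots, and, for comparison, the forwarding alternative asked about in question 3. It is not configuration from the thread; the host names, the 10.0.0.0/8 addresses and the file names are assumptions chosen for illustration.

```conf
// ---- headquarters: named.conf on an internal root server (BIND 8/9) ----
options {
    directory "/var/named";
};

// This box IS the root of the internal namespace, so "." is a master
// zone here rather than a hints zone.
zone "." {
    type master;
    file "db.root-internal";
};

; ---- headquarters: db.root-internal (zone file for ".") ----
; Assumed addresses: 10.0.0.1/10.0.0.2 are the internal roots,
; 10.0.1.1/10.0.1.2 are the master/slave for ourdomain.com.
$TTL 86400
.       IN  SOA  root1.hq.ourdomain.com. hostmaster.ourdomain.com. (
                 2002032501 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative-cache TTL
.       IN  NS   root1.hq.ourdomain.com.
.       IN  NS   root2.hq.ourdomain.com.
root1.hq.ourdomain.com. IN A 10.0.0.1      ; glue for the root NS names
root2.hq.ourdomain.com. IN A 10.0.0.2

; the only delegation the internal root knows about: root -> ourdomain.com
ourdomain.com.          IN NS ns1.ourdomain.com.
ourdomain.com.          IN NS ns2.ourdomain.com.
ns1.ourdomain.com.      IN A  10.0.1.1     ; glue
ns2.ourdomain.com.      IN A  10.0.1.2

; reverse tree for the internal address space, delegated the same way
10.in-addr.arpa.        IN NS ns1.ourdomain.com.
10.in-addr.arpa.        IN NS ns2.ourdomain.com.

// ---- remote office "xyz": named.conf (master for its own subdomain) ----
zone "xyz.ourdomain.com" {
    type master;
    file "db.xyz";
};

// Root hints point at the HQ internal roots instead of the Internet
// roots; unknown names are resolved by iterating from them.
zone "." {
    type hint;
    file "db.cache";
};

; ---- remote office: db.cache (internal root hints) ----
.                       3600000 IN NS root1.hq.ourdomain.com.
.                       3600000 IN NS root2.hq.ourdomain.com.
root1.hq.ourdomain.com. 3600000 IN A  10.0.0.1
root2.hq.ourdomain.com. 3600000 IN A  10.0.0.2

// ---- the alternative from question 3: forward to HQ instead of hints ----
// (options block of a remote server; not used together with the hints
// approach above)
options {
    directory "/var/named";
    forwarders { 10.0.0.1; 10.0.0.2; };
    forward only;   // never iterate on our own, always ask HQ
};
```

Two checks worth running once this is in place. `dig @10.0.0.1 ourdomain.com. NS` must return the delegation from the internal root, and `dig @10.0.0.1 xyz.ourdomain.com. SOA` followed from that referral must land on the remote office's master. The caveat is the one the thread is about: because "." is a master zone on the internal roots, a query for any name they do not delegate (for example a public Internet host) gets an authoritative NXDOMAIN with the internal root SOA in the authority section, and every resolver whose db.cache points at them will cache that negative answer for the zone's negative-cache TTL. That is exactly why the internal roots worked behind a proxy firewall and why they stand in the way once clients are expected to resolve Internet names themselves.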