Setting up DNS in DMZ

jeff donovan jdonovan at beth.k12.pa.us
Tue Apr 6 12:23:19 UTC 2004


On Apr 5, 2004, at 8:16 PM, Kevin Darcy wrote:

> Tim Stanley wrote:
>
>> I'm looking for examples of a correct way to set up a DNS in a DMZ -- a
>> hardware DMZ. Not setting up named on a system that has a firewall, but
>> setting up named in the DMZ.
>>
>> Of course, on a firewall, there is the registered IP range, and 2 private
>> ranges. The DNS is for the registered IP range, however, it is set in one
>> of the private ranges. So, what is appropriate for configuring the DNS?
>>
> If your nameserver has an address in a private range, then you'll need
> to do some NAT'ting, of course, in order for other Internet nameservers
> to be able to communicate with it. All of the DNS data you serve to the
> Internet will also need to be public addresses, with NAT'ting being done
> as necessary between the HTTP/SMTP/whatever clients on the Internet and
> your servers. Some NATs are smart enough -- or *think* they are smart
> enough, but actually get it wrong -- to change private-to-public
> addresses in DNS response packets on the fly. But I wouldn't trust that
> technology. The more traditional approach is to implement "split DNS"
> with internal and external databases for your names -- in the "internal"
> database, the DMZ names would resolve to private addresses, and in the
> "external" database, the DMZ names would resolve to public addresses. If
> you use BIND 9, you could serve both the internal and external databases
> from the same nameserver instance, if you wanted, differentiating the
> answers by client source address via the "view" feature.


Greetings
Kevin gave me the same advice about 2 years ago, and it has worked great.
Only hiccup is managing two databases. After a while it gets pretty fat.
-----------------------------------
jeff donovan
basd network operations
(610) 807 5571 x4
AIM  xtdonovan
fwd# 248217
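An added example of the BIND 9 "view" split-DNS setup Kevin describes in the quoted reply above: one named instance, two databases for the same zone, answers chosen by client source address. This is not configuration from the thread or from any of the posters; every name and address in it is an assumption made up for illustration (example.com as the zone, 192.0.2.0/24 as the registered range, 10.1.1.0/24 as the DMZ, 192.168.0.0/16 as the internal LAN, 203.0.113.53 as a secondary nameserver). It assumes the firewall already does static NAT between the nameserver's public address 192.0.2.53 and its DMZ address 10.1.1.53.

```conf
// /etc/named.conf  (BIND 9) -- added example, not from the thread.
// Assumed addressing: public 192.0.2.0/24, DMZ 10.1.1.0/24, LAN 192.168.0.0/16.

acl "internal" {
    10.0.0.0/8;          // DMZ and any other private ranges
    192.168.0.0/16;
    127.0.0.1;
};

options {
    directory "/var/named";
    recursion no;        // authoritative-only unless a view says otherwise
    allow-transfer { none; };
};

// Views are tried in order: the internal match must come first, otherwise
// "any" in the external view would swallow every client.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                       // internal hosts may use us as a resolver
    allow-recursion { "internal"; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone"; // private (DMZ) addresses
    };
};

view "external" {
    match-clients { any; };              // everything else, i.e. the Internet
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone"; // public (NAT'ted) addresses
        allow-transfer { 203.0.113.53; }; // assumed off-site secondary
    };
};

; /var/named/internal/example.com.zone -- the "internal" database
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2004040601 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    10.1.1.53
www     IN A    10.1.1.10
mail    IN A    10.1.1.25

; /var/named/external/example.com.zone -- the "external" database
; Same names, same serial discipline, public addresses only.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2004040601 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    192.0.2.53
www     IN A    192.0.2.10
mail    IN A    192.0.2.25
```

Check it before reloading: `named-checkconf /etc/named.conf` catches view and ACL syntax errors, and `named-checkzone example.com /var/named/internal/example.com.zone` (likewise for the external file) catches zone-file mistakes. Then verify the split from both sides: `dig @10.1.1.53 www.example.com A` from a LAN host should return 10.1.1.10, and `dig @192.0.2.53 www.example.com A` from outside should return 192.0.2.10 and refuse recursion. Two practical caveats: turn off any DNS "fix-up" or ALG on the firewall, since the views already hand out the right addresses and a NAT rewriting the answers on the fly is exactly what Kevin warns against; and because the two zone files are edited by hand, bump the serial in both whenever a host changes, which is the management overhead Jeff mentions.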


