DNS & PIX setup question

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 12 22:42:45 UTC 2005


Tim Cantin wrote:

>Background:
>
>I have two class B networks separated by a firewall. One network is public
>(149.130/16) and the other is private (172.17/16). There's a pair of bind8
>named's running on the 149.130 network which have no notion of the 172.17
>network. Each server on the 172.17 network has a hosts file, and for everything
>else they use the dns servers on the 149.130 network as their primary dns. (The
>nsswitch.conf has hosts,dns for name resolution.)
>
>Plans:
>
>We're switching to a Cisco PIX firewall, and introducing the use of the Cisco
>vpn client. Soon clients on the 149.130 network will connect via vpn to use
>services in the 172.17 network, and thereby get a 172.17.x.x address for the
>vpn adapter. 
>
>Problem:
>
>The PIX needs to tell the vpn clients a dns server to use which resolves to
>172.17 addresses where appropriate. I don't want to create a copy of our
>existing dns servers behind the firewall, and keep both locations up-to-date.
>Both networks think they are wellesley.edu (maybe that's my problem).
>
>Any ideas? I've tried about 6 or 8 theories, but I didn't want to cloud my
>initial posting explaining them (and their failures) -- but I gladly will if
>you're interested
>
I assume the VPN clients will be able to access 149.130/16 resources 
*and* 172.17/16 resources, right (?), so-called "split-tunnel", 
otherwise this is a fairly trivial problem (i.e. just point the VPN 
clients at a nameserver that serves only 172.17/16 addresses, since 
that's all they care about anyway).

I assume further that you have no option to segregate your 172.17/16 
resources by subdomain. If so, then that would also make the problem 
rather trivial -- just have the 149.130/16 nameservers serve the 
subdomain as a subzone, optionally with an "allow-query" that would only 
permit clients in the VPN address-pool range.

If those options aren't available to you, then I don't see any way for 
you to avoid biting the bullet and having to maintain both 149.130/16 
and 172.17/16 data in at least one version of the wellesley.edu zone. 
You might be able to save yourself some maintenance headache by hosting 
the "VPN" version of the zone from the same nameserver instance as the 
"non-VPN" version, differentiating using the "view" feature, and then 
sharing the common data between views via an $INCLUDE file. But the 
bottom line is you would need to duplicate some of the data in multiple 
places (nameservers, instances or views), and it sounds like that's 
exactly what you're trying to avoid...

- Kevin
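As an added example (not from the thread), this is the view-plus-$INCLUDE layout Kevin describes: a named.conf excerpt with two views of wellesley.edu and three zone files, where only the records that differ live in the per-view file. The VPN address pool (172.17.250.0/24), the ns1/www/app names and every address are assumed placeholders to be replaced with the PIX pool and real data; views require BIND 9, not the BIND 8 mentioned in the question.

```conf
// ---- named.conf (excerpt) ----
// ASSUMED: the address pool the PIX hands to VPN clients.
acl vpn-pool { 172.17.250.0/24; };

// Views are matched in order, first match wins, so the VPN view must
// come before the catch-all view or VPN clients get public answers.
view "vpn" {
    match-clients { vpn-pool; };
    zone "wellesley.edu" {
        type master;
        file "wellesley.edu.vpn";
    };
};

view "public" {
    match-clients { any; };
    zone "wellesley.edu" {
        type master;
        file "wellesley.edu.public";
    };
};

; ---- wellesley.edu.common ----
; Records identical in both views; edited in one place, $INCLUDEd twice.
$TTL 3600
@       IN  SOA   ns1.wellesley.edu. hostmaster.wellesley.edu. (
                  2005041201 ; serial (one bump updates both views)
                  3600 900 604800 3600 )
        IN  NS    ns1.wellesley.edu.
ns1     IN  A     149.130.0.53     ; constructed address
www     IN  A     149.130.0.80     ; constructed address

; ---- wellesley.edu.public ----
; Answers for everyone except VPN clients.
$INCLUDE wellesley.edu.common
app     IN  A     149.130.1.10     ; constructed: public/NAT side

; ---- wellesley.edu.vpn ----
; Answers for VPN clients: private address "where appropriate".
$INCLUDE wellesley.edu.common
app     IN  A     172.17.1.10      ; constructed: private side over the tunnel
```

Only hosts that genuinely have a different address on the 172.17/16 side need an entry in the per-view files; everything else stays in the common file, which is the duplication Kevin says you cannot fully avoid but can keep small.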




More information about the bind-users mailing list