Hello,

        Your internal clients don't need to have access to external
DNS if they make all connections through non-transparent proxies.
In fact, they also don't need to have a default route pointing through
the firewall in this case.

        Example: if the user's browser points at the firewall/proxy
server to access web pages, his/her browser only needs to be able
to resolve the host name for the proxy server.  The browser will
make a request to the proxy for "GET http://www.lists.gnac.net/
HTTP/1.0", and only the proxy server needs to be able to resolve the
host name www.lists.gnac.net.  In this case, however, some auto-
completion features of newer web browsers don't work, such as being
able to type in just "sun" and end up at "http://www.sun.com/".
<sarcasm>Big loss...</sarcasm>

        Just tell all of your users that they need to set up their
HTTP proxy as "http-proxy.internal.domain", their FTP proxy to
"ftp-proxy.internal.domain", etc.  Internal mail servers that need
to send mail to the 'net should have their "smart host" set to the
mail proxy.  If you want to be really slick, you can put an "automatic
proxy" configuration file on an internal web server that contains
all of the end-user browser proxy configurations.  In this case,
the users' web browsers only need to be configured with one URL,
and you can centrally manage the proxy configurations for everyone
in your company.  You can also set up automatic fail-over....


        Have fun,
        - djg


Chris wrote:
> At 12:13 PM +1300 3/2/99, Jason Haar wrote:
> >I'm setting up a proxy-based firewall, and am tossing up between only
> >allowing the DMZ hosts to have access to Internet DNS servers, or allowing
> >the internal DNS servers to forward to the DMZ DNS server. The latter would
> >then allow internal users to lookup Internet hosts - even though they
> >couldn't then connect to them.
> 
> Jason, unless your internal hosts run blind, they're still going to need
> to have access to the information provided by Internet DNS servers,
> regardless of how that information is forwarded through your DMZ DNS
> servers, which is the way to go.  Without knowing more about your setup,
> I'd wonder how you could NOT allow "the internal DNS servers to forward
> to the DMZ DNS server."
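As an added illustration of the "automatic proxy" configuration file djg describes (example code, not part of the original thread), this is a PAC file that sends HTTP through http-proxy.internal.domain and FTP through ftp-proxy.internal.domain, keeps internal hosts direct, and lists a second proxy of each kind for fail-over. The port numbers, the second proxies, the "internal.domain" suffix and the small helper stand-ins are assumptions so the file also runs outside a browser.

```javascript
// Added example: a proxy auto-config (PAC) file of the kind djg's message
// describes. The proxy host names come from the message; ports 8080 and
// 2121, the *2 fail-over proxies and the "internal.domain" suffix are
// assumed, not taken from the original thread.

// Stand-ins for two PAC helper functions that browsers provide
// (dnsDomainIs, isPlainHostName), so the file runs under Node for testing.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// The browser calls this once per URL and tries the returned proxies in
// order, so listing two gives the automatic fail-over djg mentions.
function FindProxyForURL(url, host) {
  // Company-internal hosts resolve on the internal DNS; go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, '.internal.domain')) {
    return 'DIRECT';
  }
  // The protocol picks the dedicated application proxy.
  if (url.substring(0, 4) === 'ftp:') {
    return 'PROXY ftp-proxy.internal.domain:2121; ' +
           'PROXY ftp-proxy2.internal.domain:2121';
  }
  if (url.substring(0, 5) === 'http:' || url.substring(0, 6) === 'https:') {
    return 'PROXY http-proxy.internal.domain:8080; ' +
           'PROXY http-proxy2.internal.domain:8080';
  }
  // Anything else goes direct, which with no default route through the
  // firewall (djg's setup) simply cannot reach the Internet.
  return 'DIRECT';
}
```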