That Firewalls book people were talking about a while ago has a very lucid
explanation of the split or "fake" DNS model. Get it, read it.
To fill in some blanks about the basic setup before Roger's advice kicks in:
You run two DNS boxes. One is your Public DNS and one is your Private DNS.
The Public box is visible to the outside world, and contains sanitised info
about the inside of your domain. Do what Roger said RE: reverse mappings to
fill your address space. Lots of firewalls will let you run the public DNS
on it, although some people recommend that you use a separate box.
This server forwards queries through to your next-in-line DNS. It does NOT
repeat NOT use itself for its own queries - it uses the Internal DNS. It's
probably bad for this server to cache. You want requests to always go
through this server to the upline DNS, to lower the chances of cache
poisoning. In other words it's just a proxy for outgoing requests.
The Private DNS sits behind your internal firewall (not in the DMZ). All
internal users use this as their one and only DNS. It will forward queries
to the External DNS (well, that's one way to do it). Nobody in the outside
world should ever have occasion to talk DNS to this server. It's fine for
this guy to cache, since the responses have not been obtained from our
suspect Public DNS box.
Both the DNS servers think that they're the authoritative server for the
domain.
Now, this next bit I'm hazy on, so if any gurus read through the basic stuff
above, they can fill me in.
There's a thing called double reverse lookup, which I'm pretty sure is done
by smart DNS servers. Say you do somehow get a bad entry put into a DNS
cache along the path, telling you that www.happyland.org is at 140.6.6.6.
Double reverse lookup will take
every IP address, and think "Hmm...I might just check this" and find the
in-arpa PTR record for that IP address. In this case, lo and behold it turns
out to be hax0r.sinville.edu.
As Chris said, there may be other issues depending on what your front line
firewall setup is.
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-----Original Message-----
From: Rao, Prashanth [SMTP:[EMAIL PROTECTED]]
Sent: Monday, April 12, 1999 9:45 AM
To: 'Roger Books'; Tally
Cc: [EMAIL PROTECTED]
Subject: RE: DNS in the DMZ
Hi,
How about considering Hidden DNS or Split Domain Name services (Firewall
acting as virtual DNS server for the external world)
prashanth
> -----Original Message-----
> From: Roger Books [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, April 10, 1999 5:48 AM
> To: Tally
> Cc: [EMAIL PROTECTED]
> Subject: Re: DNS in the DMZ
>
> On 9-Apr-99 at 16:09, Tally ([EMAIL PROTECTED]) wrote:
> > here is the configuration:
> >
> > INTERNET
> > |
> > FIREWALL------DMZ----[dns,www,ftp servers]
> > |
> > CO. Network
> >
> > the DNS is in the DMZ. and this DNS is to have the
> > entries for www,ftp and the firewall external IP
> > address facing the internet.
> >
> > ok, how is this DNS to be configured.
> > ALL HOSTS in the DMZ are to be hidden behind the
> > firewall. so we have just IP address which is
> > for the world. all others are hidden and NATed.
> >
> > please email me asap
> >
>
> Make sure your DNS is configured to not do zone transfers
> to the outside world. In addition, this is a bit of a
> nuisance, however...
>
> Add an entry for every NAT address you will be using from
> the inside. I.e. if it is going to look from the outside
> like you have a class C then add 254 entries with made
> up names. Make sure you put reverses in for each of these.
>
> If you don't do the second when someone inside hits some
> of the FTP sites, or they hit sites dealing with crypto
> they will be refused.
>
> Let's see, you should also turn off request forwarding
> to the outside world. Someone at www.isp.joe.com should
> not be using your machine to look up yahoo.com if your
> machine is dns.bogus.org.
>
> Read the documentation with your version of DNS (and
> hopefully you are installing a recent unix version of
> bind), it should go into the why's and wherefores of
> what I have mentioned, along with some things I am
> probably missing.
>
> Roger Books
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
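The sanitised public-side data that Ben's split model and Roger's advice call for (a made-up name plus matching reverse for every NAT address, no zone transfers, no recursion for outsiders) can be generated rather than typed 254 times. This is an added example, not code from the thread; it assumes the domain example.org, the NAT block 192.0.2.0/24 (a documentation range), placeholder DMZ hosts, and BIND-style named.conf syntax.

```python
# Added example (not from the original thread): build the sanitised data the
# public DNS publishes. Assumed/constructed: domain example.org, NAT block
# 192.0.2.0/24 (a documentation range) and the real DMZ hosts listed below.
import ipaddress

def placeholder_name(ip):
    """Made-up name for a NAT address with no real host behind it."""
    return "nat-" + str(ip).replace(".", "-")

def reverse_zone_name(network):
    """Reverse zone for a /24, e.g. 192.0.2.0/24 -> 2.0.192.in-addr.arpa."""
    octets = str(ipaddress.ip_network(network).network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_records(network, real_hosts):
    """Return ({name: ip}, {ip: name}) covering every usable address.
    Real hosts keep their names; every other address gets a made-up name,
    and each A record has a matching PTR so a double-reverse check passes."""
    forward, reverse = {}, {}
    for host in ipaddress.ip_network(network).hosts():  # 254 in a /24
        name = real_hosts.get(str(host), placeholder_name(host))
        forward[name], reverse[str(host)] = str(host), name
    return forward, reverse

def zone_files(domain, network, real_hosts, ttl=86400):
    """Render forward and reverse zone text for the public server."""
    forward, reverse = build_records(network, real_hosts)
    head = [f"$TTL {ttl}", f"@ IN SOA ns1.{domain}. hostmaster.{domain}. "
            f"(1 7200 3600 604800 {ttl})", f"@ IN NS ns1.{domain}."]
    fwd = [f"$ORIGIN {domain}."] + head
    fwd += [f"{n} IN A {ip}" for n, ip in forward.items()]
    rev = [f"$ORIGIN {reverse_zone_name(network)}."] + head
    rev += [f"{ip.split('.')[-1]} IN PTR {n}.{domain}." for ip, n in reverse.items()]
    return "\n".join(fwd) + "\n", "\n".join(rev) + "\n"

def public_named_conf(domain, network):
    """BIND options for the public box: answer only, never recurse, never AXFR."""
    rev = reverse_zone_name(network)
    return (f"options {{\n    recursion no;              // not a resolver for outsiders\n"
            f"    allow-transfer {{ none; }}; // no zone transfers to the world\n}};\n"
            f'zone "{domain}" {{ type master; file "{domain}.zone"; }};\n'
            f'zone "{rev}" {{ type master; file "{rev}.zone"; }};\n')

if __name__ == "__main__":
    hosts = {"192.0.2.1": "fw", "192.0.2.2": "ns1", "192.0.2.10": "www", "192.0.2.11": "ftp"}
    print(public_named_conf("example.org", "192.0.2.0/24"))
    print(*zone_files("example.org", "192.0.2.0/24", hosts), sep="\n")
```

The private server keeps the real internal names and may cache; only the output above ever leaves the DMZ box.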