SP4 fixed the DNS thing. I had the forwarding problem too. There may still be a stand-alone "hot fix" for DNS issues. I had the hot fix before SP4 and it worked fine too.
-----Original Message-----
From: Ben Nagy [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, May 06, 1999 8:56 PM
To: 'Bernd Eckenfels'; Sloan, Scott
Cc: Firewalls (E-mail)
Subject: RE: Microsoft DNS
Whoa whoa whoa...

First of all, you _need_ to run DNS on the firewall for external DNS to work at all. This is all as it should be because it's not a packet filter, remember? DNS is what some people have called a "self proxying service" in that you use DNS servers to proxy DNS requests. So yes - Gauntlet has a DNS proxy in that sense. [1]

Sure you _could_ hack in packet filter rules to allow DNS requests in and out to your internal DNS server - hell, why not just allow ICQ while you're at it?

In other words - answer to the first part of the question - it's a Good Idea.

However, it is bad bad bad to use the firewall as your DNS server for the outside world - read the documentation that came with the firewall and it will tell you that quite clearly.

I guess the "recommended" config is to run a DNS in the DMZ if you're providing your own DNS. I always con a friendly ISP into running the primary unless changes will be constant.

On a sadder note, I'm having the same problem as Bernd in that I can't get MS DNS to forward through the MS DNS on the firewall yet (the server originating requests is a full production box so I haven't downed it to try SPs yet 8b ). The config I'm running to tide me over is to run the DNS ONLY on the internal interface (as has been mentioned) and not to keep any DNS info about internal hosts - it doesn't even have a "zone". It just forwards to the outside world as a slave. This may or may not be possible for you (I can get away with it because it's all MS stuff and I can use WINS).

I love the term "cache poisoning" - it's one of the things I talk vaguely about with non-computer friends to make it sound like I'm in some exciting espionage world instead of boring computer rooms ;)

[1] Yeah, that's flippant. I can think of some cases where it would be cool to proxy UDP to a Unix box running BIND or something. However, the ONLY reason to write such a proxy would be because there was no native DNS server that runs on the firewall that was any good, and that might be politically difficult to say for NAI.
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
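Ben's stop-gap described above (DNS listening only on the internal interface, holding no zone, forwarding everything outward) expressed as a BIND named.conf. This is an added illustration, not his actual MS DNS configuration; the "internal" ACL, the inside interface address and the forwarder addresses are placeholders.

```conf
// Added illustration, not the MS DNS setup from the thread: a BIND resolver
// that listens on the inside only, is authoritative for nothing, and
// forwards every query outward. All addresses below are placeholders
// (assumed RFC 1918 LAN, assumed ISP resolvers).
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";

    // Bind the inside interface only (placeholder address); the outside
    // interface never exposes this cache.
    listen-on { 10.0.0.1; };

    // No zone statements anywhere: the server keeps no data about
    // internal hosts and is purely a caching forwarder.

    // Hand every query to the ISP's resolvers (placeholders) and never
    // iterate on the Internet directly.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;

    // Only inside clients may query or use recursion, so an outside
    // party cannot use this cache or trigger lookups through it.
    allow-query { "internal"; };
    allow-recursion { "internal"; };
};
```

The cache still trusts whatever the forwarders return, so the hygiene of the ISP resolvers you point at matters as much as your own listen and recursion limits.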
-----Original Message-----
From: Bernd Eckenfels [SMTP:[EMAIL PROTECTED]]
Sent: Friday, May 07, 1999 6:47 AM
To: Sloan, Scott
Cc: Firewalls (E-mail)
Subject: Re: Microsoft DNS
On Thu, May 06, 1999 at 12:05:34PM -0400, Sloan, Scott wrote:
> Would I run into a risk running Microsoft's DNS caching service on a
> Gauntlet NT firewall box? Would it be possible for someone to poison my
> cache? If so, what's the best configuration?

I have problems with my forwarders; it keeps forgetting them every time I open the DNS admin... Unfortunately on that box I can't use SP3 or SP4... DLLs are badly broken, but it's my primary intranet server, so I am stuck with fixing that every now and then... Perhaps it's a warning for you... You can on the other hand use BIND...

Is there no DNS proxy in Gauntlet?!? I mean a firewall which costs more than a small car...

Greetings
Bernd
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]