That would work; however, you really shouldn't run anything else on your
firewall.
You can have an internal DNS server that's authoritative to your internal
network, that also does "forwarding" against external DNS servers without
having to worry about authorized or unauthorized zone transfers.
If your DNS server is set up correctly, zone transfers will be denied if
not configured anyway (settings within MS DNS; I don't know about BIND).
Also, if doing NAT, no one in the "real world" will be able to touch your
DNS server unless your DNS server initiated the session anyway.
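As an added example (not from anyone in this thread), here is a minimal BIND 9 named.conf for the setup described above: an internal server that is authoritative for the internal zone, forwards everything else to outside resolvers, and refuses zone transfers except to its own secondary. The network range, interface addresses, forwarder addresses and zone name are placeholder assumptions.

```conf
// Added example, not from the thread. BIND 9 named.conf for an internal
// DNS server behind NAT. All addresses and names below are placeholders.

acl "internal" {
    127.0.0.1;
    192.168.0.0/16;                      // assumed internal network (placeholder)
};

options {
    directory "/var/named";
    listen-on { 192.168.1.53; };         // assumed internal interface (placeholder)

    // Resolve external names only through the upstream resolvers.
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder external resolvers
    forward only;

    // Only internal hosts may use this server as a recursive resolver
    // or read its cache; anything else gets REFUSED.
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };

    // Global default: no zone transfers unless a zone explicitly allows them.
    allow-transfer { none; };
};

// Authoritative internal zone; not reachable from the Internet behind NAT.
zone "corp.example" IN {
    type master;
    file "corp.example.zone";
    allow-query { "internal"; };
    // Only the internal secondary may pull a full copy of the zone.
    allow-transfer { 192.168.1.54; };    // placeholder secondary server
    notify yes;
    also-notify { 192.168.1.54; };
};
```

`named-checkconf` validates the file before reload; afterwards an AXFR request for the zone from any host other than the listed secondary should be answered with REFUSED, which is the check that confirms the transfer restriction actually took effect.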


-----Original Message-----
From: Bill Stackpole [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 08, 1999 10:48 AM
To: 'Burgess, Jeff'
Subject: RE: Firewall-1 NAT/DNS issue


The simple answer is to set up a cache-only DNS on the Firewall box and
forward all internal DNS queries to it.  Then set up the rules
to allow DNS.  That's what I've done and I have no DNS resolution problem, plus
I don't have a DNS leakage problem or authorized zone transfer issues.

> -----Original Message-----
> From: Burgess, Jeff [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, September 08, 1999 5:32 AM
> To:   'Espinola, Micheal'; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject:      RE: Firewall-1 NAT/DNS issue
> 
> 
>  Micheal,
>    If you get an answer to this one drop me a note.
>    You are the second person I've seen ask this question, so I thought I
> should respond even though I don't have an answer for you.  To my knowledge
> FW-1 DOES NOT NAT PORTS. If you are doing NAT that's fine and everything
> should work well.
>    I've taken both the CCSA and CCSE courses and they don't mention NATing
> ports...
> 
>    I'm curious as to why you mentioned Apple.Com specifically?  I've noticed
> that Apple has been having A LOT of problems lately; could be your problem
> is not internal and is actually Apple's problem...  Or is this happening
> with other sites as well?
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]