This doesn't directly pertain to firewalls, but it
definitely is an indirect firewall issue so I figured
I would ask...
When doing NAT on a firewall, the common problem is
DNS. Internally DNS needs to return a private IP
address while continuing to provide the NAT'd public
IP address to the Internet. This is "split DNS"
(also known as "split brain" or "split horizon").
There seems to be a limitation with split DNS though.
Let's say we have the domain xyz.com.
Ideally the private DNS server would return private
IP addresses for its xyz.com entries. Anything else
for xyz.com or external domains it would forward to
the public DNS server.
The limitation is that it doesn't seem to be that
simple -- the private DNS server can't just have
private entries. It must also have all of the public
entries for xyz.com. That means that the public &
private DNS servers have overlapping entries. This
is more of a headache to administer.
Does anyone know if this is a valid limitation? Our
DNS administrator can see no way around it and I don't
know enough about DNS to know otherwise.
If there was DNS software out there that could return
an IP address based on the source IP of the request, that
would be PERFECT. Does such a product exist?
Thanks,
Carl
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
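Software that does exactly what the post asks for exists: BIND 9's "views" pick a different answer set for the same zone based on the querying client's source address. The following `named.conf` fragment is an added example, not part of the original post; the domain xyz.com comes from the post, while the ACL ranges, file paths and addresses are constructed placeholders.

```bind
// named.conf (BIND 9): serve xyz.com differently depending on the client's source IP.
// "internal" ACL ranges, file names and addresses are constructed for this example.

acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

view "internal" {
    match-clients { "internal"; };    // queries from private source addresses land here
    recursion yes;                     // internal hosts may use this server as a resolver
    zone "xyz.com" {
        type master;
        file "/etc/bind/xyz.com.internal";   // private addresses, e.g. www  A  10.0.0.10
    };
};

view "external" {
    match-clients { any; };            // everything that did not match the view above
    recursion no;                      // never recurse for Internet clients (open-resolver risk)
    zone "xyz.com" {
        type master;
        file "/etc/bind/xyz.com.external";   // NAT'd public addresses, e.g. www  A  192.0.2.10
    };
};
```

Each view is authoritative for the whole zone, so both zone files must be complete; the usual way to avoid maintaining the shared records twice is to keep them in one file that both zone files pull in with `$INCLUDE`, leaving only the records whose addresses differ in the per-view files.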