Hi ALL, 

I had tried setting up split-dns on a Solaris firewall. it didn't work.

split-dns means that the secuRemote client will intercept/encrypt and
redirect all dns queries belonging to the encryption domain.

this means that the user can type xxx.internal.com and the secuRemote client
will redirect the dns query to the VPN gateway, which in turn will re-direct
the request to the internal dns server. of course, this will happen provided
xxx.internal.com has been configured as internal! this configuration is
done on the firewall and gets reflected in the userc.C file in the
secuRemote client, when the site is updated.

if the user types www.checkpoint.com, the secuRemote client will let the
external (normal) dns server service the request. 

for this to happen, a few things must be done on the firewall:

a) an object representing the internal dns server must be created.
b) a dnsinfo.C file must be created in the $FWDIR/conf directory.
c) a line - #define ENCDNS - must be added (before a certain line) in the
crypt.def file in the /etc/fw/lib directory.

both these things have been done, and the firewall policy was re-installed.
the doc says this is enough. the firewall kernel should pick up the changes
after the re-installation.

a couple of lines must also be added to the userc.C file on the secuRemote
client. these lines have been added and the site was updated.

upon examination of the userc.C file, after updating the site, we found this
interesting line - 
dnsinfo () 

now, between those two parentheses, we expected to see the entire stuff that
we typed into the dnsinfo.C file on the firewall. this probably means
that the firewall is not picking up info from the dnsinfo.C file.

we have checked minutely for spelling mistakes and uppercase-lowercase typos
both in the content as well as in the name of the file - dnsinfo.C, but
haven't found any errors. yet split-dns doesn't work.

what might be the reason? and the solution to the problem?

thanks and regards,
anilskv.

