Jonathan Thornburg wrote:
The purpose of this message is to ask for advice on how to handle
DNS on the firewall. I can see two basic options:
(a) When the firewall boots, after the outside network is configured
(via /etc/rc running dhclient) a shell/grep/perl script on the
firewall copies the DNS server addresses from /etc/resolv.conf
into /etc/dhcpd.conf, and only then does the firewall start its
dhcpd on the inside interface. dhcpd will then hand out the
(ISP-provided) DNS server addresses to clients at the same time
it gives them their local addresses, causing the clients to
directly query my ISP's DNS servers.
(b) The firewall's dhcpd is configured to tell clients that the
firewall itself is a DNS server. The firewall also runs a DNS
proxy (e.g. /usr/ports/net/totd or /usr/ports/www/squid,transparent).
Clients then query the firewall as a DNS server, and the firewall
(i.e. OpenBSD's resolver(3) routines in libc) queries my ISP's
DNS servers as needed, and (via the DNS proxy) passes the results
back to clients.

My home router runs a minimum-configured named, serving as the only DNS
server for the internal Windows machines and using opendns.com nameservers
as forwarders. Internal boxes get their IP addresses and the address of the DNS
server from dhcpd running on the router.
Also, the router runs (of course!) PF in "block in/pass out" manner plus some
port forwarding for p2p networks, and Squid for http caching. Pretty simple.