Non-routable addresses in the DMZ

Michael Voight mvoight at cisco.com
Thu Jul 15 19:38:31 UTC 1999



Marty Enerson wrote:
> 
> What we had was a DMZ with non-routable addresses.  Then DNS was in that zone and had a
> non-routable address.  The DNS zone files were for the Internet and had basically two
> addresses it was serving...the web server address and its own address.  But the zone
> files contained the routable addresses of the two machines since the only people using the
> two machines would be on the Internet.  When I started BIND it said that it couldn't
> resolve its name because the port is bound to 192.168.40.10 but the DNS tables give a
> routable number.
> 
> The only machines in the DMZ are non-routable but the PIX gives them routable numbers.
> 
> 1. yes
> 2. no, I have the routable number configured in the DNS files
> 3. yes, but I do not know (or care) what the non-routable numbers are.
> 
> I don't know about the "alias" command on the PIX.
> 
> We called Cisco and they were no help on how the DNS should be configured.  The DMZ works
> great with either non-routable or routable addresses... but the DNS server is having the
> prob.

You don't say exactly what BIND is looking for here, or whether it is not
finding a PTR record for the address.
Is BIND complaining about not finding an A record for the hostname? If
so, then put the inside PTR record in DNS. You CAN have multiple PTR
records pointing to the same hostname.  Is BIND complaining, or just
nslookup?
If nslookup is complaining about not finding the address, just configure
the resolver to use 127.0.0.1 instead of the real address.

If the DNS server is on the DMZ and being queried by the outside, then
you can use the alias command to give the inside people one address and
the outside people another. The alias command will allow the PIX to
change the DNS data in the packet so inside people see the inside
address, and the PIX will translate the address that goes to the
outside.

I need to know exactly what BIND is complaining about. Can you supply
the message? See, it is helpful to find someone who knows PIX and DNS.

Michael
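
The rewriting Michael describes for the PIX alias command (the firewall changes the A-record data in a DNS reply so inside hosts see the DMZ address while the outside sees the routable one) is shown below as an added example, written for this archive page and not taken from the PIX or from BIND. It builds a small DNS response, then rewrites the A-record RDATA for every address in a public-to-inside table, leaving names, TTLs and the message length untouched. Only 192.168.40.10 comes from the post; the routable 203.0.113.x addresses, the hostnames and the web server's inside address 192.168.40.20 are assumed for illustration.

```python
"""Illustration of NAT "DNS doctoring" on A-record answers.
Added example; not PIX, BIND or Cisco code."""
import struct

# Assumed mapping for this example: routable address -> DMZ (inside) address.
# 192.168.40.10 is the BIND host from the post; everything else is invented.
PUBLIC_TO_INSIDE = {
    "203.0.113.10": "192.168.40.10",   # ns.example.com (the BIND host)
    "203.0.113.20": "192.168.40.20",   # www.example.com
}


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Construct a reply to an A query: one question, one IN A RR per answer.
    Answers owned by the question name use a compression pointer to offset
    12, as real servers do, so the rewriter has to cope with pointers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg = header + _encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ttl, ip in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else _encode_name(owner)
        rdata = bytes(int(o) for o in ip.split("."))
        msg += owner_bytes + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return msg


def _read_name(msg, off):
    """Decode the name at off, following compression pointers.
    Returns (dotted name, offset just past the name as stored in msg)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # pointer: two bytes, ends the name
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        elif length == 0:
            if end is None:
                end = off + 1
            return ".".join(labels) + ".", end
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length


def _records(msg):
    """Yield (owner, rtype, rclass, ttl, rdata_offset, rdlen) for every RR in
    the answer, authority and additional sections."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield owner, rtype, rclass, ttl, off, rdlen
        off += rdlen


def a_records(msg):
    """List (owner, dotted address) for each IN A record in the message."""
    return [(owner, ".".join(str(b) for b in msg[off:off + 4]))
            for owner, rtype, rclass, _, off, rdlen in _records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_response(msg, mapping=PUBLIC_TO_INSIDE):
    """Rewrite IN A RDATA, public -> inside, for addresses found in mapping.
    Returns (new message, number of records rewritten). Queries (QR clear)
    pass through untouched; an IPv4 address is replaced by another IPv4
    address, so length, names, TTLs and pointers need no adjustment."""
    flags = struct.unpack_from("!H", msg, 2)[0]
    if not flags & 0x8000:
        return msg, 0
    out, count = bytearray(msg), 0
    for _, rtype, rclass, _, off, rdlen in _records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = ".".join(str(b) for b in msg[off:off + 4])
            if public in mapping:
                out[off:off + 4] = bytes(int(o) for o in mapping[public].split("."))
                count += 1
    return bytes(out), count


if __name__ == "__main__":
    reply = build_response("ns.example.com.", [
        ("ns.example.com.", 3600, "203.0.113.10"),
        ("www.example.com.", 3600, "203.0.113.20"),
    ])
    print("as served to the outside:", a_records(reply))
    inside, n = doctor_response(reply)
    print("as seen from the inside: ", a_records(inside), "(rewritten:", n, ")")
```

The zone itself stays exactly as Marty has it, publishing only routable addresses; the rewrite happens on the packet as it crosses the firewall toward the inside, which is why inside clients would see the DMZ address without a second copy of the zone. Note the same property that makes this cheap (RDATA swapped in place, nothing resized) is also what limits it to plain A records.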

