netscape win behind firewall/dns problem

Joseph S D Yao jsdy at cospo.osis.gov
Wed Sep 29 17:30:59 UTC 1999


>                              |---- SOLARIS server/internal DNS
>                              |
>        LINUX(RH 6.0/socks5)  |
> INET-----FW/external DNS-----|
>           /proxy server      |---- 'n' SOLARIS netscape clients
>                              |
>                              |---- 'n' IRIX netscape clients
>                              |
>                              |---- 'n' LINUX netscape clients
>                              |
>                              |---- 'n' WIN netscape clients
> 
> - I need my external DNS for my internet server.
> - I need my internal DNS for my intranet server and my LAN admin.
> - I don't want my internal DNS to resolve external addresses.
> - I don't want my clients to use external DNS.
> - I don't need my clients to resolve external addresses.
> 
>       But netscape seems to talk only in socks V4 mode (socks5
> can also, but then it needs resolved addresses, and doesn't talk
> to the external DNS). No problem with unix clients : I just set
> SOCKS_NS variable to the IP address of my external DNS, netscape
> only then uses the external DNS, and all works fine.
> 
> .............. what about Windows clients ???????
> 
> PS : I already suggested to throw windows away, but my boss .....
> PPS: I said netscape doesn't talk with socks5, is that true ???

I don't know.  I do know that, with that attitude, the boss is likely
to tell you to get rid of the Linux firewall, and get one that works
with "his" systems ... probably running on MSW-NT or something glorious
like that.

Is Netscape using external DNS?  I haven't studied SOCKS, so I don't
know.  If all it needs is the address of the SOCKS server, surely it's
already getting it from internal DNS.  If it needs external DNS, you
may want to re-consider your reasons for not wanting to allow internal
hosts to "see" external DNS resolutions.  Personally, I can't imagine
why you don't want them to.  It's not a two-way street, if you don't
want it to be.

We use http-gw from the NAI/TIS FWTK (firewall toolkit) as a proxy, and
not SOCKS.  It is a true proxy, and not an IP packet filter.  It takes
the names of the external hosts, and tries to resolve them from that
point.  Even if we weren't allowing external DNS to resolve [which we
do], it should work.

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
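
The thread turns on which side resolves the destination name. This is an added Python sketch, not part of either message above, that builds SOCKS4, SOCKS4a and SOCKS5 (RFC 1928) CONNECT requests and reports whether each carries a client-resolved IP or a hostname for the proxy to resolve. The hostname and address are constructed samples; what a given Netscape build actually sends is not covered.

```python
import socket
import struct

def socks4_connect(ip, port, user=b""):
    # SOCKS4: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL.
    # Only an IPv4 address fits, so the client must resolve the name itself.
    return struct.pack("!BBH", 4, 1, port) + socket.inet_aton(ip) + user + b"\x00"

def socks4a_connect(host, port, user=b""):
    # SOCKS4a: DSTIP is the placeholder 0.0.0.x (x != 0); hostname follows USERID.
    head = struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
    return head + user + b"\x00" + host.encode("ascii") + b"\x00"

def socks5_connect(dest, port, by_name=True):
    # SOCKS5 request (sent after method negotiation): VER, CMD, RSV, ATYP, ADDR, PORT.
    if by_name:  # ATYP=3: length-prefixed domain name, resolved by the proxy
        name = dest.encode("ascii")
        addr = bytes([3, len(name)]) + name
    else:        # ATYP=1: IPv4 address already resolved by the client
        addr = b"\x01" + socket.inet_aton(dest)
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def resolver_side(req):
    """Return (who_resolves, destination) for a SOCKS CONNECT request."""
    if req[0] == 4:
        port = struct.unpack("!H", req[2:4])[0]
        ip = req[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            user_end = req.index(b"\x00", 8)             # end of USERID
            host_end = req.index(b"\x00", user_end + 1)  # end of hostname
            return "proxy", f"{req[user_end + 1:host_end].decode('ascii')}:{port}"
        return "client", f"{socket.inet_ntoa(ip)}:{port}"
    if req[0] == 5 and req[3] == 3:
        n = req[4]
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
        return "proxy", f"{req[5:5 + n].decode('ascii')}:{port}"
    if req[0] == 5 and req[3] == 1:
        port = struct.unpack("!H", req[8:10])[0]
        return "client", f"{socket.inet_ntoa(req[4:8])}:{port}"
    raise ValueError("unsupported SOCKS request")

if __name__ == "__main__":
    # Constructed samples: documentation address and example hostname.
    for r in (socks4_connect("192.0.2.10", 80),
              socks4a_connect("www.example.com", 80, b"joe"),
              socks5_connect("www.example.com", 443),
              socks5_connect("192.0.2.10", 443, by_name=False)):
        print(resolver_side(r))
```

Requests classified as "client" mean the workstation needed a resolver that knows external names; those classified as "proxy" leave resolution to the firewall host, which is the behaviour described for http-gw.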

