DNS behind firewall w/NAT, resolve both internal & external(real) IP?

Kevin Darcy kcd at daimlerchrysler.com
Mon Nov 27 23:42:41 UTC 2000


zz at rockstone.com wrote:

> I'd appreciate it if anyone could comment on how to achieve this:
>
> 1. Current situation:
> A company has an internal LAN of about a few hundred machines,
> internally on a private IP scheme (172.16.x.x / 255.255.0.0), connected
> to the Internet via an old Cisco PIX firewall (PIX-10000-AC-1024) which
> does network address translation (NAT) for those machines that need
> to be visible on the Internet. At this moment the ISP is hosting
> the company's DNS to cover those Internet-visible machines,
> and the company has its internal DNS covering internal addressing
> only. The main concern is that maintenance is inconvenient for MIS,
> because any time a record needs to be changed, they must send the ISP
> a request form following a pre-formatted procedure. The ISP is sometimes
> not very responsive. Currently:
> MachineA on internal LAN, behind firewall:
> Internal IP: 172.16.1.2 <-Firewall w/NAT-> External IP 207.224.102.130
>
> 2. What is the best way?
> The company is considering moving its DNS authority in-house and managing
> the DNS server on its own premises instead of having the ISP do it.
> Or perhaps running its own DNS as master (primary authoritative) and
> letting the ISP run a slave as secondary.
> Now the question comes: which way is better to implement this
> - should the primary DNS sit behind the firewall, or in front of
> the firewall?

In order to keep the incoming DNS traffic away from the firewall and NAT, it
would probably make more sense to put the nameserver on the outside. On the
other hand, being on the outside can make it a pain to maintain. It depends on
your security policies, your DNS maintenance mechanism and the capabilities of
your firewall.

One option to consider is *two* machines -- a "hidden" master on the inside and
a "fake" master, which is actually configured as a slave, on the outside. Then
you only have to configure the zone transfers to go through the firewall.

> The DNS must be able to determine the origin of the query
> and resolve external requests to the real address, and queries from the
> internal LAN to the 172.16.x.x address.
>
> 3. Recommendations or resources?
> I'd appreciate your ideas, including pros and cons, or a pointer to
> resources where I can get a sample configuration. And how to achieve
> high availability.
>
> 4. High availability - one ISP, two circuits, or two ISPs, two circuits?
> Sometimes the ISP T1 circuit goes down. So for redundancy purposes, they'd
> like to have a backup circuit. Should this be implemented by two routers
> to two different ISPs via two circuits running BGP, or some other type
> of dynamic routing?
> What is the most commonly used load balancing and fault tolerance design
> for the least spending?
> If two ISPs are selected, would the company need two blocks of addresses
> assigned by the two ISPs, or only one block of IPs?
> Is the Cisco PIX fail-over bundle a practical answer for circuit failure?
> I doubt it, because my impression is that the Cisco PIX fail-over only backs
> up in the event of a firewall failure, but gives no protection if the circuit
> fails or the connected ISP router goes down.

I know next to nothing about Cisco PIX, but in general terms, the more slaves
you have in diverse locations (network-wise as well as geographically) the more
redundancy you have. Redundant physical circuits and BGP tricks can enhance
this, but your fundamental reliability comes from having multiple nameservers
available to everyone at all times.


- Kevin
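An added example (not part of the original thread, and not Kevin's or the poster's configuration) of the hidden-master layout Kevin describes, combined with origin-dependent answers for the "internal vs. real address" requirement from item 2. It uses BIND 9 `view` statements, which did not exist in the BIND 8 servers common when this was posted. All names and addresses other than 172.16.1.2 / 207.224.102.130 are assumptions: the zone is `example.com`, the hidden master sits at 172.16.1.10 inside and is statically NATed to 207.224.102.140, and the outside "fake master" (really a slave) is 207.224.102.131. The firewall is assumed to pass TCP and UDP port 53 from 207.224.102.131 to the hidden master's NATed address, and nothing else inbound to it.

```conf
// ======== named.conf on the HIDDEN MASTER (inside, 172.16.1.10 - assumed) ========
options {
    directory "/var/named";
    // Send NOTIFY only to the hosts listed below, not to every NS in the zone.
    notify explicit;
    also-notify { 207.224.102.131; };   // the outside slave (assumed address)
    allow-transfer { none; };           // tightened per view below
};

acl "internal" { 172.16.0.0/16; 127.0.0.1; };

// Queries from the LAN (or over NAT from the inside) get the 172.16.x.x data.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                      // LAN clients may use this box as a resolver
    zone "example.com" {
        type master;
        file "internal/example.com.zone";     // MachineA -> 172.16.1.2
        allow-transfer { "internal"; };
    };
};

// Everything else, including the AXFR from the outside slave, gets the real addresses.
view "external" {
    match-clients { any; };
    recursion no;                       // never recurse for the outside world
    zone "example.com" {
        type master;
        file "external/example.com.zone";     // MachineA -> 207.224.102.130
        allow-transfer { 207.224.102.131; };  // only the outside slave may copy it
    };
};

// ======== internal/example.com.zone (constructed sample data) ========
// $TTL 3600
// @          IN SOA ns-hidden.example.com. hostmaster.example.com. (
//                2000112701 3600 900 1209600 3600 )
//            IN NS  ns-hidden.example.com.
// ns-hidden  IN A   172.16.1.10
// machinea   IN A   172.16.1.2

// ======== external/example.com.zone (constructed sample data) ========
// The hidden master does not appear in NS or SOA; the world only sees ns1 and the ISP.
// $TTL 3600
// @          IN SOA ns1.example.com. hostmaster.example.com. (
//                2000112701 3600 900 1209600 3600 )
//            IN NS  ns1.example.com.
//            IN NS  ns2.isp.example.
// ns1        IN A   207.224.102.131
// machinea   IN A   207.224.102.130

// ======== named.conf on the OUTSIDE SLAVE (207.224.102.131 - assumed) ========
options {
    directory "/var/named";
    recursion no;                       // authoritative only
    allow-transfer { none; };           // widen to the ISP's secondary if it stays
};

zone "example.com" {
    type slave;
    // The hidden master's NATed address; the PIX must map TCP+UDP 53 from this
    // host to 172.16.1.10 (assumed). No other inbound DNS reaches the master.
    masters { 207.224.102.140; };
    allow-notify { 207.224.102.140; };
    file "slaves/example.com.zone";
};
```

Because the slave's transfer request arrives at the master from 207.224.102.131, it matches the `external` view and copies only the public data; the internal zone with the 172.16.x.x records never leaves the LAN. The same split also covers the NAT problem in item 2 without a second set of zone files on the outside box, and additional slaves in other locations (Kevin's redundancy point) are added by listing them in `also-notify` and `allow-transfer` on the external view.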