dns inside firewall

Kevin Darcy kcd at daimlerchrysler.com
Mon Sep 18 22:33:03 UTC 2000


Are you still using 202.65.209.* addresses externally? If so, then you
probably want to continue serving the 209.65.202.in-addr.arpa zone.
IN ADDITION, you may wish to also define the 2.168.192.in-addr.arpa zone on
one or more of your nameservers.

But "in-addr.arpa" are "reverse" zones, i.e. they contain entries which map
addresses to names. This is usually of secondary importance. What I'd be
more concerned about is your forward zone(s), e.g. "example.com" or
whatever, which contain entries which map names to addresses, like web
server names, mail server names, etc. In your new, firewalled
architecture, do you need names in that/those zone(s) to resolve to
192.168.*.* addresses on the inside and 202.65.209.* addresses on the
outside? If so, then you may need to run a split DNS -- some servers on the
inside and some on the outside, with different databases. Just be careful,
you don't want to make the mistake of advertising A records pointing to
192.168.*.* addresses in your external DNS. That's a private address space
and external entities won't be able to connect to those addresses.


- Kevin
Joe Au wrote:

> i have a primary and secondary dns server setup inside the firewall DMZ.
>
> before we have no firewall, i have a 209.65.202.in-addr.arpa (real ip)
> record.
> but now, do i need to add a 2.168.192.in-addr.arpa (fake ip) record and
> delete the real ip record?
>
> thanks
> Joe Au
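An added example (not part of the original post) of the two checks Kevin describes: naming the in-addr.arpa zone for a /24, and auditing the external forward zone so that no A record points into private address space. The zone text below is a constructed sample; the `intranet` record is the kind of leak the reply warns against.

```python
import ipaddress
import re

# Constructed sample external zone file; one record wrongly points at an RFC 1918 address.
EXTERNAL_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@        IN  SOA  ns1.example.com. hostmaster.example.com. (2000091801 3600 900 604800 86400)
@        IN  NS   ns1.example.com.
ns1      IN  A    202.65.209.2
www      IN  A    202.65.209.10
mail     IN  A    202.65.209.25
intranet IN  A    192.168.2.15   ; internal host that must not appear in external DNS
"""

# Matches "<name> [ttl] [IN] A <ipv4>" in a simple, one-record-per-line zone file.
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(?P<addr>\d+\.\d+\.\d+\.\d+)")


def leaked_private_a_records(zone_text):
    """Return (name, address) pairs whose A record points into private address space."""
    leaks = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()  # strip zone-file comments
        m = A_RECORD.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group("addr"))
        if addr.is_private:  # 10/8, 172.16/12, 192.168/16 and other non-routable ranges
            leaks.append((m.group("name"), str(addr)))
    return leaks


def reverse_zone_for(network):
    """in-addr.arpa zone name for a /24, e.g. 202.65.209.0/24 -> 209.65.202.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen != 24:
        raise ValueError("only /24 reverse zones are handled here")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


if __name__ == "__main__":
    print("external reverse zone:", reverse_zone_for("202.65.209.0/24"))
    print("internal reverse zone:", reverse_zone_for("192.168.2.0/24"))
    for name, addr in leaked_private_a_records(EXTERNAL_ZONE):
        print(f"LEAK: {name} -> {addr} must not be served from the external view")
```

Run the audit against the zone file loaded on the outside nameservers; any hit means the split between internal and external databases has not been kept.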
