DNS through Firewall

Gary Wardell gwardell at gwsystems.co.il
Wed Feb 27 02:05:22 UTC 2002


In the first place NAT is not a firewall.

Second, everything your DNS published to the outside world needs to only have public addresses in it.

However, there is nothing to stop you from putting private (non-published, non-delegated) names in your DNS, that resolve to your
private 10.1.1.x/24 network, that you can then use on your LAN for your own purposes. (e.g. dig and NSlookup, etc.)

As I guess you are aware you will need to set up static routes in your NAT router so that your public IP(s) is/are routed to your
DNS and whatever other servers you have on your private LAN.


> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of David Frank
> Sent: Tue, February 26, 2002 5:30 PM
> To: comp-protocols-dns-bind at isc.org
> Subject: DNS through Firewall
> Greetings,
> I am having a problem with our new DNS server. Our old DNS server was
> also our firewall, so restricting access was relatively easy. Our new
> DNS server (no longer on the firewall) has a non-routable IP Address
> NAT'd to an external DNS. The problem I am having is what to put in my
> db.local for a name server. dns.datachannel.com resolves to an external
> address so that would seem to cause a problem as the local host has an
> address on the 10.1.1.x/24. Also, I know dig is the preferred
> troubleshooting tool and nslookup is not a good test, but when I do an
> nslookup it is unable to resolve itself as a DNS server.
> What is the most common way of securing your external DNS servers
> behind a firewall while still allowing the functionality you need for
> address resolution?
> Thank you for your time,
> David Frank
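The split the reply describes (public addresses only in what the outside world sees, private 10.1.1.x/24 names usable on the LAN) is what BIND 9 "views" are for. The configuration below is an added example, not something posted in this thread or shipped by ISC; the zone name example.com, the host ns1, the public address 192.0.2.10/192.0.2.11 (from the documentation range) and the file paths are placeholders standing in for the poster's real names and addresses. The block shows the named.conf followed by the two zone files it refers to.

```conf
// named.conf (added example): two views of the same zone.
// Once any view is defined, every zone, including the root hints,
// must live inside a view.

acl internal { 10.1.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
};

// LAN clients: private addresses and recursion.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "." { type hint; file "named.root"; };
    zone "example.com" {
        type master;
        file "internal/db.example.com";
    };
};

// Everyone else: authoritative only, public addresses only.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/db.example.com";
    };
};

; ---- internal/db.example.com (answers given only to 10.1.1.0/24) ----
$TTL 86400
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2002022701 ; serial (placeholder)
         3600 900 604800 86400 )
     IN NS  ns1.example.com.
ns1  IN A   10.1.1.5   ; the DNS host's own LAN address
www  IN A   10.1.1.6

; ---- external/db.example.com (the published zone) ----
$TTL 86400
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2002022701 ; serial (placeholder)
         3600 900 604800 86400 )
     IN NS  ns1.example.com.
ns1  IN A   192.0.2.10  ; public address the NAT router forwards to 10.1.1.5
www  IN A   192.0.2.11  ; public address NAT'd to 10.1.1.6
```

To check which view a query lands in, run `dig @10.1.1.5 ns1.example.com A` from a LAN host (expect 10.1.1.5) and the same query against 192.0.2.10 from outside (expect 192.0.2.10); the external view must never return a 10.x address. Keep the two serials in step when editing, or the secondaries for one view will lag the other.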
