Setting up DNS in DMZ
Kevin Darcy
kcd at daimlerchrysler.com
Tue Apr 6 00:16:47 UTC 2004
Tim Stanley wrote:
>I'm looking for examples of a correct way to set up a dns in a DMZ -- a
>hardware DMZ. Not setting up named on a system that has a firewall, but
>setting up named in the DMZ.
>
>Of course, on a firewall, there is the registered ip range, and 2 private
>ranges. The dns is for the registered ip range, however, it is set in one of
>the private ranges. So, what is appropriate for configuring the dns?
>
If your nameserver has an address in a private range, then you'll need
to do some NAT'ting, of course, in order for other Internet nameservers
to be able to communicate with it. All of the DNS data you serve to the
Internet will also need to be public addresses, with NAT'ting
being done as necessary between the HTTP/SMTP/whatever clients on the
Internet and your servers. Some NATs are smart enough -- or *think* they
are smart enough, but actually get it wrong -- to change
private-to-public addresses in DNS response packets on the fly. But I
wouldn't trust that technology. The more traditional approach is to
implement "split DNS" with internal and external databases for your
names -- in the "internal" database, the DMZ names would resolve to
private addresses, and in the "external" database, the DMZ names would
resolve to public addresses. If you use BIND 9, you could serve both the
internal and external databases from the same nameserver instance, if
you wanted, differentiating the answers by client source address via the
"view" feature.
- Kevin
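As an added illustration of the view-based split DNS described above (example configuration written for this page, not part of Kevin's message and not taken from the BIND documentation), here is one BIND 9 named.conf serving two views of the same zone. The zone name example.com, the internal network 10.0.0.0/8, the DMZ hosts in 10.1.1.0/24 and the public prefix 192.0.2.0/24 are all constructed placeholders.

```conf
// Added example, not from the original message: BIND 9 split DNS with views.
// Assumed/constructed values: zone example.com, internal clients in 10.0.0.0/8,
// DMZ servers in 10.1.1.0/24, public (NAT'ted) addresses in 192.0.2.0/24.

acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion no;            // safe default; the internal view re-enables it
    allow-transfer { none; }; // zone transfers only to hosts listed per zone
};

// Views are tried in order; the first match-clients that matches wins,
// so the internal view must come before the catch-all external view.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;           // only internal clients may use us as a resolver
    zone "example.com" {
        type master;
        file "internal/example.com.zone";  // DMZ names -> private addresses
    };
};

view "external" {
    match-clients { any; };
    recursion no;            // authoritative-only answers for the Internet
    zone "example.com" {
        type master;
        file "external/example.com.zone";  // DMZ names -> public addresses
    };
};

; ---- internal/example.com.zone (constructed sample data) ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2004040601 ; serial
                3600 900 1209600 300 )
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    10.1.1.53    ; the DMZ nameserver's real, private address
www     IN A    10.1.1.80
mail    IN A    10.1.1.25

; ---- external/example.com.zone (constructed sample data) ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2004040601 ; serial
                3600 900 1209600 300 )
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    192.0.2.53   ; public address the firewall NATs to 10.1.1.53
www     IN A    192.0.2.80   ; public address the firewall NATs to 10.1.1.80
mail    IN A    192.0.2.25   ; public address the firewall NATs to 10.1.1.25
```

The two zone files must be kept in step (same records, same serial bumps), since the external file is what the Internet sees and the internal file is what DMZ and internal hosts see. Because view selection is purely by client source address, the internal view's recursion is only as trustworthy as the firewall's anti-spoofing rules on the DMZ interface; the external view is left non-recursive so the Internet-facing side only ever answers for the zones it is authoritative for.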