Setting up DNS in DMZ

Kevin Darcy kcd at daimlerchrysler.com
Tue Apr 6 00:16:47 UTC 2004


Tim Stanley wrote:

>I'm looking for examples of a correct way to set up a dns in a DMZ -- a
>hardware DMZ. Not setting up named on a system that has a firewall, but
>setting up named in the DMZ.
>
>Of course, on a firewall, there is the registered ip range, and 2 private
>ranges. The dns is for the registered ip range, however, it is set in one of
>the private ranges. So, what is appropriate for configuring the dns?
>
If your nameserver has an address in a private range, then you'll need 
to do some NAT'ting, of course, in order for other Internet nameservers 
to be able to communicate with it. All of the DNS data you serve to the 
Internet will also need to be public addresses, with NAT'ting 
being done as necessary between the HTTP/SMTP/whatever clients on the 
Internet and your servers. Some NATs are smart enough -- or *think* they 
are smart enough, but actually get it wrong -- to change 
private-to-public addresses in DNS response packets on the fly. But I 
wouldn't trust that technology. The more traditional approach is to 
implement "split DNS" with internal and external databases for your 
names -- in the "internal" database, the DMZ names would resolve to 
private addresses, and in the "external" database, the DMZ names would 
resolve to public addresses. If you use BIND 9, you could serve both the 
internal and external databases from the same nameserver instance, if 
you wanted, differentiating the answers by client source address via the 
"view" feature.

                                    - Kevin
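As an added illustration of the split-DNS-with-views setup Kevin describes above (example configuration written for this archive page, not taken from his message), assuming the zone example.com, 192.0.2.0/24 as the registered range, 172.16.1.0/24 as the DMZ private range and 10.0.0.0/8 as the internal LAN:

```conf
// named.conf excerpt: one BIND 9 instance, two databases, chosen by client source address.
// Addresses are assumed: 192.0.2.0/24 stands in for the registered range, 172.16.1.0/24 for the DMZ.
acl "internal-nets" {
    10.0.0.0/8;        // assumed internal LAN
    172.16.1.0/24;     // assumed DMZ private range
    127.0.0.1;
};

// Views are tried in order; the first whose match-clients matches wins,
// so the internal view must precede the catch-all external one.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "db.example.com.internal";   // private addresses
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // authoritative only towards the Internet
    allow-transfer { none; };      // add the public address of your secondary, if any
    zone "example.com" {
        type master;
        file "db.example.com.external";   // public (post-NAT) addresses
    };
};

; ---- db.example.com.internal (zone file; ';' starts a comment) ----
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2004040601 3600 900 1209600 300 )
     IN NS  ns1.example.com.
ns1  IN A   172.16.1.2     ; nameserver's private address
www  IN A   172.16.1.10    ; DMZ web server, private address

; ---- db.example.com.external ----
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2004040601 3600 900 1209600 300 )
     IN NS  ns1.example.com.
ns1  IN A   192.0.2.2      ; public address the firewall NATs to 172.16.1.2
www  IN A   192.0.2.10     ; public address the firewall NATs to 172.16.1.10
```

A client in 10.0.0.0/8 asking for www.example.com gets 172.16.1.10, while the same query arriving from the Internet gets 192.0.2.10, so no NAT device has to rewrite DNS payloads. Querying the server with dig from a host on each side of the firewall is the quickest way to confirm the right view is answering.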




More information about the bind-users mailing list