dns for DMZ with many servers (views confusion)

Barry Margolin barmar at alum.mit.edu
Wed Jun 8 05:20:28 UTC 2005


In article <d84kq5$1rup$1 at sf1.isc.org>,
 Michał Kurowski <mkur at poczta.gazeta.pl> wrote:

> Hi,
> 
> I think I'm confused a bit and I'd like to ask for some explanation.
> 
> How are views actually supposed to work in a DMZ-type network with
> multiple servers?
> 
> There are many different services in our DMZ running on many servers.
> Each one of them is supposed to be seen as the same (top-level)
> "address". External view (or external bind) has no problems and the
> traffic is nicely forwarded by the firewall (DNAT-ed). 
> 
> My problem is the internal server (view). SMTP, WWW, FTP servers
> should all be resolved to the same top-level name and I'm not really
> sure how to do this. 

In the external view, all the names will resolve to the firewall's 
public address (let's say it's 192.168.10.20):

www IN A 192.168.10.20
smtp IN A 192.168.10.20
ftp IN A 192.168.10.20

But in the internal view, the names will resolve to the specific 
addresses (let's say they're in the 172.16.30.0/24 subnet):

www IN A 172.16.30.5
smtp IN A 172.16.30.6
ftp IN A 172.16.30.7

Are you trying to use a single name for all the services?  That won't 
work if they're on different servers and there's no port-forwarding 
device in the path.  So don't do that.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
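The two record sets in Barry's reply, written out as a complete BIND views configuration. This is an added example, not part of the original message. It assumes the zone is called example.com, the name server itself sits in the DMZ at 172.16.30.2, and the office LAN is 10.0.0.0/8; the 192.168.10.20 firewall address and the 172.16.30.5/6/7 host addresses are the ones from the reply. The named.conf fragment and the two zone files are shown in one block, separated by banner comments.

```conf
// ---- named.conf fragment: split-horizon DNS for the DMZ hosts ----
// Assumptions (not from the original post): zone example.com,
// this name server at 172.16.30.2, office LAN 10.0.0.0/8.

acl "internal-nets" {
    127.0.0.1;
    172.16.30.0/24;     // DMZ hosts
    10.0.0.0/8;         // office LAN (assumed)
};

// Views are tested in the order written; the first match-clients that
// matches the query's source address wins, so the restrictive view
// must come before the catch-all one.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;      // internal clients may use this server as a resolver
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };   // everyone not matched above, i.e. the Internet
    recursion no;             // never act as an open resolver for outside clients
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

; ---- /etc/bind/db.example.com.external (answers given to the Internet) ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2005060801 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.example.com.
        IN MX 10 smtp.example.com.
ns1     IN A    192.168.10.20   ; firewall's public address, DNAT to the DMZ
www     IN A    192.168.10.20   ; every service name points at the firewall
smtp    IN A    192.168.10.20
ftp     IN A    192.168.10.20

; ---- /etc/bind/db.example.com.internal (answers given to internal clients) ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2005060801 ; serial (each file keeps its own serial)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.example.com.
        IN MX 10 smtp.example.com.
ns1     IN A    172.16.30.2     ; assumed DMZ address of this name server
www     IN A    172.16.30.5     ; real host addresses, never shown outside
smtp    IN A    172.16.30.6
ftp     IN A    172.16.30.7
```

Before reloading, run `named-checkconf` on the configuration and `named-checkzone example.com <file>` on each zone file. Then query from both sides: `dig @ns1.example.com www.example.com A` from an internal host should return 172.16.30.5, and the same query from outside should return 192.168.10.20. Two things are worth checking when the answers look wrong: view selection is by source address, so an internal client whose queries leave through the firewall's NAT will be classified as external, and the external zone file must never be a copy of the internal one, or the private DMZ addresses leak to the Internet.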