dns for DMZ with many servers (views confusion)
barmar at alum.mit.edu
Wed Jun 8 05:20:28 UTC 2005
In article <d84kq5$1rup$1 at sf1.isc.org>,
Michał Kurowski <mkur at poczta.gazeta.pl> wrote:
> I think I'm confused a bit and I'd like to ask for some explanation.
> How are views actually supposed to work in a DMZ-type network with
> multiple servers?
> There are many different services in our DMZ running on many servers.
> Each one of them is supposed to be seen as the same (top-level)
> "address". External view (or external bind) has no problems and the
> traffic is nicely forwarded by the firewall (DNAT-ed).
> My problem is the internal server (view). SMTP, WWW, FTP servers
> should all be resolved to the same top-level name and I'm not really
> sure how to do this.
In the external view, all the names will resolve to the firewall's
public address (let's say it's 192.168.10.20):
www IN A 192.168.10.20
smtp IN A 192.168.10.20
ftp IN A 192.168.10.20
But in the internal view, the names will resolve to the specific
addresses (let's say they're in the 172.16.30.0/24 subnet):
www IN A 172.16.30.5
smtp IN A 172.16.30.6
ftp IN A 172.16.30.7
Are you trying to use a single name for all the services? That won't
work if they're on different servers and there's no port-forwarding
device in the path. So don't do that.
Barry Margolin, barmar at alum.mit.edu
*** PLEASE post questions in newsgroups, not directly to me ***
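A complete split-horizon configuration that implements the two views Barry describes, as an added example that is not part of the original thread. The zone name example.com, the ACL name and inside range 172.16.0.0/12, the file paths, the SOA/NS/MX records and the ns1 host are my assumptions; the service addresses are the ones used in the reply. The block holds three separate files (named.conf and the two zone files), delimited by comments.

```conf
// /etc/named.conf (assumed path). BIND serves the first view whose
// match-clients matches the querier, so the narrower internal view is
// listed before the catch-all external one.
acl "dmz-internal" { 172.16.0.0/12; localhost; };  // assumed inside range

options {
    directory "/var/named";
    allow-transfer { none; };   // no zone transfers to arbitrary clients
};

view "internal" {
    match-clients { "dmz-internal"; };
    recursion yes;              // inside hosts may use this as a resolver
    zone "example.com" { type master; file "example.com.internal"; };
};

view "external" {
    match-clients { any; };
    recursion no;               // authoritative only: never an open resolver
    zone "example.com" { type master; file "example.com.external"; };
};

; ---- /var/named/example.com.external: every name -> firewall address ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2005060801 7200 900 1209600 3600 )
        IN NS   ns1.example.com.
        IN MX   10 smtp.example.com.
ns1     IN A    192.168.10.20
www     IN A    192.168.10.20
smtp    IN A    192.168.10.20
ftp     IN A    192.168.10.20

; ---- /var/named/example.com.internal: real DMZ hosts, one per service ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2005060801 7200 900 1209600 3600 )
        IN NS   ns1.example.com.
        IN MX   10 smtp.example.com.
ns1     IN A    172.16.30.2
www     IN A    172.16.30.5
smtp    IN A    172.16.30.6
ftp     IN A    172.16.30.7
```

Run named-checkconf and named-checkzone on the files before reloading, then query www.example.com with dig from an inside and an outside address to confirm that each client gets the answer from the view it should.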