Date: Thu, 9 Nov 2000 17:07:38 -0600 (CST)
From: Geoff Wyche <geoff@schoolpeople.net>
To: freebsd-questions@freebsd.org
Subject: Re: DNS Setup
Message-ID: <Pine.BSF.4.21.0011091703020.59231-100000@gabriel.schoolpeople.net>
In-Reply-To: <3A0B2738.CB1D505B@pc759.cs.msu.su>
I recently had to do something similar. I chose to run an internal named and an external named on the same CPU. The external named runs on a non-standard port. The firewall then redirects port 53 to the nameserver's nonstandard port. Thus, internal hosts reach the internal server on port 53 and external hosts see the external DNS on port 53.

Because I have separate static IP addresses for the server and firewall, the firewall can accept packets for the nameserver's IP with an inet alias, and hosts outside the firewall are none the wiser.

Hope this helps,

--Geoff
geoff@schoolpeople.net

On Thu, 9 Nov 2000, Alexander Derevyanko wrote:

> Jeremy Vandenhouten wrote:
> >
> > In setting up 1 of the 2 DNS servers required for taking control of a
> > domain, does setting up one behind a firewall constitute a valid option?
> > More info to follow:
> >
> > Lucent Router ------ FreeBSD NAT firewall --------- DNS Server
> >
> > I know I need to tell the firewall to redirect port 53 both forwards
> > and backwards for the DNS server.
> >
> > A case in point: assuming I was on the outside of the Lucent Router and
> > wanted to use the internal DNS server (192.168.x.x) from another
> > FreeBSD box, where would I point it, because obviously the DNS server
> > doesn't have a legitimate external "Internet IP."
>
> If you do the redirection, you will use the IP of your firewall.
>
> > The question is easy if I'm internal behind the firewall; I could just
> > point directly at the 192.168.x.x address, but that's not the situation
> > I'm looking at. Or, alternatively, is there a better way of setting
> > this up without putting the DNS server on the firewall machine?
>
> It is not too clever to allow everybody from the whole world to inspect your
> internal domain.
> Also, it is useless if you have internal IPs in DNS.
>
> I suggest the following strategy: install one set of DNS servers for your
> legitimate IP addresses (most of all, you will need a very small zone, like
> www.mydomain.com, ftp.mydomain.com and an MX record for mydomain.com). I
> suggest using your upstream provider's DNS service for this. And install a
> completely internal DNS server, with no possibility to access it from
> outside. Of course, all internal hosts must use your internal DNS as DNS
> server.
>
> > Thanks for any input...
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
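The point made in the quoted reply, that records carrying internal addresses are useless (and revealing) in an externally reachable zone, can be checked before the external named loads its zone file. This is an added example and not code from anyone in this thread; the zone contents and the mydomain.com names are constructed, with the documentation range 203.0.113.0/24 standing in for real public addresses.

```python
import ipaddress
import re

# Constructed external zone for illustration (not from the thread); the
# 203.0.113.0/24 documentation range stands in for real public address space.
EXTERNAL_ZONE = """\
$ORIGIN mydomain.com.
@         IN  NS   ns1.mydomain.com.
@         IN  MX   10 mail.mydomain.com.
www       IN  A    203.0.113.10
ftp       IN  A    203.0.113.11
mail      IN  A    203.0.113.12   ; MX target
intranet  IN  A    192.168.1.20   ; belongs in the internal zone only
printer   IN  A    10.0.0.5
ns1       IN  AAAA fd00::53       ; ULA, unreachable from the Internet
"""

# Address space an outside resolver can never reach: publishing it is useless
# to legitimate clients and leaks the internal layout.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# owner [ttl] [class] (A|AAAA) address  -- matches the address records of a zone file
ADDR_RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)")

def is_internal(addr_text):
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in INTERNAL_NETS)

def find_internal_leaks(zone_text):
    """Return [(fqdn, address), ...] for A/AAAA records that point at internal
    address space and therefore must not appear in the externally served zone."""
    origin, leaks = ".", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = ADDR_RR.match(line)
        if not m:                                     # NS, MX, directives, blanks
            continue
        owner, _rtype, addr_text = m.groups()
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        if is_internal(addr_text):
            leaks.append((fqdn, addr_text))
    return leaks
```

Run it against the zone the external named will serve; anything it returns belongs in the internal server's zone only.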