[NTLUG:Discuss] opinions on where to run DNS server..... firewall vs main server.
gin
gin at driver8.net
Thu Mar 2 22:02:45 CST 2000
Isn't the DNS wherever (the IP address) you specified when you registered
the domain w/ Network Solutions or the like? You can specify the IP
addresses of the primary and secondary DNS servers, wherever you like,
irrespective of what you might assign to the main server. And I agree with
the previous assertion that DNS for a small domain is not taxing and so
your filtering/forwarding machine won't notice much of a difference.

I dare say this (because I do love Linux), but if you weren't opposed to
considering something like FreeBSD or OpenBSD for your firewall, you could
use IPF and IPNAT, which have some very handy network address translation
(NAT) capabilities. With NAT, you could translate DNS packets sent to
your assigned DNS server (say 1.1.1.1:53) across your firewall into your
inner subnet to the address of your DNS server sitting inside (say
2.2.2.2:53) and treat them as if they were queries made natively within
that subnet. UDP and ICMP logging are a snap as well. This way you get
filtering and flexibility. It's kind of like masquerading in reverse (for
the administrator as opposed to the surfer) --- the destination address is
manipulated in the firewall and sent to a new address of your liking. There
is a good article on NAT in this month's SysAdmin that you might want to
check out (the contents can be found at
http://www.sysadminmag.com/current/). Other info is available at
http://coombs.anu.edu.au/~avalon/ip-filter.html.

Bottom line: have fun with it. There's more than one way to do it.
At 07:36 PM 3/1/00 -0800, you wrote:
>thanks for the comments.
>
>my initial intent and still is so far, is to setup the dns on the box that
>will be used as my firewall/router/proxy. i will use forwarders to my
>isp's name servers for outside address resolution for the local net. i do
>want to affect the internet wide address resolving for my domains. i just
>read something in some docs about dns setup that said it was assumed that
>the dns would be installed on the main server. it was not obvious to me
>as to why so i thought i would ask for opinions to gain an understanding.
>
>thanks again for your comments.
>
>
>>From: "Scott Womer" <Scott at womer.com>
>>Reply-To: discuss at ntlug.org
>>To: <discuss at ntlug.org>
>>Subject: Re: [NTLUG:Discuss] opinions on where to run DNS server.....
>>firewall vs main server.
>>Date: Wed, 1 Mar 2000 06:27:18 -0600
>>
>>Opinion Alert:
>>
>>What I found that worked best for me, when I needed to resolve both internal
>>and external addresses for the nodes on the inside of the firewall, and
>>provide name resolution for the machines outside the firewall, is to run
>>what's called a split-level dns. Put a minimal dns on the firewall
>>itself; this one should be able to resolve only the names and addresses of
>>the publicly accessible machines, and this dns would point to the normal root
>>servers. Put another dns on a machine inside the firewall that resolves
>>just the private side of the network; this dns would use the firewall dns as
>>its root level dns and its forwarder. Both your dns servers would have
>>the internal dns configured as their primary resolver.
>>
>>That's about as simple as I can make it sound without going into 10 pages of
>>detail. If you want more detail, or just have questions... let me know.
>>
>>
>>Thanks,
>>Scott Womer
>>
>>
>>----- Original Message -----
>>From: "clyde swann" <swannc at hotmail.com>
>>To: <discuss at ntlug.org>
>>Sent: Tuesday, February 29, 2000 8:19 PM
>>Subject: [NTLUG:Discuss] opinions on where to run DNS server..... firewall
>>vs main server.
>>
>>
>> > i had started setting up dns to run on my firewall/gateway/router machine
>> > (486dx2/66, 32mg ram, linux v6.0), connected to adsl line with static ip.
>> > then i read something that suggested the dns server is expected to be run on
>> > the main server (pii-450, 192mg ram, linux v6.1). just curious as to the
>> > assumption, other than it being a server program. are there any real
>> > pros/cons?
>> >
>> > ______________________________________________________
>> > Get Your Private, Free Email at http://www.hotmail.com
>> >
>> >
>> > _______________________________________________
>> > http://ntlug.org/mailman/listinfo/discuss
>>
>>
>>_______________________________________________
>>http://ntlug.org/mailman/listinfo/discuss
>
>______________________________________________________
>Get Your Private, Free Email at http://www.hotmail.com
>
>
>_______________________________________________
>http://ntlug.org/mailman/listinfo/discuss
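Scott's split-level design above puts only the publicly reachable names on the firewall DNS and keeps everything else on the server inside. The script below is an added example written for this thread, not code from any of the posts; it parses two constructed zone files (the domain example.test, the 203.0.113.x public addresses and the 192.168.1.x inside addresses are all made up) and reports the two things an administrator would check before going live with such a setup: inside-only hosts or private addresses leaking into the public zone, and public names the inside server cannot answer on its own.

```python
"""Audit a split-level DNS setup from two zone files.

The public zone (served by the minimal DNS on the firewall) must not carry
internal names or RFC 1918 addresses; the internal zone must still answer
for every public name so inside clients never need the outside view.
Example code for this thread, not from the original posts; all zone data,
names and addresses below are constructed.
"""
import ipaddress
import re

# Constructed public zone: what the minimal DNS on the firewall serves.
PUBLIC_ZONE = """
$ORIGIN example.test.
@       IN  SOA  ns1.example.test. hostmaster.example.test. (2000030201 3600 900 604800 86400)
@       IN  NS   ns1.example.test.
ns1     IN  A    203.0.113.1
www     IN  A    203.0.113.10
mail    IN  A    203.0.113.25
; the next line is the mistake the audit should catch: an inside-only host
fileserver IN A  192.168.1.20
"""

# Constructed internal zone: served by the DNS on the inside of the firewall.
INTERNAL_ZONE = """
$ORIGIN example.test.
@          IN SOA ns-int.example.test. hostmaster.example.test. (2000030201 3600 900 604800 86400)
@          IN NS  ns-int.example.test.
ns-int     IN A   192.168.1.2
www        IN A   192.168.1.10
fileserver IN A   192.168.1.20
printer    IN A   192.168.1.30
"""

# Address ranges that must never appear in the zone the outside world sees.
# Listed explicitly (rather than via ip_address.is_private) so the check is
# unambiguous and does not also flag the documentation ranges used above.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# owner name, optional TTL, class IN, type A, address
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+A\s+(?P<addr>\S+)$", re.I)


def parse_a_records(zone_text):
    """Return {owner_name: IPv4Address} for the A records in a simple zone file.

    Comments (';'), directives ('$ORIGIN', ...) and non-A records are skipped.
    This handles the flat one-record-per-line style used in the data above,
    not every construct a full zone parser would accept."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        m = A_RECORD.match(line)
        if m:
            records[m.group("name").lower()] = ipaddress.ip_address(m.group("addr"))
    return records


def is_non_public(addr):
    """True if the address belongs to a range the public zone must not expose."""
    return any(addr in net for net in NON_PUBLIC)


def audit_public_zone(public_text, internal_text):
    """Findings for the firewall's public zone, as human-readable strings:
    A records pointing at private or loopback space, and owner names that
    also exist in the internal zone but only with non-public addresses."""
    public = parse_a_records(public_text)
    findings = []
    for name, addr in sorted(public.items()):
        if is_non_public(addr):
            findings.append(f"{name}: public zone exposes non-public address {addr}")
    return findings


def missing_from_internal(public_text, internal_text):
    """Public names the internal DNS has no A record for.  Inside clients
    would have to fall through to the firewall DNS (the forwarder) for these,
    which works, but usually means the internal zone is incomplete."""
    public = parse_a_records(public_text)
    internal = parse_a_records(internal_text)
    return sorted(set(public) - set(internal))


if __name__ == "__main__":
    for finding in audit_public_zone(PUBLIC_ZONE, INTERNAL_ZONE):
        print("LEAK   ", finding)
    for name in missing_from_internal(PUBLIC_ZONE, INTERNAL_ZONE):
        print("MISSING", f"{name}: not answered by the internal DNS")
```

Run against the constructed data, the audit flags the fileserver record in the public zone and lists mail and ns1 as names only the firewall DNS knows; with real zone files you would feed the two texts in from disk and fix the zones until both lists are empty (or intentionally non-empty, as with the public name servers themselves).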