On Wed, 25 Aug 2004 07:28:54 -0400, Rodolfo Alcázar <rodolfo.alcazar@xxxxxxxxxxxx> wrote:

> > On Mon, 23 Aug 2004 18:09:16 -0400, Travis Fraser <travis@xxxxxxxxxxxxx> wrote:
> > > On Mon, 2004-08-23 at 17:29, Mike Burger wrote:
> > > > On Mon, 23 Aug 2004, Rodolfo Alcázar wrote:
> > > > >
> > > > > From: "Mike Burger" <mburger@xxxxxxxxxxxxxxxxx>
> > > > >
> > > > > > On Mon, 23 Aug 2004, Rodolfo Alcázar wrote:
> > > > > >
> > > > > > > > Errr, this is a classic case for a split DNS setup, you need to set up
> > > > > > > > DNS to point to its DMZ interface on/within the firewall, or just add
> > > > > > > > it in the hosts file, don't try to connect to the external interface
> > > > > > > > and use the NAT, it doesn't work that way. I could be wrong.
> > > > > > > >
> > > > > > > > Yang
> > > > > > >
> > > > > > > Thanks, Yang. I hadn't heard about split DNS setup. I will try it. Best
> > > > > > > regards.
> > > > > >
> > > > > > In the meantime, you can use something like this (I used this until split
> > > > > > DNS came into play on my network):
> > > > > >
> > > > > > $IPTABLES -t nat -A PREROUTING -i internal-interface -d your.external.ip.address -j DNAT --to your.internal.destination.IP
> > > > > > $IPTABLES -t nat -A POSTROUTING -o internal-interface -d your.internal.destination.IP -s your.internal.network/netmask -j SNAT --to firewall's.internal.ip.address
> > > > > > --
> > > > > > Mike Burger
> > > > > > http://www.bubbanfriends.org
> > > > >
> > > > > Thx, Mike. This is the solution I was expecting, but I think the split
> > > > > DNS is my right answer. I will do the same as you, use these rules in the
> > > > > meantime. Best regards.
> > > >
> > > > Happy to help.
> > > >
> > > > If you need an example of a split DNS config, let me know. I'm using it,
> > > > now, in lieu of the routing option.
> > > > --
> > > > Mike Burger
> > >
> > > Hi Mike,
> > >
> > > I would like to see the split-DNS config. This thread is very timely for
> > > me as I am setting up the exact arrangement in my network.
> > >
> > > Thanks,
> > > Travis Fraser
> >
> > hi,
> >
> > A simple split dns configuration really is just using your internal
> > DNS as the primary and some external public DNS as the secondary in
> > the DNS name resolving order.
> >
> > #/etc/resolv.conf
> > domain mydomain.com
> > nameserver xxx.xxx.xxx.xxx (my internal dns with private LAN info only)
> > nameserver xxx.xxx.xxx.xxx (some external public DNS for public name resolution)
> >
> > the catch is you set up the internal DNS zone records using the
> > internal IP of servers so you do not resolve them with external IPs
> > they might be NATed with on the public DNS server. DO NOT allow any
> > external hosts to query the same DNS server for your domain!
> >
> > and for anything else, you can either set up the same server for
> > forwarding or failover to the configured secondary public server to do
> > the name resolution.
> >
> > Yang
>
> Travis, based on Yang's idea, I checked the BIND9 docs, and found a very
> simple named.conf parameter: "view". If you use BIND9, you can try this,
> also; it is very easy & simple (you do not need to start another daemon). Here is
> a simplification of my named.conf file (the only differences between internal
> and external zones are the myzone / myzone.LOCAL files, where you store your
> differentiated records, and the matched clients):
>
> options {
>     directory "/var/named";
>     // some lines deleted for security reasons
> };
>
> view "internal" {
>     match-clients { 127.0.0.1; 192.168.0.0/16; };
>     zone "myzone.org" IN {
>         type master;
>         file "myzone";
>     };
>     // some lines deleted for security reasons
> };
>
> view "external" {
>     match-clients { any; };
>     zone "myzone.org" IN {
>         type master;
>         file "myzone.LOCAL";
>     };
>     // some lines deleted for security reasons
> };
>
> I suppose I have security issues I must solve, but this is the idea. If
> anyone finds which security issues we must address, please write to the list.
>
> Best regards,
>
> Rodolfo

Hi,

"Views" do not enforce security; it should be done by firewall rules in
addition to anti-spoofing configuration. Also, use the chroot feature that
comes with BIND whenever you can.

Yang
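The pieces this thread keeps returning to, put together in one added example (this is not code from any poster, and not Rodolfo's actual named.conf): Rodolfo's two-view BIND 9 layout, Mike's hairpin NAT rules, and Yang's closing point that a view is selected purely by source address, so the "internal" view is only as trustworthy as the firewall's anti-spoofing rules that stop a packet claiming a 192.168.x.x source from arriving on the outside interface. The external view is also made authoritative-only, which is the usual fix for the "do not let external hosts query your internal resolver" warning in Yang's earlier post. Interface names, addresses (RFC 1918 and RFC 5737 documentation ranges), zone file names and the acl name are all assumptions made for the example. The view approach also sidesteps a limitation of Yang's resolv.conf ordering: the stub resolver only moves to the next nameserver on timeout, not on a negative answer.

```shell
#!/bin/sh
# Added example (not code from any poster in this thread). It renders a BIND 9
# named.conf with internal/external views and the iptables rules
# (iptables-restore format) that make the view split hold: hairpin NAT so the
# LAN can use the public name, and anti-spoofing so no packet with an internal
# source address can arrive from the outside interface.
# Interface names, addresses (RFC 1918 / RFC 5737 ranges), zone file names and
# the acl name are assumptions for the example.
set -eu

EXT_IF=eth0
INT_IF=eth1
EXT_IP=203.0.113.10        # firewall's public address; also the public A record
FW_INT_IP=192.168.1.1      # firewall's LAN address
SRV_INT_IP=192.168.1.20    # internal server reachable from outside via DNAT
INT_NET=192.168.0.0/16

# A view is chosen by the client's source address and nothing else; it gives
# different answers, it is not an access control. The external view is
# therefore authoritative-only: no recursion for the world at large.
render_named_conf() {
  cat <<EOF
acl "internal" { 127.0.0.1; ${INT_NET}; };

options {
    directory "/var/named";
    allow-transfer { none; };
};

view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    zone "myzone.org" IN {
        type master;
        file "myzone.internal";   // A records carry ${SRV_INT_IP}
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "myzone.org" IN {
        type master;
        file "myzone.external";   // A records carry ${EXT_IP}
    };
};
EOF
}

# nat table: hairpin NAT (Mike's two rules). filter table: the anti-spoofing
# drops that the internal view's match-clients depends on, then DNS service.
render_iptables_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${INT_IF} -d ${EXT_IP} -j DNAT --to-destination ${SRV_INT_IP}
-A POSTROUTING -o ${INT_IF} -s ${INT_NET} -d ${SRV_INT_IP} -j SNAT --to-source ${FW_INT_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${EXT_IF} -s ${INT_NET} -j DROP
-A INPUT -i ${EXT_IF} -s 127.0.0.0/8 -j DROP
-A FORWARD -i ${EXT_IF} -s ${INT_NET} -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -i ${INT_IF} -s ${INT_NET} -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${INT_IF} -s ${INT_NET} -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the rendered named.conf parses: named-checkconf if it is
# installed, otherwise a brace-balance check that catches common editing slips.
check_named_conf() {
  tmp=$(mktemp)
  render_named_conf > "$tmp"
  if command -v named-checkconf >/dev/null 2>&1; then
    if named-checkconf "$tmp"; then rc=0; else rc=1; fi
  else
    opens=$(tr -cd '{' < "$tmp" | wc -c)
    closes=$(tr -cd '}' < "$tmp" | wc -c)
    if [ "$opens" -eq "$closes" ]; then rc=0; else rc=1; fi
  fi
  rm -f "$tmp"
  return "$rc"
}

check_named_conf && echo "named.conf renders and parses"
```

Load the rules with `iptables-restore` and start named with `-t <chroot dir>` and `-u <user>`, which is the chroot feature Yang mentions; the anti-spoofing drops must be in place before the internal view goes live, since without them an outside host sending a query with a forged 192.168.x.x source would be handed the internal view's answers.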