Why don't you use two (or three) DNS servers on your application gateway: the (primary and secondary) DNS server of your provider for internet addresses and your internal DNS server for the internal addresses? I think that should solve the problem. If you're using SuSE Linux, you can change the nameservers using yast or you can edit /etc/resolve.
But how does the gateway know that, for example, MY-PC-NAME is an internal name and has to be resolved by the internal DNS server? If I resolve names by my provider, the gateway tries to resolve MY-PC-NAME by the provider. Yet I see no way to tell the gateway: "For this name try the internal, for another name try the provider's DNS server."

Michael
On Fri, Mar 24, 2000 at 14:31 +0100, Michael Hamm wrote:
But how does the gateway know that, for example, MY-PC-NAME is an internal name and has to be resolved by the internal DNS server?
This is one of the basic things in configuring DNS: a client asks your local server (i.e. _any_ server) and gets an answer without caring at all whether this one was derived locally (being authoritative or cached) or fetched remotely (by forwarding the request to your uplink's server) -- it's the server's job to produce the answer.

Maybe the DNS HowTo is what you want to have a glimpse at. And you might want to visit a local FreeBSD mirror (www.{lu,de}.freebsd.org?) and have a look at the freebsd-security ML archive. There was a thread called "Continual DNS requests from mysterious IP" late in January containing some instructions or methods for securing your configuration.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
On 24 Mar 2000, at 14:31, Michael Hamm wrote:
But how does the gateway know that, for example, MY-PC-NAME is an internal name and has to be resolved by the internal DNS server?
If I resolve names by my provider, the gateway tries to resolve MY-PC-NAME by the provider. Yet I see no way to tell the gateway: "For this name try the internal, for another name try the provider's DNS server."
Michael
Hi,

if you carefully read DNS related documentation you will find that a DNS server hardly holds *all* name-IP pairs; a DNS server will have a link to another one to resolve the names it cannot resolve itself, which is done with the "forwarders xxx.xxx.xxx.xxx" line in /etc/named.boot. This line instructs the DNS server to forward all requests it cannot resolve to host xxx.xxx.xxx.xxx.

So for your question: the DNS requests are not split by the gateway but go to your standard nameserver in the internal net, which holds all name-IP pairs of this network. If this nameserver receives a request for a name it cannot resolve (like addresses on the internet, but also typos), it will forward this request to the nameserver of your ISP.

Please do not forget to restrict access to the database of your network with the "xfernets xxx.xxx.xxx.xxx" statement. Every member of xxx.xxx.xxx.xxx will be able to download the whole DNS information of your nameserver; if there is no xfernets statement, everyone can get this data by simply asking your nameserver.

HTH
mike
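The setup the replies describe (one internal server that is authoritative for the local names, forwards everything else to the ISP, and refuses zone transfers to outsiders), written out in BIND 9 named.conf syntax rather than the named.boot form the post cites. This is an added example, not configuration posted by anyone in the thread; the zone name corp.example, the internal network 10.0.0.0/8, the secondary 10.0.0.2 and the ISP resolvers 192.0.2.53/54 are assumed placeholder values.

```conf
// Added example, not from the thread. Internal resolver on the gateway that
// answers its own zone and forwards everything else to the provider.
// Assumed placeholders: corp.example, 10.0.0.0/8, 10.0.0.2, 192.0.2.53/54.
options {
    directory "/var/named";

    // Names this server is not authoritative for (internet names, typos)
    // go to the provider's resolvers; "forward only" means the server
    // never walks the root servers itself.
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;

    // Only internal clients may query this server, recursion included;
    // a gateway resolver that recurses for the whole internet is an
    // open resolver and an amplification risk.
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };

    // Zone transfers hand out the whole internal name/IP database. This is
    // the named.conf counterpart of the named.boot "xfernets" restriction:
    // list only your secondary, or "none;" if there is no secondary.
    allow-transfer  { 10.0.0.2; };
};

// Authoritative data for the internal network, e.g. MY-PC-NAME.corp.example.
zone "corp.example" {
    type master;
    file "corp.example.zone";
};

// Reverse zone for 10.0.0.0/16 so internal addresses map back to names.
zone "0.10.in-addr.arpa" {
    type master;
    file "10.0.rev";
};
```

Internal clients (and the gateway itself) then list only this server in their resolver configuration; the split between internal and internet names is decided by the server, not by the client.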
participants (3)
- Gerhard Sittig
- Michael Hamm
- Thomas Michael Wanka