Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] Re: Re: DNS Concept for DMZ
On 24 Mar 2000, at 14:31, Michael Hamm wrote:

> But how does the gateway know that, for example, MY-PC-NAME is an
> internal name and has to be resolved by the internal DNS server?
>
> If I resolve names via my provider, the gateway tries to resolve
> MY-PC-NAME via the provider. Yet I see no way to tell the gateway: "For
> this name try the internal DNS server, for another name try the
> provider's DNS server."
>
> Michael
>

Hi,

if you carefully read DNS-related documentation you will find that a
DNS server hardly ever holds *all* name-IP pairs. A DNS server will have a
link to another one to resolve the names it cannot resolve itself,
which is done with the "forwarders xxx.xxx.xxx.xxx" line in
/etc/named.boot. This line instructs the DNS server to forward all
requests it cannot resolve to host xxx.xxx.xxx.xxx.

So, to answer your question: the DNS requests are not split by the gateway
but go to your standard nameserver in the internal net, which holds
all name-IP pairs of this network. If this nameserver receives a
request for a name it cannot resolve (for addresses on the
Internet, but also for typos), it will forward this request to the
nameserver of your ISP.

Please do not forget to restrict access to the database of your
network with the "xfernets xxx.xxx.xxx.xxx" statement. Every member
of xxx.xxx.xxx.xxx will be able to download the whole DNS information
of your nameserver; if there is no xfernets statement, everyone can
get this data by simply asking your nameserver.

HTH

mike
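The forwarding and zone-transfer setup described in the reply above, written out as a complete BIND 4 style /etc/named.boot for the internal nameserver. This is an added illustration, not a file from the original thread; the zone name, networks and ISP address are constructed, and the transfer-restriction directive is spelled `xfrnets`, as the BIND 4.9 boot file expects it.

```conf
; /etc/named.boot for the internal nameserver (BIND 4 boot-file syntax).
; Constructed values: internal zone "corp.internal", internal network
; 192.168.1.0/24, ISP resolver 192.0.2.53 (documentation address range).
directory       /var/named

; Authoritative data for the internal network: this is where a query
; for MY-PC-NAME.corp.internal is answered locally, never forwarded.
primary         corp.internal               db.corp.internal
primary         1.168.192.in-addr.arpa      db.192.168.1
primary         0.0.127.in-addr.arpa        db.127.0.0

; Root hints; named still needs a cache file to start cleanly.
cache           .                           db.cache

; Every name this server is not authoritative for and has not cached
; is sent to the ISP's resolver. "forward-only" means named never
; walks the Internet tree itself, so the only outbound DNS traffic
; from the inside goes to this one address (easy to filter at the gateway).
forwarders      192.0.2.53
options         forward-only

; Restrict zone transfers (AXFR) to the internal network. Without this
; line any host that can reach 53/tcp can pull the complete zone,
; i.e. every internal hostname and address. With no explicit mask the
; class-based default applies, so 192.168.1.0 covers 192.168.1.0/24.
xfrnets         192.168.1.0
```

A quick check after restarting named: an `ls -d corp.internal` from within `nslookup` run on an internal host should succeed, while the same request from outside the listed network must be refused.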


