Mailinglist Archive: opensuse-security (195 mails)

Re: DNS Concept for DMZ
  • From: Michael Hamm <michael.hamm@xxxxxxxxxxx>
  • Date: Fri, 24 Mar 2000 16:40:08 +0100
  • Message-id: <01BF95AF.9E5550B0@xxxxxxxxxxxxxxxxxxx>
>>>why don't you use two (or three) DNS-servers on your application gateway:
>>>the (primary and secondary) DNS-server of your Provider for internet addresses
>>>and your internal DNS-server for the internal addresses? I think that should solve the problem.
>>>If you're using SuSE Linux, you can change the nameservers using yast or you can edit /etc/resolve.
>>
>>But how does the gateway know that, for example, MY-PC-NAME is an
>>internal name and has to be resolved by the internal DNS-Server?
>>
>>If I resolve names by my Provider, the gateway tries to resolve MY-PC-NAME
>>by the Provider. Yet I see no way to tell the gateway:
>>"For this name try the internal, for another name try the Provider DNS-Server."
>>
>>Michael
>>
>>
>Ok, I see.
>Your application gateway should use the internal name server(s) first; if that one doesn't know the answer it has to be configured in such a way that it will ask the nameserver of the provider (the nameservers of your internal nameserver should be the ones of your provider).
>If your internal server(s) are down, then the application gateway can still resolve external names - using the second or third configured nameserver.

Okay, so I'll try this:
1. The Gateway tries to resolve every name by the internal DNS-Server.
2. Internal names will be found.
3. If nothing is found, the internal DNS-Server forwards the question to a DNS-Server running on the Gateway.
4. The DNS-Server running on the Gateway forwards every question to the Provider's DNS-Server.

It seems to be a long way. What about the performance???

Michael
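The four-step forwarding chain described in the message above, written out as an added configuration example that is not part of the original thread. It uses BIND named.conf syntax and constructed addresses: 10.1.1.10 for the internal DNS-Server, 10.1.1.1 for the Gateway's internal interface, 192.0.2.53 and 192.0.2.54 for the Provider's name servers, and example.internal as the internal zone; all of these are assumptions, not values from the thread.

```conf
# --- /etc/resolv.conf on the application gateway (constructed example) ---
# Step 1: ask the internal DNS-Server first. The Provider's servers are
# fallbacks that the resolver only tries when the internal server does
# not answer at all (timeout), not when it answers "name does not exist".
nameserver 10.1.1.10
nameserver 192.0.2.53
nameserver 192.0.2.54
search example.internal

# --- named.conf on the internal DNS-Server 10.1.1.10 (constructed example) ---
# Steps 2 and 3: answer authoritatively for the internal zone and forward
# everything else to the name server running on the Gateway.
options {
    directory "/var/named";
    forwarders { 10.1.1.1; };
    forward only;                 # never try to reach the internet directly
    allow-query { 10.0.0.0/8; localhost; };
};
zone "example.internal" {
    type master;
    file "example.internal.zone";
};
zone "1.1.10.in-addr.arpa" {
    type master;
    file "10.1.1.rev";
};

# --- named.conf on the Gateway's name server 10.1.1.1 (constructed example) ---
# Step 4: a forwarding cache only. It holds no zones, listens only on the
# internal interface and answers only internal clients, so it cannot be
# used as an open resolver from the internet side.
options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
    listen-on { 10.1.1.1; 127.0.0.1; };
    allow-query { 10.0.0.0/8; localhost; };
};
```

Two points worth checking against the performance question: the resolver in /etc/resolv.conf falls through to the next nameserver only on timeout, which is why step 3 has the internal server forward unknown names itself instead of relying on the Gateway's resolver to try the Provider; and every server in the chain caches the answers it forwards, so the extra hops are paid only on a cache miss, with repeated lookups served by the internal DNS-Server directly.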
