Simple DNS Problem

Scott Trowbridge

Feb 26, 2001, 11:31:17 AM
I've read through the help docs. on the SCO site regarding DNS, and needless
to say, I'm still confused. I'm running 5.0.5 and trying to accomplish name
resolution behind a firewall. People coming in from the outside hit our web
site, and from a link on a web page, are directed to our firewall. From
there, we use ip masq. to forward them to a box behind that firewall. The
second problem is that we need to have the same name resolution from within
our own network. (see example below)

Can someone help me through the maze of DNS so that this example will work?

---------
Scott


So on a machine EXTERNAL to my network.
> nslookup homesec1.domain.com
Name: homesec1.domain.com
Address: 12.34.109.XX

> nslookup 12.34.109.XX
Name: homesec1.domain.com
Address: 12.34.109.XX

On a machine INTERNAL to my network.
> nslookup homesec1.domain.com
Name: homesec1.domain.com
Address: 192.168.21.1X

> nslookup 192.168.21.1X
Name: homesec1.domain.com
Address: 192.168.21.1X

Simon Hobson

Mar 6, 2001, 12:43:23 PM
On Mon, 26 Feb 2001 16:31:17 +0000, Scott Trowbridge wrote
(in message <Ewvm6.3513$TT.1...@e3500-chi1.usenetserver.com>):

> I'm running 5.0.5 and trying to accomplish name
> resolution behind a firewall. People coming in from the outside hit our web
> site, and from a link on a web page, are directed to our firewall. From
> there, we use ip masq. to forward them to a box behind that firewall. The
> second problem is that we need to have the same name resolution from within
> our own network. (see example below)
>
> Can someone help me through the maze of DNS so that this example will work?

OK, what you SHOULD be doing is have two nameservers. Internally you have a
nameserver which knows about your internal network (and web site), but which
uses your ISP's nameservers to resolve requests from internal users for
anything outside your network.

Externally, you have a different nameserver (you can probably get your ISP to
run this on their machines alongside the entries for www.domain.com).
External users will only ever see the limited information which you put in
this external nameserver and hence your internal network is hidden (even if
they couldn't get to it anyway because of the firewall).

This is a basic security measure.

So internal users resolving homesec1.domain.com will get 192.168.21.1X from
your INTERNAL DNS server. External users will get 12.34.109.XX from the
EXTERNAL DNS server.

Assuming that your web hosting company or your ISP also hosts the DNS entries
for your web site (i.e. www.domain.com), they will have to host the DNS entries
for your internal server homesec1.domain.com. Just ask them to add the
entries to resolve between homesec1.domain.com and 12.34.109.XX.
The alternative is that you take over responsibility for all DNS servers for
your domain - but you will be hard pressed to provide the same level of
performance and availability that they will provide.

Simon
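
The two-nameserver arrangement described in the reply above can be checked before the records go live. The following is an added example, not code from either poster: it audits the record set for each nameserver, flagging RFC 1918 addresses published externally and A records without a matching PTR. The simplified "name TYPE value" record format, the intranet host name and all addresses are constructed placeholders, not the masked addresses from the thread.

```python
import ipaddress

# RFC 1918 private ranges; none of these belong in the external nameserver.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, one "name TYPE value" per line (assumed format).
INTERNAL = """
homesec1.domain.com. A 192.168.0.10
10.0.168.192.in-addr.arpa. PTR homesec1.domain.com.
"""
EXTERNAL = """
homesec1.domain.com. A 203.0.113.10
10.113.0.203.in-addr.arpa. PTR homesec1.domain.com.
"""
# Same external data plus one record that exposes an internal address.
EXTERNAL_LEAKY = EXTERNAL + "intranet.domain.com. A 192.168.0.20\n"

def parse(text):
    """Return (A records: name -> address, PTR records: reverse name -> target)."""
    a, ptr = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        name, rtype, value = fields
        if rtype.upper() == "A":
            a[name.lower()] = ipaddress.ip_address(value)
        elif rtype.upper() == "PTR":
            ptr[name.lower()] = value.lower()
    return a, ptr

def audit(view_text, external):
    """List problems in one nameserver's records; an empty list means clean."""
    findings = []
    a, ptr = parse(view_text)
    for name, ip in sorted(a.items()):
        if external and any(ip in net for net in RFC1918):
            findings.append(f"LEAK {name} -> {ip}")
        # reverse_pointer yields e.g. '10.113.0.203.in-addr.arpa' (no trailing dot)
        if ptr.get(ip.reverse_pointer + ".") != name:
            findings.append(f"NO-PTR {name} -> {ip}")
    return findings

if __name__ == "__main__":
    for label, text, ext in (("internal", INTERNAL, False),
                             ("external", EXTERNAL, True),
                             ("external (leaky)", EXTERNAL_LEAKY, True)):
        print(label, audit(text, ext) or "OK")
```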