* RE: Need to replace a SonicWall firewall with an iptables firewall.
From: Daniel Chemko @ 2004-08-30 22:23 UTC (permalink / raw)
To: ste, Jason Opperisano; +Cc: netfilter
> Not knowing what split-dns was, I googled it. If I understand it
> correctly it seems that this is only needed when you use a single,
> common domain for both internal and external systems. All our external
> systems (both between the firewall and the router, and in the DMZ) are
> in "domain.com" and all our internal systems are in "sub.domain.com",
> so we don't need split-dns, right?
Split DNS is good in that it allows:

Internet -> (1.1.1.1)Firewall(10.0.0.1) -> DMZ (10.0.0.0/24)
                     (10.0.1.1)
                         |
                 Internal_Net (10.0.1.0/24)

Internet (Customers / etc..)
    dig www.abc.com > 1.1.1.1

Internally (From your management network)
    dig www.abc.com > 10.0.0.111
You have two zones of resolution. One for people inside the NAT, and one
for those outside the NAT. Anyone inside the NAT network will pick up
the real internal address name of the servers. People in the outside
world will see the fake routable DNAT IP address of the servers. Nobody
outside should be able to tell the difference (at least with http) that
the internal server doesn't really have an internet routable IP.
* Re: Need to replace a SonicWall firewall with an iptables firewall.
From: Nick Drage @ 2004-08-31 0:02 UTC (permalink / raw)
To: netfilter
On Mon, Aug 30, 2004 at 03:23:58PM -0700, Daniel Chemko wrote:
> > Not knowing what split-dns was, I googled it. If I understand it
> > correctly it seems that this is only needed when you use a single,
> > common domain for both internal and external systems. All our
> > external systems (both between the firewall and the router, and in
> > the DMZ) are in "domain.com" and all our internal systems are in
> > "sub.domain.com", so we don't need split-dns, right?
Probably a good idea anyway - you probably don't want external users
using your DNS server in the same way that internal hosts do - i.e.
making recursive lookups. Also while it isn't much of an information
leak, stopping Internet users looking up hosts in sub.domain.com won't
do any harm.
Also with the use of "view" this is pretty easy to do with BIND 9. If
you don't have a copy of "DNS and BIND" you should be able to find
something useful via Google or equivalent search engine.
Sorry, a little off-topic....
--
mors omnia vincit
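[Added example, not from any of the three posters: a BIND 9 named.conf fragment that does what Daniel's diagram and Nick's "view" suggestion describe. The addresses are the ones from Daniel's diagram; the ACL name, the zone file paths and the use of "domain.com"/"sub.domain.com" from the original question are assumptions, not anything the thread specifies.]

```conf
// Hosts allowed to see the internal view: the DMZ and the internal
// LAN from Daniel's diagram, plus the name server itself.
acl "inside" {
    10.0.0.0/24;   // DMZ (assumed from the diagram)
    10.0.1.0/24;   // Internal_Net (assumed from the diagram)
    127.0.0.1;
};

// Views are matched in order; the first view whose match-clients
// matches the source address answers the query, so the internal
// view has to come first. Once any view is declared, every zone
// must live inside some view.
view "internal" {
    match-clients { inside; };
    recursion yes;                 // only inside hosts may recurse

    // Internal copy of domain.com: www resolves to the real
    // DMZ address (10.0.0.111 in Daniel's example).
    zone "domain.com" {
        type master;
        file "/etc/bind/zones/db.domain.com.internal";  // assumed path
    };

    // The internal-only sub-domain is visible here and nowhere else.
    zone "sub.domain.com" {
        type master;
        file "/etc/bind/zones/db.sub.domain.com";       // assumed path
        allow-transfer { inside; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // Nick's point: no recursion for outsiders
    allow-transfer { none; };      // no zone walking from the Internet

    // External copy of domain.com: www resolves to the routable
    // DNAT address (1.1.1.1 in Daniel's example). sub.domain.com is
    // deliberately absent from this view.
    zone "domain.com" {
        type master;
        file "/etc/bind/zones/db.domain.com.external";  // assumed path
    };
};
```

The two zone files differ only in the records that matter: the internal one carries `www IN A 10.0.0.111`, the external one `www IN A 1.1.1.1`. Sanity-check the syntax with `named-checkconf` and each zone file with `named-checkzone domain.com <file>`, then confirm the split from both sides: `dig @10.0.0.1 www.domain.com` from the management network should return 10.0.0.111, while the same query from an outside host against 1.1.1.1 should return 1.1.1.1, and a query for anything in sub.domain.com from outside should come back REFUSED rather than with an answer. If the internal view ever returns the external address, the usual cause is the view order or an ACL that does not cover the client's source address after NAT.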
* OT: split-dns
From: Shaun T. Erickson @ 2004-08-31 13:34 UTC (permalink / raw)
To: Netfilter Mailing List
Nick Drage wrote:
> On Mon, Aug 30, 2004 at 03:23:58PM -0700, Daniel Chemko wrote:
>
>
>>>Not knowing what split-dns was, I googled it. If I understand it
>>>correctly it seems that this is only needed when you use a single,
>>>common domain for both internal and external systems. All our
>>>external systems (both between the firewall and the router, and in
>>>the DMZ) are in "domain.com" and all our internal systems are in
>>>"sub.domain.com", so we don't need split-dns, right?
>
>
> Probably a good idea anyway - you probably don't want external users
> using your DNS server in the same way that internal hosts do - i.e.
> making recursive lookups. Also while it isn't much of an information
> leak, stopping Internet users looking up hosts in sub.domain.com won't
> do any harm.
My DNS here is a bit screwy, having inherited it from my predecessor,
whom I only recently took over for. The outside name server handles our
primary domain "y.net", only, so external people cannot look up internal
hosts, but they can make recursive requests for information about our
external systems. My internal name server handles our internal domain,
"x.y.net", and a copy of our external domain, on a Windows box. Clients
are pointed at the internal name server and the secondary nameserver our
ISP runs for us.
Clearly, this all needs to be re-done, which I plan to do as soon as my
shiny new server arrives, which I'll migrate all my services to,
rebuilding them as I go.
> Also with the use of "view" this is pretty easy to do with BIND 9. If
> you don't have a copy of "DNS and BIND"
I do - excellent book.
-ste