From: Alexander Derevyanko
Date: Thu, 09 Nov 2000 22:37:44 +0000
To: Jeremy Vandenhouten
Cc: FreeBSD.ORG!questions@pc759.cs.msu.su
Subject: Re: DNS Setup
Message-ID: <3A0B2738.CB1D505B@pc759.cs.msu.su>
References: <4885c848ca8c.48ca8c4885c8@marquette.edu>

Jeremy Vandenhouten wrote:
>
> In setting up 1 of the 2 DNS servers required for taking control of a
> domain. Does setting up one behind a firewall constitute a valid option?
> More info to follow:
>
> Lucent Router ------ FreeBSD NAT firewall --------- DNS Server
>
> I know I need to tell the firewall to redirect port 53 both forwards
> and backwards for the DNS server.
>
> A case in point, assuming I was on the outside of the Lucent Router and
> wanted to use the internal DNS server (192.168.x.x) from another
> FreeBSD box, where would I point it at because obviously the DNS server
> doesn't have a legitimate external "Internet IP."

If you do the redirection, you will use the IP of your firewall.

>
> The question is easy if I'm internal behind the firewall, I could just
> point directly at the 192.168.x.x address, but that's not the situation
> I'm looking at. Or, alternatively, is there a better way of setting
> this up without putting the DNS server on the firewall machine.

It is not too clever to allow everybody in the whole world to inspect your
internal domain. Also, it is useless if you have internal IPs in DNS.

I suggest the following strategy: install one set of DNS servers for your
legitimate IP addresses (most likely you will need a very small zone, like
www.mydomain.com, ftp.mydomain.com and an MX record for mydomain.com).
I suggest using your upstream provider's DNS service for this.

And install a completely internal DNS server, with no possibility of access
from outside. Of course, all internal hosts must use your internal DNS as
their DNS server.

>
> Thanks for any input...
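
The split described in the reply only helps if the small external zone never carries internal addresses. The following check is an added example, not part of the original message: it scans a zone file for A/AAAA records that point into internal ranges before the zone is handed to the upstream provider. The function name, the sample zone, the provider name server and all addresses in it are constructed for illustration.

```python
import ipaddress
import re

# Ranges that only make sense inside the firewall (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
TTL_OR_CLASS = re.compile(r"(?:\d+[smhdw])*\d*|IN|CH|HS", re.IGNORECASE)

def find_internal_records(zone_text):
    """Return [(line_no, owner, address)] for A/AAAA records that point at
    internal addresses and so do not belong in the external zone."""
    findings, owner = [], None
    for line_no, raw in enumerate(zone_text.splitlines(), start=1):
        line = raw.split(";", 1)[0]              # drop trailing comment
        if not line.strip() or line.lstrip().startswith("$"):
            continue                             # blank line or $TTL/$ORIGIN
        fields = line.split()
        if not raw[0].isspace():                 # otherwise owner is inherited
            owner = fields.pop(0)
        while fields and TTL_OR_CLASS.fullmatch(fields[0]):
            fields.pop(0)                        # skip optional TTL and class
        if len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            findings.append((line_no, owner, fields[1]))  # malformed: review by hand
            continue
        if any(addr in net for net in INTERNAL_NETS):
            findings.append((line_no, owner, str(addr)))
    return findings

# Constructed sample: the small external zone from the reply (www, ftp, MX)
# with two internal records left in by mistake. 192.0.2.0/24 stands in for
# the legitimate public addresses.
SAMPLE_ZONE = """\
$TTL 86400
@    IN SOA ns.provider.example. hostmaster.mydomain.com. (
         2000110901 3600 900 604800 86400 )
     IN NS  ns.provider.example.
     IN MX  10 mail.mydomain.com.
www       IN A 192.0.2.10
ftp       IN A 192.0.2.11
mail 3600 IN A 192.0.2.12
intranet  IN A 192.168.1.20   ; internal host
          IN A 10.0.0.5
"""

if __name__ == "__main__":
    for line_no, owner, addr in find_internal_records(SAMPLE_ZONE):
        print(f"line {line_no}: {owner} -> {addr} is internal, remove before publishing")
```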