Re: dns + firewall?

From: Kevin D. Goodknecht Sr. [MVP] (admin_at_nospam.WFTX.US)
Date: 08/09/04


Date: Mon, 9 Aug 2004 08:30:26 -0500

In news:O7e$mKhfEHA.1644@tk2msftngp13.phx.gbl,
Eric <eric@hotmail.com> wrote their comments
Then Kevin replied below:
> Ok! I really suck at this so slow and easy please. :-/
>
> We have a firewall (linux) that does a portforward on
> port 80 to the dmz win 2k-machine where the web and the
> dns is located. The rest of the computers are "inside" the
> firewall, including the "main Win 2k computer" to which
> all the work stations log on.
>
> Everything works fine, external computers can access the
> dmz win 2k-machine web fine, we can access the net from
> the inside, *but* we can only use the address
> lan.company.com (or some alias) to access the dmz win
> 2k-machine web from the inside and *not*
> www.company.com. And that creates problems when we want
> to update our site and use absolute addresses.

Can I assume that all users are using only the Win2k that is _NOT_ in the
DMZ for DNS?
Local computers will not be able to use the DNS in the DMZ for DNS because,
if I'm getting the picture right, it has public DNS zones.
That being said, in the DNS server for the internal LAN, create a zone named
company.com, with records for www and/or whatever with the private IP of the
webserver in the DMZ.
If www.company.com is the only name you need to access on the DMZ server, I
would create a zone for that name (www.company.com), then create a blank
host with the IP of the web server in the DMZ. This will prevent the local
DNS from intercepting names that can be accessed from inside the LAN by the
public addresses.

-- 
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
================================================
-- 
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
================================================
http://www.lonestaramerica.com/
================================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
================================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
================================================
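As an added illustration (not part of the original thread), a small Python model of the zone-selection behaviour Kevin's two suggestions rely on: an internal DNS server answers from the most specific zone it hosts and never falls back to forwarding for a name inside one of its zones. The zone names, private and public IPs are constructed for the example.

```python
# Added example (not from the original post): a minimal model of how a DNS
# server picks which zone answers a query, showing why a zone named
# "www.company.com" holding only a blank (same-as-parent) host overrides just
# that one name, while a zone named "company.com" captures every name under
# company.com on the internal server. All IPs and names are constructed.

from typing import Dict, Optional

# What the public (DMZ) DNS would answer if the internal server forwards.
PUBLIC_DNS = {
    "www.company.com": "203.0.113.10",
    "mail.company.com": "203.0.113.20",
}

def longest_matching_zone(name: str, zones: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the most specific hosted zone that contains `name`, if any."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name: str, zones: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Resolve `name` like an internal server with local zones plus a forwarder.

    `zones` maps zone name -> {owner: ip}; owner "@" is the blank host record.
    If a hosted zone covers the name, the answer comes only from that zone
    (None stands for NXDOMAIN); otherwise the query is forwarded.
    """
    name = name.rstrip(".").lower()
    zone = longest_matching_zone(name, zones)
    if zone is None:
        return PUBLIC_DNS.get(name)          # not ours: forward to public DNS
    owner = "@" if name == zone else name[: -len(zone) - 1]
    return zones[zone].get(owner)            # authoritative: no fallback

# Kevin's narrower suggestion: a zone for the single name, blank host record.
NARROW_ZONES = {"www.company.com": {"@": "192.168.1.10"}}
# The broader alternative: a company.com zone holding only the www record.
BROAD_ZONES = {"company.com": {"www": "192.168.1.10"}}

if __name__ == "__main__":
    for zones in (NARROW_ZONES, BROAD_ZONES):
        print(list(zones), resolve("www.company.com", zones),
              resolve("mail.company.com", zones))
```

With the narrow zone, mail.company.com still resolves via the public address; with the broad zone it returns NXDOMAIN until every public name is duplicated internally.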

