Re: dns server behind a firewall?



Hi!
I only have one public address, and there was no firewall before. We just
bought the Dlink DFL-600 a few days ago; I haven't plugged it into my network
because I wanted to be sure about the server IP switching. I just read the
manual and got the basics about "virtual server", which allows port forwarding
of the DNS, mail and web incoming requests.
My configuration should be something like this:

Internet------ Firewall ----------------Server
150.125.14.25 172.17.2.1

The only change on my DNS server configuration is the public IP for a
private one?
No additional changes on my W2K DNS console?

Thanks a lot Herb!

Gus Viamonte


"Herb Martin" wrote:

> "Gus" <Gus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:A2C1CC29-BFB3-4128-BF59-13B1DFB93A16@xxxxxxxxxxxxxxxx
> > Hi again Herb!
> > You know I'm a newbie on all this DNS stuff. I know it will be easier to
> > give it to the registrar but boss around here doesn't agree.
>
> What are his reasons? Most people never think this through.
>
> > They just bought the
> > firewall and want me to do the job, that's why I'm posting again. I am a
> > little confused about switching server IP address.
>
> You go to your registrar and fill out a form. But there is a pretty
> good chance your DNS and anything that depends on it will be
> down a few days unless you run the DNS at both addresses (old
> and new) during the switch over.
>
> Do you have two DNS servers? Does your boss realize that when
> all of your (single?) DNS servers are down most people will lose
> access to your web, email etc....?
>
> > I'm using a Dlink DFL-600 firewall which is a NAT one.
>
> The firewall specific issues you must get from the firewall (vendor
> specific) folks or from reading the manual but we can give you the
> principles.
>
> You map the external (firewall) address ports 53 to the internal
> (DNS server) address on ports 53.
>
> > I have to set the WAN port on the firewall to
> > use a public IP, the one I got is the server's, so do I have to use this
> > public IP on the switch and a private one on the server?
>
> Yes. If that is the only public address you have you must do that.
>
> In this case you don't need to change the parent registration since
> to the outside world they must use the same (old) address which
> now belongs to the firewall (and is mapped on ports 53 to the
> DNS server.)
>
> > How do I register NAT external address with the parent zone?
>
> If you have only one address that isn't necessary - I answered as if
> you had both firewall and DNS working previously (on different
> addresses.)
>
> Give the public address to the firewall and make sure you can do
> the mapping (might be called "port forwarding", "port mapping",
> "define server", "defining services" or something that has the
> same general meaning...)
>
>
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
> >
> > Thanks a lot.
> >
> > "Herb Martin" wrote:
> >
> > > "Gus" <Gus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:0E3A087C-1925-49D1-8DEF-6BFFB6CC3F35@xxxxxxxxxxxxxxxx
> > > > Is it possible to place my dns server behind a firewall? My DNS server
> > > > has a public IP address and host my two internet domains zones.
> > >
> > > Sure but the easier and more reliable (probably safer too) solution
> > > is to just move a PUBLIC DNS server back to the registrar.
> > >
> > > They have 24/7 support, Internet backbone bandwidth,
> > > industrial UPS, and at least two servers which you are
> > > supposed to have anyway.
> > >
> > > > Help will be appreciated.
> > >
> > > Inet --- FireWall --- DNS
> > >
> > > Open UDP and TCP 53 for inbound destination and response
> > > from those ports to any outside.
> > >
> > > Give the DNS an address appropriate to the network behind the
> > > Firewall.
> > >
> > > If the firewall is a NAT you must register the NAT external
> > > address with the parent zone AND you must map the ports
> > > above from the outside to those same ports on the internal
> > > address of the DNS.
> > >
> > > It's a lot easier and safer (and usually free -- you already paid
> > > for it) to give it back to the registrar and only handle your
> > > internal DNS.
> > >
> > >
> > > --
> > > Herb Martin, MCSE, MVP
> > > Accelerated MCSE
> > > http://www.LearnQuick.Com
> > > [phone number on web site]
> > >
> > >
> > >
>
>
>
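
An added example, not part of the thread: a small check to run from a host outside the firewall once the port 53 mapping described above is in place. It asks the public address for the zone's SOA over both UDP and TCP and passes only if each reply is authoritative. The function names and the command-line arguments (public address, zone name) are assumptions made for this sketch.

```python
import socket, struct, sys

def build_query(name, qtype=6, qid=0x1234):
    """Encode a standard query (qtype 6 = SOA, class IN), recursion not requested."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header of a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "answers": an}

def ask_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

def ask_tcp(server, query, timeout=3.0):
    # DNS over TCP prefixes each message with a 2-byte length.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        f = s.makefile("rb")
        (n,) = struct.unpack("!H", f.read(2))
        return f.read(n)

def verdict(h, qid=0x1234):
    """Pass only if the reply matches our query and is authoritative with data."""
    return (h["qr"] and h["id"] == qid and h["aa"]
            and h["rcode"] == 0 and h["answers"] > 0)

def check(server, zone):
    """Return {'udp': bool, 'tcp': bool} for the forwarded port 53 mappings."""
    results = {}
    for label, ask in (("udp", ask_udp), ("tcp", ask_tcp)):
        try:
            results[label] = verdict(parse_header(ask(server, build_query(zone))))
        except (OSError, ValueError, struct.error) as exc:
            results[label] = False
            print(f"{label}/53 failed: {exc}")
    return results

if __name__ == "__main__":
    print(check(sys.argv[1], sys.argv[2]))  # args: <public-address> <zone-name>
```

A UDP pass with a TCP failure usually means only one of the two protocol mappings was created on the firewall.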