[ previous ] [ next ] [ threads ]
 
 From:  David Cook <david dot cook at jetpress dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Rule Confirmation / Access from outside local netw ork
 Date:  Wed, 11 Feb 2004 16:35:27 -0000
>The djbdns solution would make use of alternat DNS for 
>interior vs exterior
>computers...

Two more possible solutions.....

Another way to get round this is to run a DNS server on your LAN and create
what is sometimes referred to as 'split-brain DNS'. 

This works by having two sets of records for your domain. One for internal
hosts on your internal DNS server, a second for external hosts on the
internet DNS server (which you have). This allows local DNS queries for the
same hostname to resolve to an internal LAN address. 

All you need to do is setup a zone on your internal DNS for your domain and
create records that resolve to your local IP addresses behind the firewall.
Also configure the LAN DNS to forward any queries for domains it doesn't
have zones for onto your ISPs DNS servers. Configure all hosts on your LAN
to use the LAN DNS server for name resolution. 

This has a number of benefits:

- your LAN hosts can make all queries against the LAN DNS
- hosts that are on your LAN will resolve to local addresses, not public
addresses
- all queries are cached by the LAN DNS which speeds up subsequent duplicate
lookups
- by forwarding queries, the LAN DNS doesn't have to resort to querying the
ROOT servers on the internet in order to resolve the IPs of internet hosts

If you have no DNS server software you can find versions of BIND for most
operating systems at http://www.isc.org/index.pl?/sw/bind/. Doumentation is
on the same site.


And finally a further way you could do this is by using the functionality
that Manuel has put into m0n0wall that registers the hostnames of DHCP
clients into the DNS forwarder on the firewall. For this to work you would
need to register the MAC address of each of your hosts that currently has a
static IP address so that they were always allocated the same IP address by
DHCP from m0n0wall. 

As part of the assigning of IP addresses by m0n0wall, the hostname is passed
to DHCP and is then registered against the DNS fowarder. This sort of
automatically does what I suggested above, however this is only going to
create the equivalent of DNS 'A' records. You would also have to reconfigure
the IP addressing on the DMZ hosts so that they used DHCP. You would also
have to make sure that m0n0wall was configured with the correct domain under
'General Settings' as this is normally assigned by DHCP (sometimes reffered
to as DNS suffix). This also means your internal LAN would have to be based
on the same domain name as your internet accesible hosts.


JET PRESS LIMITED
Nunn Close
Huthwaite
Nottinghamshire
NG17 2HW
UK

Web:	www.jetpress.com
Tel:	+44-1623-551 800
Fax: 	+44-1623-551 175


Confidentiality Notice 
This message and its contents are confidential.  The contents are solely for the attention of the
recipient(s) named above and any unauthorised disclosure, copying or distribution is forbidden.  If
you are not the recipient named above, please contact the sender immediately and destroy this
message.  The views expressed in this message are those of the sender and not necessarily those of
JET PRESS LIMITED.