 
 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'David Cook'" <david dot cook at jetpress dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Rule Confirmation / Access from outside local network
 Date:  Wed, 11 Feb 2004 19:38:58 +0100
> -----Original Message-----
> From: David Cook [mailto:david dot cook at jetpress dot com]
> Sent: woensdag 11 februari 2004 17:35
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Rule Confirmation / Access from outside local network
> 
> 
> > The djbdns solution would make use of alternate DNS for interior vs
> > exterior computers...
> 
> Two more possible solutions.....
> 
> Another way to get round this is to run a DNS server on your LAN and
> create what is sometimes referred to as 'split-brain DNS'.
> 
> This works by having two sets of records for your domain. One for
> internal hosts on your internal DNS server, a second for external hosts
> on the internet DNS server (which you have). This allows local DNS
> queries for the same hostname to resolve to an internal LAN address.
> 
> All you need to do is set up a zone on your internal DNS for your domain
> and create records that resolve to your local IP addresses behind the
> firewall. Also configure the LAN DNS to forward any queries for domains
> it doesn't have zones for onto your ISP's DNS servers. Configure all
> hosts on your LAN to use the LAN DNS server for name resolution.
> 
> This has a number of benefits:
> 
> - your LAN hosts can make all queries against the LAN DNS
> - hosts that are on your LAN will resolve to local addresses, not
>   public addresses
> - all queries are cached by the LAN DNS which speeds up subsequent
>   duplicate lookups
> - by forwarding queries, the LAN DNS doesn't have to resort to querying
>   the ROOT servers on the internet in order to resolve the IPs of
>   internet hosts
> 
> If you have no DNS server software you can find versions of BIND for
> most operating systems at http://www.isc.org/index.pl?/sw/bind/.
> Documentation is on the same site.
> 
> 
> And finally a further way you could do this is by using the
> functionality that Manuel has put into m0n0wall that registers the
> hostnames of DHCP clients into the DNS forwarder on the firewall. For
> this to work you would need to register the MAC address of each of your
> hosts that currently has a static IP address so that they were always
> allocated the same IP address by DHCP from m0n0wall.
> 
> As part of the assigning of IP addresses by m0n0wall, the hostname is
> passed to DHCP and is then registered against the DNS forwarder. This
> sort of automatically does what I suggested above, however this is only
> going to create the equivalent of DNS 'A' records. You would also have
> to reconfigure the IP addressing on the DMZ hosts so that they used
> DHCP. You would also have to make sure that m0n0wall was configured
> with the correct domain under 'General Settings' as this is normally
> assigned by DHCP (sometimes referred to as DNS suffix). This also means
> your internal LAN would have to be based on the same domain name as
> your internet accessible hosts.
> 

This can be done very simply by assigning static addresses and adding them
to your DNS forwarder 'exception' table with the hostname (ex. 'www') and
domain ('initec.be').
No need to use DHCP and MAC-mappings.

This uses the first option you explained without the need to install an
extra BIND machine.

Joachim
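
As an added example (not code from the thread, from m0n0wall or from BIND), here is a Python check for the split-brain setup David describes and the forwarder override table Joachim prefers. It parses two constructed BIND-style zone files for the same domain (only the name initec.be is taken from the thread; every hostname and address, 192.168.1.0/24 inside and 203.0.113.0/24 outside, is made up for the example), flags any name published externally that has no LAN record (LAN clients would then get the public address and have to hairpin through the firewall, which is the problem the thread started from), flags any RFC 1918 address that slipped into the external zone, and emits the (hostname, domain, IP) triples that would be typed into the m0n0wall DNS forwarder override table instead of running a separate BIND server.

```python
"""Consistency check for a split-brain (split-horizon) DNS setup.

Added example, not part of the m0n0wall thread. Two BIND-style zone files
for the same domain are compared: the internal copy served to LAN hosts and
the external copy published on the internet. Two mistakes are reported:

  * a name published externally with no LAN record, so LAN clients fall
    through to the public address and have to hairpin through the NAT;
  * an RFC 1918 address in the external zone, which leaks the internal
    addressing plan to the whole internet.

Zone contents, hostnames and addresses (192.168.1.0/24 inside,
203.0.113.0/24 outside) are constructed; only initec.be is from the thread.
"""
import ipaddress
import re

INTERNAL_ZONE = """\
$ORIGIN initec.be.
$TTL 3600
@        IN SOA ns1.initec.be. hostmaster.initec.be. (2004021101 3600 900 604800 300)
@        IN NS  ns1.initec.be.
ns1      IN A   192.168.1.2
www      IN A   192.168.1.10
mail     IN A   192.168.1.11
backup   IN A   192.168.1.30
intranet IN A   192.168.1.20   ; LAN-only host, must never appear outside
"""

EXTERNAL_ZONE = """\
$ORIGIN initec.be.
$TTL 3600
@        IN SOA ns1.initec.be. hostmaster.initec.be. (2004021101 3600 900 604800 300)
@        IN NS  ns1.initec.be.
ns1      IN A   203.0.113.2
www      IN A   203.0.113.10
mail     IN A   203.0.113.11
ftp      IN A   203.0.113.12   ; mistake: no matching record in the LAN zone
backup   IN A   192.168.1.30   ; mistake: copied from the LAN zone unchanged
"""

# RFC 1918 ranges spelled out: Python's IPv4Address.is_private also covers
# the documentation range 203.0.113.0/24 used here, so it cannot be used.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# owner [ttl] [IN] A address   (comments are stripped before matching)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)$", re.IGNORECASE)


def is_lan(ip):
    """True for RFC 1918 addresses, i.e. what belongs behind the firewall."""
    return any(ip in net for net in RFC1918)


def parse_a_records(zone_text):
    """Return {fqdn: IPv4Address} for the A records of a minimal zone file.

    Handles $ORIGIN, ';' comments, '@', relative and absolute owner names.
    Other record types (SOA, NS, MX, ...) are skipped on purpose: only A
    records decide which address a client connects to.
    """
    origin, records = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):
            continue
        match = A_RECORD.match(line)
        if not match:
            continue
        owner, ip = match.groups()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}" if origin else owner
        records[fqdn.lower()] = ipaddress.ip_address(ip)
    return records


def check_split_brain(internal, external):
    """Compare the two views; return [(kind, fqdn, detail), ...] sorted by name.

    An empty list means every published name has a LAN address for LAN
    clients and nothing private is visible from the internet.
    """
    findings = []
    for fqdn, ip in sorted(external.items()):
        if is_lan(ip):
            findings.append(("leak", fqdn, f"external zone publishes LAN address {ip}"))
        if fqdn not in internal:
            findings.append(("hairpin", fqdn, "no LAN record; LAN clients will get the public address"))
        elif not is_lan(internal[fqdn]):
            findings.append(("hairpin", fqdn, f"LAN record {internal[fqdn]} is not an RFC 1918 address"))
    return findings


def forwarder_overrides(internal, domain):
    """Turn the LAN zone into (hostname, domain, ip) triples: the entries the
    forwarder-override approach adds to m0n0wall instead of running BIND."""
    suffix = "." + domain
    return [(fqdn[: -len(suffix)], domain, str(ip))
            for fqdn, ip in sorted(internal.items()) if fqdn.endswith(suffix)]


if __name__ == "__main__":
    inside, outside = parse_a_records(INTERNAL_ZONE), parse_a_records(EXTERNAL_ZONE)
    for kind, fqdn, detail in check_split_brain(inside, outside):
        print(f"{kind:8} {fqdn:22} {detail}")
    print("forwarder overrides:", forwarder_overrides(inside, "initec.be"))
```

Run against the constructed zones it reports a leak for backup.initec.be and a hairpin problem for ftp.initec.be; with those two records fixed the report is empty. The same parser can be pointed at real zone files before every external zone push, which is the check most split-brain setups lack.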

