Question: DNS behind firewall
Hi, I recently set up a new internet connection for a small enterprise (Cisco 1700, T1, WatchGuard Firebox) and put the whole thing behind a WatchGuard firewall: web hosting, email, etc. Now the world can see all my stuff and I have configured the firewall properly; everything works great, etc., etc. ... but no LAN clients can access the web site being hosted internally. They can hit everything else in the world just fine! The firewall views anything coming from 192.168.X.X private subnets as a spoof attack and so denies the request. The firewall vendor says "I need to set up internal DNS"...?

First, a few bits of info: I configured a DHCP scope for client IP addys and pointed everyone to my ISP's DNS for name resolution. Prior to my arrival here, the old admin had set up and configured the primary and secondary domain controllers as "root" DNS servers (according to Microsoft anyway). After reading about the MS DNS and Win2K Active Directory, I am a bit confused how that works as opposed to real-world DNS/BIND, with which I am somewhat more familiar.

How do I enable LAN clients to hit our own web site internally? (Please don't say "go to 192.168.x.x"; the links on the site all point to real-world links underneath the root directory of the www machine and will break, but yes, you can get there using the IP of that machine.) There seem to be several different ways around this, but my main question is: do I have to have a DNS machine on a registered public IP relaying DNS queries to solve this problem? I have a block of registered addys I can use to set up an external machine and then NAT the DNS requests through my firewall, but then what? Do I use DHCP to have the client pick up the info from inside the public address and configure this external DNS machine as a forwarder to my ISP's primaries and secondaries...??? YIKES! OUCH. I know this has to be an easy question for those of you that have connected secured enterprise LANs to the Internet; any help is appreciated.
thanks in advance
FESTUS

Answer: DNS behind firewall

Yes, you have to make an internal DNS server. Yes, what is seen by the outside is different from what is seen by the inside. I know of no way to ensure the host header translation done by the firewall is the same as that seen from inside; only many workarounds. DHCP is not related to the problem, just another way of setting the client's values.
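The "internal DNS server" the answer recommends is usually built as split-horizon DNS: the same zone answers with the private address for LAN clients and the public address for everyone else, so LAN lookups of the hosted site never have to traverse the firewall. The BIND 9 `named.conf` below is an added example, not configuration from the original thread or from WatchGuard; the domain `example.com`, the LAN range 192.168.1.0/24, the web server 192.168.1.10, and the ISP resolver addresses are placeholders.

```conf
// named.conf: split-horizon ("views") configuration for BIND 9.
// Constructed example; example.com, 192.168.1.0/24, 192.168.1.10 and
// the ISP resolver addresses 198.51.100.1/.2 are placeholders.
acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    allow-query { any; };
};

// LAN clients: authoritative answers for our own zone with the PRIVATE
// address of the www machine, and everything else forwarded to the
// ISP's resolvers. The query for the hosted site is answered here, so
// it never hits the firewall's spoof check.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    forward only;
    forwarders { 198.51.100.1; 198.51.100.2; };
    zone "example.com" {
        type master;
        file "example.com.internal.zone";   // www A 192.168.1.10
    };
};

// Everyone else: authoritative answers with the PUBLIC (NATed) address
// only, and no recursion, so the box is not an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.external.zone";   // www A <public address>
    };
};
```

The two zone files carry the same SOA and NS records and differ only in the A record for `www`; DHCP then hands LAN clients this server's address as their resolver instead of the ISP's.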