Question : IPs for Public DNS behind Firewall

I have a primary and secondary DNS behind a firewall. The NIC for these servers has private IPs (10.x.x.x). The firewall maps the public IPs to the private internal IPs.

This DNS is for web and email servers.

I have some other open questions on here and it is all starting to make sense now.

After researching, I think I understand that all the DNS records should have my public IPs. Then, my firewall will point them to the internal IPs.

So, my setup is as follows. Let me know if this is correct:

1) DNS server NIC has internal IPs (10.x.x.x)
2) This server is pointing to itself as a DNS server (in the NIC)
3) All DNS records are my external IPs
4) If the server itself needs to look up domains outside of my domain (e.g. Windows Update), I have the forwarder set to use the firewall DNS proxy option. So, this IP is the internal IP of the trust side of my firewall. The firewall then has the ISP's DNS IPs in the proxy setup.
5) The firewall translates the external IPs to the Internal IPs

When I started to set this up, I used internal IPs for the DNS records and that did not work. Mail was bouncing, etc., because I was returning internal IPs. I guess in the beginning I thought using external IPs in the DNS behind the firewall was not good. But I learned from an open question here that this is what I had to do to solve my mail server issue. Then I thought perhaps all my DNS records should have external IPs.

Is the above assumption correct?


Answer : IPs for Public DNS behind Firewall


Hey again :)

If you're hosting a public DNS service, the service should only return information that's relevant to the outside world. Internal IP addresses aren't, so they shouldn't be used within DNS itself.

Perhaps the most important records are the NS and SOA records. These should only link to Host (A) records that point to public IP addresses.

Going through your config:

> 1) DNS server NIC has internal IPs (10.x.x.x)

Absolutely fine, it needs to be able to talk on the internal network and to the router / firewall.

> 2) This server is pointing to itself as a DNS server (in the NIC)

Hmm, this I generally don't do, but it's situational. I don't do it because I don't let public DNS servers resolve public names; they're only allowed to serve out the zones they host.

> 3) All DNS records are my external IPs

Excellent.

> 4) If the server itself needs to lookup domains outside of my domain (e.g. windows update),
> I have the forwarder set to use the firewall DNS proxy option. So, this IP is the internal IP
> of the trust side of my firewall. The firewall then has the ISPs DNS IPs in the proxy setup.

I would use the firewall's IP in the TCP/IP configuration, with a caveat: this is only appropriate for stand-alone servers. If AD appears in this configuration anywhere, it gets messy.

> 5) The firewall translates the external IPs to the Internal IPs

No problem :)

Chris
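The answer's rule (every A record in a public zone carries a public address, and the NS, SOA and MX targets must themselves resolve to public addresses) is easy to audit before a zone goes live. The following is an added example, not code from the original thread: a small Python checker over a constructed sample zone in BIND format. The domain `example.com`, the `203.0.113.0/24` addresses (TEST-NET-3, used here as stand-ins for public IPs) and the `10.0.0.25` mail host are placeholders. The check matches explicit RFC 1918, CGNAT, loopback and link-local ranges rather than `ipaddress`'s `is_private`, because `is_private` also flags the documentation ranges used in the sample.

```python
import ipaddress

# Constructed sample zone; names and addresses are placeholders, not from the original post.
# The mail host deliberately carries an internal address, reproducing the asker's bounce problem.
SAMPLE_ZONE = """
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 3600)
@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.
@       IN MX   10 mail.example.com.
ns1     IN A    203.0.113.10
ns2     IN A    203.0.113.11
mail    IN A    10.0.0.25        ; internal address leaking into the public zone
www     IN A    203.0.113.20
"""

# Address ranges that must never appear in a zone served to the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_internal(ip):
    """True if the address belongs to a non-routable range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def qualify(name, origin):
    """Turn a zone-file owner/target name into a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def in_bailiwick(name, origin):
    """True if the name lives inside the zone (so the zone must carry its A record)."""
    return name == origin or name.endswith("." + origin)


def parse_zone(text):
    """Minimal BIND zone parser: returns (origin, [(owner, type, rdata_tokens), ...])."""
    origin, last_owner, records = None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                     # $TTL and friends: not records
            continue
        tokens = line.split()
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        owner = last_owner if i == 0 else tokens[0]  # owner omitted => reuse previous
        last_owner = owner
        records.append((qualify(owner, origin), tokens[i + 1], tokens[i + 2:]))
    return origin, records


def audit_zone(text):
    """Return a list of findings; an empty list means the zone is clean."""
    origin, records = parse_zone(text)
    a_records = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])

    findings = []
    # Rule 1: no A record in a public zone may carry an internal address.
    for owner, addrs in a_records.items():
        for ip in addrs:
            if is_internal(ip):
                findings.append(f"{owner} A {ip}: internal address in public zone")

    # Rule 2: NS, SOA MNAME and MX targets inside the zone need public A records.
    for owner, rtype, rdata in records:
        if rtype in ("NS", "SOA"):
            target = qualify(rdata[0], origin)
        elif rtype == "MX":
            target = qualify(rdata[1], origin)       # rdata = [preference, exchange]
        else:
            continue
        if not in_bailiwick(target, origin):
            continue                                  # external host: resolved elsewhere
        addrs = a_records.get(target, [])
        if not addrs:
            findings.append(f"{owner} {rtype} -> {target}: no A record in zone")
        elif any(is_internal(ip) for ip in addrs):
            findings.append(f"{owner} {rtype} -> {target}: resolves to internal address")
    return findings


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE) or ["zone is clean"]:
        print(finding)
```

Running the audit on the sample reports the `mail` A record and the MX pointing at it; replacing the `10.0.0.25` address with the public address the firewall maps to the mail server clears both findings. The firewall then handles the public-to-internal translation, exactly as in point 5 of the question.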