Nachman Yaakov Ziskind
2003-Sep-15 10:33 UTC
[Shorewall-users] Dual DNS (was: fw2net DROP messages)
> Message: 7
> Date: Sun, 14 Sep 2003 19:37:52 -0700 (Pacific Daylight Time)
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] fw2net DROP messages
> To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
> Message-ID: <Pine.WNT.4.55.0309141936580.516@TIPPER.shorewall.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Fri, 12 Sep 2003, bogy wrote:
>
> > Hi all
> > I have been away, that is why I did not reply.
> > I have made recursion = no in a DNS, but then none of our "internal" clients
> > could go anywhere on the net, most likely because the DNS did not provide our
> > resolved IP. I have checked that we have
> > ACCEPT loc net udp 53 and
> > ACCEPT loc net tcp 53
> > rules in the rules file
> >
> > We need:
> > 1. outside computers to resolve our domains like emis.com.au, centre.net.au,
> >    stainedglassshed.com
> > 2. internal computers to resolve internet addresses
> > 3. dialup customers to use DNS for browsing
> >
> > Can I, in view of those two points, set recursive lookups to no?
> > Do I need to do anything else for DNS to go through the fw?
> >
>
> I use BIND 9 "views" to allow recursive resolution for internal clients
> while preventing it for external clients. The Shorewall Setup Guide gives
> details.
>
> -Tom

And if you're one of those poor souls running SCO Open Server (SCO only provides BIND 8.2.2-P7) :-) you need to run two different instances. They need to listen on different ports, so the "external" one needs to run on something other than port 53; therefore you need a DNAT rule so that requests from the outside get shunted to the mystery port. Works well here.

-- 
_________________________________________
Nachman Yaakov Ziskind, EA, LLM                       awacs@egps.com
Attorney and Counselor-at-Law                         http://ziskind.us
Economic Group Pension Services                       http://egps.com
Actuaries and Employee Benefit Consultants
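Tom's BIND 9 "views" approach, written out as an added example (this is not from the thread or from the Shorewall Setup Guide). The zone names are the three bogy listed; the LAN range 192.168.1.0/24, the dial-up pool 10.10.0.0/16, the directory and zone file paths are assumptions for illustration. One named.conf serves both audiences: clients matching the trusted ACL get the "internal" view with recursion, everybody else gets the "external" view, which is authoritative only.

```conf
// named.conf fragment (added example, not the thread's configuration).
// Assumed: LAN is 192.168.1.0/24, dial-up customers get 10.10.0.0/16,
// zone files live under /var/named. Zone names are those from the thread.

acl "trusted" {
    127.0.0.1;
    192.168.1.0/24;     // internal clients
    10.10.0.0/16;       // dial-up customers, if you hand them their addresses
};

options {
    directory "/var/named";
    // Recursion is decided per view below; keep the global default closed
    // so a view that forgets to say so is not accidentally an open resolver.
    recursion no;
};

// Views are matched in order, so trusted clients land here and may recurse.
view "internal" {
    match-clients   { trusted; };
    recursion       yes;
    allow-recursion { trusted; };
    allow-query     { trusted; };

    // Root hints are needed inside the view for recursion to work at all.
    zone "." { type hint; file "named.root"; };

    zone "emis.com.au"          { type master; file "internal/emis.com.au.zone"; };
    zone "centre.net.au"        { type master; file "internal/centre.net.au.zone"; };
    zone "stainedglassshed.com" { type master; file "internal/stainedglassshed.com.zone"; };
};

// Everyone else: authoritative answers for our zones only, no recursion,
// so outside hosts cannot use this server as an open resolver.
view "external" {
    match-clients { any; };
    recursion     no;
    allow-query   { any; };

    zone "emis.com.au"          { type master; file "external/emis.com.au.zone"; };
    zone "centre.net.au"        { type master; file "external/centre.net.au.zone"; };
    zone "stainedglassshed.com" { type master; file "external/stainedglassshed.com.zone"; };
};
```

Once any view is defined, BIND 9 requires every zone to live inside a view, which is why the root hint zone is repeated in the internal view. Run `named-checkconf` before reloading. To confirm the split behaves, query the server for a name it is not authoritative for from an outside address (`dig @your.server www.example.org A` should come back with status REFUSED and no answer section) and repeat from the LAN (you should get an answer); from outside, `dig @your.server emis.com.au SOA` must still answer. On the Shorewall side, the `ACCEPT loc net` rules bogy quotes only let internal hosts reach outside resolvers; for outside clients to reach the authoritative server you also need `ACCEPT net fw` (or `net loc:<server address>` with a DNAT, if the server sits behind the firewall) for udp and tcp port 53.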
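The two-instance variant Nachman describes for a BIND 8 box, as an added example rather than his actual configuration: both named processes run on the firewall itself, the internal one listens on the LAN address at port 53, and the external one listens on the outside address at an assumed port 5300. The /etc/shorewall/rules lines below use Shorewall's `REDIRECT` action, which is the DNAT-to-the-firewall-itself form of a DNAT rule; the zone names `net`, `loc` and `fw` and the port number are assumptions.

```conf
# /etc/shorewall/rules fragment (added example, not the poster's own rules).
# Assumed: internal named listens on 192.168.1.1:53, external named listens
# on the outside interface address at port 5300.
#
#ACTION     SOURCE    DEST     PROTO    DEST PORT(S)
#
# Queries from the Internet arrive on port 53 and are shunted to the
# external instance on port 5300.  REDIRECT is DNAT to the firewall itself;
# Shorewall also generates the matching ACCEPT for the redirected traffic.
REDIRECT    net       5300     udp      53
REDIRECT    net       5300     tcp      53
#
# Internal clients query the internal instance on the normal port.
ACCEPT      loc       fw       udp      53
ACCEPT      loc       fw       tcp      53
#
# The internal instance must itself be able to recurse out to the Internet.
ACCEPT      fw        net      udp      53
ACCEPT      fw        net      tcp      53
```

On the BIND side, each instance needs its own named.conf and pid file, and the `listen-on` statements must not overlap: the external instance gets `listen-on port 5300 { <outside address>; };` with `recursion no;`, the internal instance `listen-on { 192.168.1.1; 127.0.0.1; };` with `recursion yes;`. Because netfilter's REDIRECT rewrites the destination to the address of the interface the packet arrived on, the external instance must be bound to the outside interface's address, not to 127.0.0.1. Do not add an `ACCEPT net fw ... 53` rule alongside the REDIRECT, or outside queries that for any reason miss the redirect would reach the recursive internal instance on port 53.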