
List:       sidewinder
Subject:    Re: [Sidewinder] Internal Hosts resolving external names and split,
From:       Sidewinder moderated discussion list <sidewinder () adeptech ! com>
Date:       2007-02-09 22:28:44
Message-ID: 001c01c74c99$a8ff0120$0201a8c0 () lordchariot ! com


As a general rule, I see most people forwarding their internal name servers
to the unbound (internal) interface on the firewall. This is what the
firewall was designed for.

The subsequent chaining of internal to external is by design after that and
you don't need to worry about it.
The only other decision you make is if you forward the external internet
side to an ISP name server or go to the root servers instead...your
choice.
 

-----Original Message-----
From: sidewinder-bounces@adeptech.com
[mailto:sidewinder-bounces@adeptech.com] On Behalf Of Sidewinder moderated
discussion list
Sent: Friday, February 09, 2007 4:53 PM
To: 'sidewinder@adeptech.com'
Subject: [Sidewinder] Internal Hosts resolving external names and
split, hosted DNS (long)

Our firewall currently runs split, hosted DNS ("unbound" for the
non-internet burbs and "internet" for the external internet burb).

As is usual, the unbound internal server is set up to identify the internet
name server in its forwarders list (actually 4 times - for retries), and set
as forward-only (since the internal burb has no direct outside access).

Currently our DNS is set up with a number of internal name servers that are
*not* forwarders, that most workstations and servers use.  At various times
they have either been disconnected (respond for their authoritative domains
only) or set up as internal roots.  Devices that needed to resolve external
names pointed at our firewall's internal name server.

That worked, and had some advantages for us, but is an issue when a
workstation inside needs to locate a service via DNS (to use a "transparent"
proxy).  This didn't happen very often in the past (most things use HTTP,
and we proxy that), but has been happening with increasing frequency and
inconvenience.  (The "real world" can be annoying for security types.... 8^)
).

So, we are considering setting things up so that workstations can resolve
external names.  

The language in the manual on page 315 under "Configuring the internal
network to use hosted DNS" says "If you are going to use transparent proxies
[note: this means application proxies, not DNS proxies] to provide Internet
services to your internal users, ...  (Second bullet) Point client
workstations to one or more internal name servers ... authoritative for the
internal domain and configured as slave forwarders, with the Sidewinder G2
forwarding destination".  [The first bullet is the option of pointing all
your clients to your Sidewinder, which is not practical for us for several
reasons.]

This brings up a question:  Which Sidewinder name server should be the
forwarding destination?  The intuitive first gut reaction would be for it to
be the unbound (internal name server).  But: when using split, hosted DNS on
Sidewinder, the internal (unbound) name server is itself a forwarder to the
external (Internet) name server.   Then one picks up O'Reilly DNS and BIND
which reads, in part "Avoid chaining your forwarders.  Don't configure
server A to forward to server B, and configure server B to forward to server
C".  So, these two guides are in conflict.  Unfortunately, the O'Reilly
book does not explain *why* chaining is a bad idea.

One thought is that it of course creates single points of failure.  Well,
that is kind of what firewalls are about, isn't it.  So that would be a
non-issue.    Frankly, I can't think of anything else, off-hand.

The other alternatives that occurred to me are not very attractive.  One
would be to give our internal name servers access to the Internet to resolve
names.  That would expose the internal name servers to some nasty things.
The other would be to have them forward their queries to the external name
server, via a packet filter (can't use a proxy, since the unbound server is
already listening on port 53!).  That seems kind of silly too.

So, what are folks generally doing out there for this?  Are folks generally
chaining forwarders when they have a fair number of internal name servers?
(we have on the order of a dozen of them).

Thanks.

JRJ
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
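As an added illustration (not taken from either message or from the Sidewinder documentation), this is what the reply's recommendation looks like in BIND terms on one of the internal name servers: authoritative for the internal domain, and a forward-only client of the firewall's unbound (internal) interface. The addresses, network ranges and zone name are constructed placeholders.

```conf
// named.conf fragment for one internal name server (constructed example).
// 192.0.2.1 stands in for the Sidewinder's internal (unbound-burb) address;
// 10.0.0.0/8 stands in for the internal networks.

options {
    directory "/var/named";

    // The only forwarding destination is the firewall's internal listener.
    // The firewall's own unbound -> internet chain is handled on the firewall.
    forwarders { 192.0.2.1; };

    // "forward only" is BIND 8/9 wording for what the manual calls a
    // "slave forwarder": if the forwarder does not answer, the query fails.
    // "forward first" would be the weak setting here, because it silently
    // falls back to direct recursion to the Internet, which is exactly the
    // exposure of the internal servers the original post wants to avoid.
    forward only;

    // Serve recursion to inside clients only.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
};

// Internal names are answered from local zone data and never reach the
// forwarder; only names outside this zone go to the firewall.
zone "example.internal" IN {
    type master;
    file "example.internal.zone";
};
```

With this in place the internal servers never need an outbound path of their own; if the firewall's unbound listener is down, external resolution simply stops rather than the servers resolving directly, which is the single point of failure the poster already accepts.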
