If you want to run your own DNS server which is authoritative for your
domain, it must be on a box with a public IP.  You cannot put it behind a
firewall that does NAT.  Apparently Bind 9 was supposed to have something
which would allow it to serve out responses to queries if it was being
NAT'd, but I haven't heard much about it.

Jay



-----Original Message-----
From: andy at theasis.com [mailto:andy at theasis.com]
Sent: Tuesday, November 21, 2000 10:13 PM
To: tclug-list at lists.real-time.com
Subject: Re: [TCLUG] firewall followup: DNS server


> As I mentioned previously, I think I'll go with this setup. What if I want
> to run my own DNS? Does that change things? If the 675 is getting my static
> IP and assigning a private IP to the firewall, how will DNS work? Will I
> have to buy an additional IP or two in order to act as my own primary DNS?

Well, you probably can't buy a single IP -- chances are you'll have to go
with a block of 8 (a /29), 6 of which are usable. 

The answer to the DNS question depends on which computers will use it. 

If you want the world to see those names, you'll likely have to get a
block of IPs to assign to the hosts that will get them (i.e., the web
server in the DMZ, and anything else you put out there). Also potentially
visible to the world is the exterior-facing interface of your linux
firewall. But it's preferable to keep that obscure, and unnamed. 

The other use for DNS in your setup is on the internal, private network.
If you just want computers in there to know each other, you can set up a
nameserver that maps names to the LAN hosts. Of course it can also serve
those hosts by performing/caching lookups on domains out in the cloud.

You can come up with a mixture of these two strategies. One approach worth
understanding was explained in a recent Linux Journal article (maybe 2 or
3 months ago?)

Andy 

> 
> -Tim
> 
> --
> Tim Wilson      | Visit Sibley online:         | Check out:
> Henry Sibley HS | http://www.isd197.k12.mn.us/ | http://www.zope.org/
> W. St. Paul, MN |                              | http://slashdot.org/
> wilson at visi.com |   <dtml-var pithy_quote>     | http://linux.com/
> 
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list
> 

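The "mixture of these two strategies" Andy mentions (world-visible names for the DMZ hosts, private names for the LAN, recursion only for the LAN) is what BIND 9 calls views. The script below is an added example, not code from anyone in this thread: it writes a split-horizon named.conf plus an external and an internal zone file into a directory, then runs BIND's own named-checkconf and named-checkzone over them when those tools are installed. Every address and name in it is an assumption chosen for illustration (example.org, a 203.0.113.8/29 block from the ISP with the primary NS on .9, the web server on .10 and a secondary NS on .11, and a 192.168.1.0/24 LAN); substitute your own. Note the external view refuses recursion and publishes no name for the firewall's outside interface, and the external zone contains no private addresses at all, which is the property worth checking after every edit.

```shell
#!/bin/sh
# Added example (not from the thread): generate a split-horizon BIND 9
# layout -- an "internal" view for the LAN and an "external" view for the
# world -- and run BIND's syntax checkers over it if they are installed.
# Assumed addressing (illustrative only):
#   public /29 from the ISP : 203.0.113.8/29 (usable .9 - .14)
#   primary NS / web / 2nd NS: 203.0.113.9 / .10 / .11
#   LAN behind the firewall : 192.168.1.0/24   domain: example.org
# Usage: sh split-dns.sh /tmp/split-dns

write_split_dns_config() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/named.conf" <<'EOF'
acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { any; };
    allow-transfer { none; };   // default unless a zone overrides it
    version "none";             // do not advertise the BIND version
};

// LAN clients: recursive service plus the internal copy of the zone.
view "internal" {
    match-clients { lan; };
    recursion yes;
    allow-recursion { lan; };
    zone "." { type hint; file "named.ca"; };
    zone "example.org" {
        type master;
        file "example.org.internal";
    };
};

// Everyone else: authoritative answers only, no recursion, no private
// names, and nothing published for the firewall's outside interface.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.org" {
        type master;
        file "example.org.external";
        allow-transfer { 203.0.113.11; };   // the secondary only
    };
};
EOF

    # Public view: only hosts in the DMZ block are named.
    cat > "$dir/example.org.external" <<'EOF'
$TTL 3600
@       IN SOA ns1.example.org. hostmaster.example.org. (
                2000112101 ; serial, YYYYMMDDnn
                3600 900 604800 3600 )
        IN NS  ns1.example.org.
        IN NS  ns2.example.org.
ns1     IN A   203.0.113.9
ns2     IN A   203.0.113.11
www     IN A   203.0.113.10
EOF

    # LAN view: the same public records plus the private hosts.
    cat > "$dir/example.org.internal" <<'EOF'
$TTL 3600
@       IN SOA ns1.example.org. hostmaster.example.org. (
                2000112101 ; keep in step with the external serial
                3600 900 604800 3600 )
        IN NS  ns1.example.org.
        IN NS  ns2.example.org.
ns1     IN A   203.0.113.9
ns2     IN A   203.0.113.11
www     IN A   203.0.113.10
fileserver IN A 192.168.1.20
laptop  IN A   192.168.1.30
EOF
}

# Run BIND's checkers when present; succeed quietly on a box without BIND
# so the generator itself still works there.
check_split_dns_config() {
    dir=$1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q example.org "$dir/example.org.external" || return 1
        named-checkzone -q example.org "$dir/example.org.internal" || return 1
    fi
    return 0
}

if [ -n "${1:-}" ]; then
    write_split_dns_config "$1" && check_split_dns_config "$1" && echo "wrote $1"
fi
```

Once named is running, confirm the split from both sides: `dig @192.168.1.2 fileserver.example.org` from a LAN host should answer, while the same query from outside (or with `dig +norecurse`) should return no such name, and an outside query for an unrelated domain should be refused rather than recursed. If the nameserver itself has to sit behind the NATing router rather than in the DMZ, the same layout still works provided the router forwards UDP and TCP port 53 to it and the external zone file lists the public addresses, not the private ones the server sees locally.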