DNS, firewall/network design question

DNS, firewall/network design question

Post by Struggle » Fri, 21 Mar 2003 05:00:58



I'm at an impasse, and I could use some help. I'm not sure if this is the
proper place to post this question, so if there's a more appropriate place,
please let me know.

I'm trying to set up a server that provides web and mail services for
multiple domains. This server sits in a colo facility at my ISP. The box I'm
using is running FreeBSD 4.7, and Apache 1.3.27. I don't seem to have any
problem providing web services with this machine. However, I am having DNS
issues. The web server machine is behind a firewall running OpenBSD 3.2.

The firewall has three interfaces, and was originally configured to only
protect a web server that is part of one of my companies' domain (abcde.com,
for reference purposes). That has worked great for years. Public DNS for
abcde.com has been served from a firewall appliance at the corporate
headquarters, and I have tried to keep the services provided by the firewall
machine limited to network address translation and packet filtering.

The fun starts when I add the second web server (www.uvwxyz.com, et al., for
reference), which is on a different interface, and different internal
network from the original (www.abcde.com for reference). I have the outside
interface of the firewall dual-homed, so it is receiving packets for both IP
blocks (a.b.c.d/25 and w.x.y.z/29 respectively). I believe I have the IP
network addresses translated correctly, with appropriate ports re-directed,
and packets filtered.

The question I have is, what's the appropriate way to do DNS for uvwxyz.com,
and whatever other domains I may end up providing web and mail services for?

My first thought is to run named on the web server box (www.uvwxyz.com), but
I am having trouble getting the outside world to see that box as a DNS
server.
Then, I thought I might serve DNS from the firewall box, but I'm reluctant
to have that box perform any other services for both security and
performance reasons, though I don't have any specific knowledge to support
my concerns. I need to maintain a high level of security, and I hope to have
lots of traffic (don't we all), so I want to maintain a high level of
performance.

Let me know if I've left out any important information, or need to clarify
anything. I've been working on this for a few days now, learning as I go,
and I've reached a point where I'm quite confused. I appreciate any help
anyone may offer.

 
 
 

DNS, firewall/network design question

Post by M Khom » Fri, 21 Mar 2003 10:10:40



> I'm at an impasse, and I could use some help. I'm not sure if this is the
> proper place to post this question, so if there's a more appropriate place,
> please let me know.

Considering you're not asking an obsd-specific question, you may fare
much better at one of these groups:
    comp.protocols.dns.bind
    mailing.unix.bind-users

> I'm trying to set up a server that provides web and mail services for
> multiple domains. This server sits in a colo facility at my ISP. The box I'm
> using is running FreeBSD 4.7, and Apache 1.3.27. I don't seem to have any
> problem providing web services with this machine. However, I am having DNS
> issues. The web server machine is behind a firewall running OpenBSD 3.2.

> The firewall has three interfaces, and was originally configured to only
> protect a web server that is part of one of my companies' domain (abcde.com,
> for reference purposes). That has worked great for years. Public DNS for
> abcde.com has been served from a firewall appliance at the corporate
> headquarters, and I have tried to keep the services provided by the firewall
> machine limited to network address translation and packet filtering.

> The fun starts when I add the second web server (www.uvwxyz.com, et al., for
> reference), which is on a different interface, and different internal
> network from the original (www.abcde.com for reference). I have the outside
> interface of the firewall dual-homed, so it is receiving packets for both IP
> blocks (a.b.c.d/25 and w.x.y.z/29 respectively). I believe I have the IP
> network addresses translated correctly, with appropriate ports re-directed,
> and packets filtered.

> The question I have is, what's the appropriate way to do DNS for uvwxyz.com,
> and whatever other domains I may end up providing web and mail services for?

> My first thought is to run named on the web server box (www.uvwxyz.com), but
> I am having trouble getting the outside world to see that box as a DNS
> server.

You have to tell the zone authority (e.g. netsol.com) to look there.
Otherwise, if your ISP curates your DNS, you have to make them change
their PRI servers to look at your www.wxyz.com. Since you're looking to
manage domains, I'd suggest you cut to the chase and eliminate the ISP as
DNS middleman.

> Then, I thought I might serve DNS from the firewall box, but I'm reluctant
> to have that box perform any other services for both security and
> performance reasons, though I don't have any specific knowledge to support
> my concerns. I need to maintain a high level of security, and I hope to have
> lots of traffic (don't we all), so I want to maintain a high level of
> performance.

> Let me know if I've left out any important information, or need to clarify
> anything. I've been working on this for a few days now, learning as I go,
> and I've reached a point where I'm quite confused. I appreciate any help
> anyone may offer.

Where you serve the DNS SOA from has little to do with the physical location
of the subnet. The only requirements are that the DNS server is on a public
IP address, is always available, and has a similarly available secondary on
a different IP address, and hopefully in a different location. NATting it to
www.wxyz.com is just a waste of resources. Running DNS on the OpenBSD 3.2
firewall is quite acceptable. BIND 9 is recommended to support the
internal/external views of your domains at the firewall.

DNS is also distributed by design, and zone authorities tend to pick up
your SOA and resource records and distribute them to the world for you.
What you need to concern yourself with more, performance-wise, is the
number of internal users making external lookup queries.

Typical solutions you'll find are to run (under BIND 9) internal DNS
servers that cache for popular sites. So, for example, if your users
interact with m$ extensively, you will run a DNS for microsoft.com that
obviates frequent querying to the outside. Other sites arrange with
their ISP to maintain their scrubbed DNS image of, say, pix.biz, to also
block visibility of, say, xxx.pix.biz, etc.

MK

 
 
 

1. DNS setting & Network Design

Dear All,

I have registered my own DNS with Directnic.
IP   : 202.123.123.123
Host : ns1.sample.com

Here is my Setting
1.) I set up firewall
    IP 202.123.123.123 NAT (Port 53)  => 192.168.1.5
    IP 202.123.123.123 NAT (Port 110) => 192.168.1.6
2.) I set up one Linux BIND on one PC (host name: ns1.sample.com, IP
    is 192.168.1.5).

In the BIND zone file:
    $ORIGIN sample.com.
    $TTL 3600
    ; BIND will not load the zone without an SOA and at least one NS at the apex
    @      IN SOA ns1.sample.com. hostmaster.sample.com. (1 3600 900 604800 3600)
    @      IN NS  ns1.sample.com.
    @      IN MX  5 mail.sample.com.   ; names without a trailing dot are relative to $ORIGIN
    ns1    IN A   202.123.123.123      ; the public (NAT) address, not 192.168.1.5
    mail   IN A   202.123.123.123

Am I right? Can I resolve ns1.sample.com?
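As an added example that is not part of the original thread: a small Python checker for the two points the replies above turn on, M Khom's requirement that the name server sit on a public address with a similarly available secondary on a different address, and the last post's question of what to publish when port 53 on 202.123.123.123 is NATed to 192.168.1.5. The two zone texts, sample.com, ns.isp.example and every address in them are constructed for the example, not taken from any real deployment.

```python
"""Offline sanity check for the public zone of a DNS server behind a NAT.
Added example; sample.com, ns.isp.example and all addresses are hypothetical."""
import ipaddress
from collections import defaultdict

# Constructed zone: the last post's sample.com plus a second NS, but with the
# inside (RFC 1918) address of the BIND host mistakenly published.
LEAKY_ZONE = """\
$ORIGIN sample.com.
@     IN SOA ns1.sample.com. hostmaster.sample.com. (2003032101 3600 900 604800 3600)
@     IN NS  ns1.sample.com.
@     IN NS  ns2.sample.com.
@     IN MX  5 mail.sample.com.
ns1   IN A   202.123.123.123
ns2   IN A   192.168.1.5
mail  IN A   202.123.123.123
"""

# Constructed zone: secondary hosted off-site (out of zone, so no glue needed)
# and only the public NAT address published.
CORRECTED_ZONE = """\
$ORIGIN sample.com.
@     IN SOA ns1.sample.com. hostmaster.sample.com. (2003032102 3600 900 604800 3600)
@     IN NS  ns1.sample.com.
@     IN NS  ns.isp.example.
@     IN MX  5 mail.sample.com.
ns1   IN A   202.123.123.123
mail  IN A   202.123.123.123
"""


def qualify(name, origin):
    """Expand '@' and relative names against $ORIGIN (which ends with '.')."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse one-record-per-line zone text into ({(owner, type): [rdata]}, origin).
    Handles $ORIGIN/$TTL, ';' comments, optional TTL/class and a one-line SOA."""
    origin, records = ".", defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        owner, i = qualify(fields[0], origin), 1
        if fields[i].isdigit():        # optional per-record TTL
            i += 1
        if fields[i].upper() == "IN":  # optional class
            i += 1
        rtype, rdata = fields[i].upper(), fields[i + 1:]
        if rtype in ("NS", "CNAME"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
        records[(owner, rtype)].append(tuple(rdata))
    return dict(records), origin


def check_zone(text):
    """Return a list of problems; an empty list means the zone passes."""
    records, origin = parse_zone(text)
    problems = []
    in_zone = lambda name: name == origin or name.endswith("." + origin)
    addresses = lambda name: [rr[0] for rr in records.get((name, "A"), [])]

    if (origin, "SOA") not in records:
        problems.append("no SOA record at the zone apex")
    ns_names = [rr[0] for rr in records.get((origin, "NS"), [])]
    if len(ns_names) < 2:
        problems.append("fewer than two NS records at the apex (no secondary)")
    for ns in ns_names:
        if in_zone(ns) and not addresses(ns):
            problems.append(f"in-zone NS {ns} has no glue A record")
    # Offline we only see in-zone addresses; if every NS is in zone, the
    # secondary must at least sit on a different address than the primary.
    if len(ns_names) >= 2 and all(in_zone(n) for n in ns_names):
        if len({a for n in ns_names for a in addresses(n)}) < 2:
            problems.append("all NS records resolve to a single address")
    for _pref, target in records.get((origin, "MX"), []):
        if (target, "CNAME") in records:
            problems.append(f"MX target {target} is a CNAME, which RFC 2181 forbids")
        elif in_zone(target) and not addresses(target):
            problems.append(f"MX target {target} has no A record")
    # The inside host behind the NAT must never appear in public data.
    for (owner, rtype), rrs in records.items():
        for (addr,) in (rrs if rtype == "A" else []):
            if not ipaddress.ip_address(addr).is_global:
                problems.append(f"A record {owner} -> {addr} is not publicly "
                                "routable; publish the NAT address instead")
    return problems
```

Calling check_zone(LEAKY_ZONE) reports the one defect, the 192.168.1.5 glue for ns2, and check_zone(CORRECTED_ZONE) returns an empty list. The parser only accepts the one-record-per-line shape shown; for a real zone file, named-checkzone from BIND is the syntax check, and this script adds the two things it does not do: refusing non-routable addresses in public data and insisting that in-zone name servers sit on distinct addresses.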
