
Re: DNS Management Policy

From: Philip Butler
Date: Tuesday, March 20, 2001
Time: 10:00:48 am

If I have a web server with a public IP address, will I be required to make
an entry on the private for any purpose? Or should I have both DNS servers
selected as resolvers for my workstation?

Philip

-----Original Message-----
From: quickdns-talk@lists.menandmice.com
[mailto:quickdns-talk@lists.menandmice.com]On Behalf Of Men & Mice
Support
Sent: Tuesday, March 20, 2001 1:08 AM
To: QuickDNS Talk
Subject: Re: DNS Management Policy


At 12:46 AM -0600 3/20/01, Philip Butler wrote:
>Thanks for your response.
>
>We have a PIX firewall that does all the NATing. If I have a device
>that is statically NATed from a public IP to a private IP...like a
>web server. How would I set up the records appropriately on the
>public and private DNS servers? Say it was www.domain.com,
>168.48.150.6 (public) and 10.10.10.6 (private). The whole world
>needs to be able to access this server. If I assign a private IP to
>the box and I tell the world (with DNS) that it's at a public IP
>address...how do I point from the public DNS to the private DNS to
>get the appropriate resolution? What records should be set up for
>this device? or am I even on a feasible track?

In the public records, create this A record:
www.domain.com. A 168.48.150.6

In the private records, create this A record:
www.domain.com. A 10.10.10.6

It sounds like you have the NAT server already set up, so it will
forward connections from the public address to the private address;
the public never sees the private IP address in the DNS records. Your
private DNS records are never consulted in this process. They are
used only for internal users trying to connect to the web server; for
them, the public records are never consulted.

Also, make sure that you have a reverse zone for your private
addresses, on the private server. WebSTAR will want to see a PTR
record for 10.10.10.6, and preferably one that resolves to
www.domain.com.

>Is it a better policy with a firewall in place that NATs almost
>everything to assign private IP's to all devices inside of the
>network and statically map them to a public IP at the firewall? or
>is this overkill and a waste of my time for things like web servers.
>Should I just use public IP's straight through for anything I want
>the world to have access to?

That's up to you. If you're just going to map public address to
private address, for all ports, then I don't see how it makes any
sense to use private addresses for servers. However, one thing you
can do with NAT is, using a single public address, split your
services across multiple servers. Thus, have the incoming SMTP server
on one machine, the web/ftp server on another machine, and DNS on a
third. To the outside world, it all looks like one server.
____________________________________________________________________
Chris Buxton Men & Mice
cbuxton@menandmice.com We Make DNS Easy!

>---------- Original Message ----------------------------------
>From: Men & Mice Support <cbuxton@menandmice.com>
>Reply-To: "QuickDNS Talk" <quickdns-talk@lists.menandmice.com>
>Date: Mon, 19 Mar 2001 21:25:14 -0800
>
> >At 2:28 PM -0600 3/19/01, Philip Butler wrote:
> >>I have a question of inexperience and would be incredibly grateful for any
> >>response or information you might have to offer me. I am administrating a
> >>network behind a firewall. I have a public QDNS server and a private QDNS
> >>server.
> >>
> >>How is this type of set up supposed to be configured?
> >>
> >>I am familiar with configuring a DNS server however, I'm not sure that I
> >>understand how this setup is supposed to work...or what would be the ideal
> >>configuration.
> >>
> >>On my private DNS server it contains all the DNS info for our private
> >>devices and (what's weird to me) is the Public DNS contains a lot of the
> >>same info AND public IP info?
> >>
> >>Thanks ahead of time. Any info on how this network should be set up would
> >>be appreciated. Thanks
> >
> >Any records you want the public to be able to see, put on the public
> >server. Make sure to use public IP addresses in these records, not
> >any private IP addresses that the public can't route to.
> >
> >Any records that you want your internal users to see, put on the
> >private server. Make sure to use IP addresses that internal users can
> >route to - if you're using a NAT server that doesn't support local
> >NAT, you'll need to use your internal IP addresses for your private
> >records.
> >
> >I'm afraid that's the only answer I can give based on the information
> >you've provided. If you want me to be more specific, you'll have to
> >be more descriptive of your setup.
> >____________________________________________________________________
> >Chris Buxton Men & Mice
> >cbuxton@menandmice.com We Make DNS Easy!
> >
> >
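
Added example, not part of the original thread or of QuickDNS: a small Python check of the public/private record split described above, using the names and addresses from the thread as constructed sample data. The simplified "owner TYPE rdata" line format and the function names are assumptions made for illustration; it flags private addresses in the public records and private A records that lack the matching PTR.

```python
import ipaddress

# Constructed sample records, using the names and addresses from the thread.
PUBLIC_ZONE = """\
www.domain.com.  A  168.48.150.6
"""
PRIVATE_ZONE = """\
www.domain.com.            A    10.10.10.6
6.10.10.10.in-addr.arpa.   PTR  www.domain.com.
"""

def parse(zone_text):
    """Parse simplified 'owner TYPE rdata' lines into (owner, type, rdata)."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata.lower()))
    return records

def check_split_dns(public_text, private_text):
    """Return a list of findings for a public/private record pair."""
    findings = []
    public, private = parse(public_text), parse(private_text)
    # Public view: no A record may carry an address the public can't route to.
    for owner, rtype, rdata in public:
        if rtype == "A" and ipaddress.ip_address(rdata).is_private:
            findings.append(f"public: {owner} exposes private address {rdata}")
    # Private view: each private A record should have a PTR back to its name.
    ptrs = {owner: rdata for owner, rtype, rdata in private if rtype == "PTR"}
    for owner, rtype, rdata in private:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        if not addr.is_private:
            continue
        rev = addr.reverse_pointer + "."
        if ptrs.get(rev) != owner:
            findings.append(f"private: {rdata} has no PTR to {owner} ({rev})")
    return findings

if __name__ == "__main__":
    for finding in check_split_dns(PUBLIC_ZONE, PRIVATE_ZONE) or ["no findings"]:
        print(finding)
```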





