Re: Splitting across 2 macs/firewall
From: Men & Mice Support
Date: Sunday, September 9, 2001
Time: 7:13:57 pm

At 2:49 PM -0700 9/7/01, Deborah Sherwood wrote:
>Hello,
>
>Not even sure if this is do-able but I'd like to have
>www.mydomainname.net on one server and private.mydomainname.net on a
>server located behind a firewall.
>
>I've configured the firewall okay - I can get to the site (behind the
>firewall) using the IP number and path when I'm in the office just fine.
>When I'm out of the office I can get to the site using the IP address of
>the Router (which then ports to the server).
>
>What I don't know how to do is set up the DNS records in QDNS and also
>the virtual domain information in WebStar (so I don't have to type the
>IP numbers/path, rather just private.mydomainname.net).
An A record can only refer to a single IP address; using multiple A
records will not achieve your stated goal. If your firewall/NAT
server supports a mechanism to let an internal workstation access an
internal server by the router's IP address, then you can do what you
want easily. If not, you're going to have problems.
The work-around is to somehow differentiate between internal data and
public data. There are many ways to do this. Here are three separate
options you might want to consider:
1. Use different names for your internal and public IP addresses. For
example, if you want "private.mydomainname.net" to only be resolvable
from inside your firewall, then you've already split your data this
way.
2. Use different zones for your internal and public IP addresses. For
example, you might use "mydomainname.net" for the outside world, and
then use "mydomainname.lan" when you're inside the firewall.
3. Use different DNS servers for internal and public use. The public
DNS servers don't need to answer recursive queries; these are the
servers listed in the zone delegation (i.e. these are the ones you
use when you register the domain). The internal workstations are
configured to use the internal servers, so that they get the internal
IP addresses of your machines.
Each of these three work-arounds essentially doubles the effort
involved in maintaining your DNS data. So using a NAT server that
includes another solution is preferable. Unfortunately, very few NAT
servers do so.
- IPNetRouter has an option for this. They call it "local NAT". They
have a very good explanation of the problem on their website.
- Netopia routers, I'm told, incorporate such a feature.
- IPtables, a standard Linux feature (kernel version 2.4.x), can be
configured for this, I believe, though I've never done so.
- Some Cisco NAT servers offer a different solution, where the DNS
data is translated as it passes through the firewall. This works well
except for zone transfers, for which it fails utterly.
____________________________________________________________________
Chris Buxton                  Men & Mice
cbuxton@menandmice.com        We Make DNS Easy!
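The split-DNS approach in option 3 above, and the hairpin-NAT problem behind the "single A record" warning, as an added Python example that is not part of the thread and not Men & Mice or QuickDNS code. It models a nameserver that picks an answer set by the querying client's source address, and a small reachability check showing why handing inside clients the router's public address fails unless the NAT box supports "local NAT". The host names are the ones from the thread; the addresses (192.168.1.0/24 for the LAN, 203.0.113.x for the public side, 198.51.100.7 as an outside client) are constructed documentation-range values.

```python
import ipaddress

# Constructed sample data (RFC 1918 / RFC 5737 ranges, not real hosts).
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
ROUTER_PUBLIC_IP = ipaddress.ip_address("203.0.113.1")

# One answer set per view. The external view hands out the router's public
# address for private.mydomainname.net (the router port-forwards it); the
# internal view hands out the server's real LAN address.
ZONE_VIEWS = {
    "internal": {
        "www.mydomainname.net.": "203.0.113.10",
        "private.mydomainname.net.": "192.168.1.20",
    },
    "external": {
        "www.mydomainname.net.": "203.0.113.10",
        "private.mydomainname.net.": "203.0.113.1",
    },
}


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def select_view(client_ip: str) -> str:
    """Choose the view from the source address of the query."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETWORKS) else "external"


def resolve_a(name: str, client_ip: str, split_horizon: bool = True):
    """Return the A record the server would answer, or None (NXDOMAIN).

    split_horizon=False models the single-record setup the reply warns about:
    every client, inside or outside, gets the public data.
    """
    view = select_view(client_ip) if split_horizon else "external"
    return ZONE_VIEWS[view].get(normalize(name))


def reachable(client_ip: str, target_ip: str, hairpin_nat: bool = False) -> bool:
    """Model whether a TCP connection from client_ip to target_ip can succeed.

    An inside client talking to its own router's outside address only works
    when the NAT box supports hairpinning ("local NAT" in IPNetRouter's
    terms); outside clients can never reach LAN addresses directly.
    """
    target = ipaddress.ip_address(target_ip)
    client_inside = select_view(client_ip) == "internal"
    target_inside = any(target in net for net in INTERNAL_NETWORKS)
    if client_inside and target == ROUTER_PUBLIC_IP:
        return hairpin_nat
    if not client_inside and target_inside:
        return False
    return True


def can_connect(name: str, client_ip: str, split_horizon: bool = True,
                hairpin_nat: bool = False) -> bool:
    """Resolve the name as the client would see it, then test reachability."""
    answer = resolve_a(name, client_ip, split_horizon)
    return answer is not None and reachable(client_ip, answer, hairpin_nat)


if __name__ == "__main__":
    for client in ("192.168.1.5", "198.51.100.7"):
        for split in (False, True):
            ok = can_connect("private.mydomainname.net", client, split_horizon=split)
            print(f"client {client:14} split_horizon={split!s:5} -> reachable={ok}")
```

With split_horizon=False the inside client is told 203.0.113.1 and the connection fails unless hairpin_nat=True, which is exactly the NAT feature the reply says most routers lack; with the two views the inside client gets 192.168.1.20 and connects directly, at the cost of maintaining both answer sets.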