Solved

DNS behind firewall

Posted on 2001-08-27
Last Modified: 2013-11-30
Hi, I recently set up a new internet connection for a small enterprise (Cisco 1700, T1, Watchguard Firebox),
put the whole thing behind a Watchguard firewall, web hosting, email, etc. Now the world can see all my stuff and I have configured the firewall properly, everything works great, etc. etc. ...no LAN clients can access the web site being hosted internally...they can hit everything else in the world just fine! The firewall views anything coming from 192.168.X.X private subnets as a spoof attack and so denies the request. The firewall vendor says "I need to set up internal DNS"....?... First a few bits of info:
I configured a DHCP scope for client IP addresses and pointed everyone to my ISP's DNS for name resolution. Prior to my arrival here, the old admin had set up and configured the primary and secondary domain controllers as "root" DNS servers (according to Microsoft anyway)...after reading about the MS DNS and Win2K Active Directory I am a bit confused how that works as opposed to real-world DNS/BIND, with which I am somewhat more familiar.
How do I enable LAN clients to hit our own web site internally? (Please don't say go to 192.168.x.x...the links on the site all point to real-world links underneath the root directory of the www machine and will break...but yes, you can get there using the IP of that machine.)
There seem to be several different ways around this but my main question is: DO I have to have a DNS machine on a registered public IP relaying DNS queries to solve this problem? I have a block of registered addresses I can use to set up an external machine and then NAT the DNS requests through my firewall, but then what? Do I use DHCP to have the client pick up the info from inside the public address and configure this external DNS machine as a forwarder to my ISP's primaries and secondaries...??? YIKES! OUCH...I know this has to be an easy question for those of you that have connected secured enterprise LANs to the Internet...any help is appreciated.

thanks in advance

FESTUS
Question by:FestusTheMule

24 Comments

LVL 55

Accepted Solution

by:
andyalder earned 25 total points
ID: 6429496
Yes, you have to make an internal DNS server.
Yes, what is seen by the outside is different from what is seen by the inside. I know of no way to ensure the host header translation done by the firewall is the same as that seen from inside. Only many workarounds. DHCP is not related to the problem, just another way of setting the client's values.
LVL 2

Assisted Solution

by:bsadlick
bsadlick earned 25 total points
ID: 6429534
The real problem is getting the inside client to see the inside IP address of the web server. No forwarders necessary, just set up the internal DNS zone with the name of the external DNS, and point the IPs appropriately.
Author Comment

by:FestusTheMule
ID: 6429683

andyalder:
So the most common configuration choice for this is to set up a native internal server (say a W2K DNS server?!) and point it to the ISP's primary and secondary? I have thought this to be the most logical approach...as I mentioned, there is currently a somewhat defunct W2K DNS server with the services running. It appears to be configured to act as a primary itself and apparently serves no real-world DNS functions. I am hesitant to mess with it though, as the Win2K DNS is integrated with the Active Directory stuff...should I reconfigure this DNS server to serve as mentioned above? Also you said that an internal server is needed...not an external...my question still stands: Do I have to have a DNS machine on a registered public IP relaying DNS queries between the ISP and the internal private network? I am aware of the function of DHCP but am confused as to whether the LAN clients using DNS for Microsoft Active Directory related LDAP function will get hosed? Should I post this in a Win2K forum instead? ugg. Please advise.

bsadlick: No, this isn't the real problem. As I stated, the internal web address of the server is accessible by the clients. IE: you can type 192.168.x.webhostip and it will pop up the index.html page. Zone transfers would have to occur through my firewall as I mentioned. Queries are UDP but zone transfers are TCP based...correct? In order to accomplish this I would need to allow for specific TCP and UDP traffic from this DNS machine to the outside world....
andyalder: Would it be a security risk to do so? The machine I mentioned which has the DNS W2K thing on it is also the Primary Domain Controller for this internal domain...seems a bit risky to me.

FESTUS
LVL 55

Expert Comment

by:andyalder
ID: 6429827
Scares me shitless having all my Microsoft internal Windows client names registered on the same server that looks after my company's public internet sites. But the split DNS firewalls can't cope with M$'s buggered-about naming schemes. Using 2 isolated namespaces until the firewall makers can support the namespaces now that both are on the same ports. Goodnight.
LVL 2

Expert Comment

by:bsadlick
ID: 6429835
I think you misunderstood what I was saying. The external world sees www.mydomain.com as 123.123.123.5, and the internal world WANTS to see it as 192.168.0.5, right?

If that is the case, then you do need an internal DNS server responding to requests for mydomain.com. Only the internal clients should be able to get to it. And you don't want the internal clients to see the "external" mydomain.com DNS, because they won't resolve the correct IP.
LVL 2

Expert Comment

by:bsadlick
ID: 6429853
BTW, zone transfers definitely happen using TCP, queries can happen either TCP or UDP, I think that recently the favorite is TCP.

Author Comment

by:FestusTheMule
ID: 6429903
bsadlick: Yes Yes Yes! This is the deal...now: How the heck do I configure the little W2K DNS server which currently provides MS-specific services to LAN clients to also respond to these requests for www.mydomain.com? Didn't you say I don't need to set this little dude up as a forwarder? That's good, because the option to do so is greyed out and it says "cannot do this because this machine is a "root" server" etc. Do I just create another "ZONE" on this DNS machine and point it to the ISP's DNS? If so, how? Do I have to reconfigure the machine and AD to support this?
ugg....thanks for all your input.

Author Comment

by:FestusTheMule
ID: 6429940
NONONO. See, the thing is that if I do that I have to have those ports open on my firewall to allow for transfers and queries between the W2K DNS internal server and the ISP's machines....correct? SO, in essence, I have to open my firewall to my domain controllers for this to occur.....?!?? ugg.
LVL 2

Expert Comment

by:bsadlick
ID: 6429980
You will need two separate boxes, since you are configuring the same zone name. In w2k, you add a standard primary zone, select forward lookup, give it the domain name, and finish. Add the host record for the web server, and then point your internal clients to use that DNS server. If you have other internal domain names, they must all reside on that internal DNS server.

I understand that BIND will allow you to configure different responses to a query based on the source IP address. That would make the requirement for a second DNS server unnecessary. I am trying to verify that now.
LVL 2

Expert Comment

by:bsadlick
ID: 6429997
I agree with andyalder. Put just a DNS box on the outside, and don't let anybody touch your DC on the inside. That would be too scary having your internal M$ server hanging out in the breeze.
LVL 55

Expert Comment

by:andyalder
ID: 6430098
>>the option to do so is greyed out and it says "cannot do this because this machine is a "root" server.

Delete the zone file (folder) called '.' and Actions -> Refresh. But do this on a separate box from the one that is authoritative for your namespace. Hocus pocus.

Author Comment

by:FestusTheMule
ID: 6430172
OH WOW. Now let me get this all straight:

bsadlick said: "you do need an internal DNS server responding to requests for mydomain.com. Only the internal clients should be able to get to it."

I agree with this. This is what I am after.

bsadlick also said: "And you don't want the internal clients to see the "external" mydomain.com DNS, because they won't resolve the correct IP." .

If this is the case, then how do these same clients resolve other names on the internet? .....??..... Even if they do resolve the "correct" (meaning private-class) IP, they will be denied access based on a current firewall rule which, as I stated earlier, filters out private-class addresses as spoof attacks.

bsadlick also said: "I agree with andyalder. Put just a DNS box on the outside, and don't let anybody touch your DC on the inside. That would be too scary having your internal M$ server hanging out in the breeze."

I also agree with this...kind of would defeat the purpose of worrying with security at all!  SO

Now, if that is the case, then all previous advice concerning configuring the Win2K machine in any fashion for this purpose is to be forgotten...correct?

Which leaves me back with my original question and possibly several more:

1. Do I have to have a DNS machine on a registered public IP relaying DNS queries between the ISP and the internal private network THROUGH MY FIREWALL?

2. How do my clients get this information and the Win2K Active Directory information provided by the domain controller machine?

3. What configuration specifics would be required of this external DNS machine?
LVL 2

Expert Comment

by:bsadlick
ID: 6431841
1. Not through your firewall. Put it outside your firewall, and only run DNS on it. Do not make it part of your internal authentication. It should only have information on it that you don't mind giving away.

2. The internal DC can continue serving up name resolution and user authentication, but it needs to point to the internal address of your web server to avoid the spoof attacks and routing nightmares.

3. Only run DNS on the outside box. Turn off all other protocols and applications. This box WILL be probed and possibly attacked, so keep that in mind when you set it up.

And to answer your earlier questions about how clients will resolve other outside names, that is the function of the "." namespace and the root.cache file. Assuming you have not made a "." zone, then your DNS servers will get the info they need from the DNS hierarchy. Essentially, if your DNS server does not know the answer to a query, it will ask the "." servers for the name server for the domain that you are trying to reach. Once it has the name server, then it will ask for a particular address from that name server. Once it has that address, it will cache that address for the TTL period so that it doesn't have to ask again repeatedly.

You may need to allow OUTBOUND DNS queries (both TCP and UDP) on your firewall.

Did this help?
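
An added example, not from any of the posters in this thread: the split-horizon ("two namespaces") setup bsadlick describes above, written as a BIND 9 named.conf with views, since he mentions that BIND can answer the same query differently depending on the source address. It uses the thread's placeholders (mydomain.com, www at 123.123.123.5 on the outside and 192.168.0.5 on the inside); the LAN prefix 192.168.0.0/24, the ISP resolver 203.0.113.53 and the secondary server 203.0.113.54 are assumptions. The external view is the hardened "only gives away what you don't mind giving away" box from the answer above: authoritative only, no recursion, transfers restricted.

```conf
// named.conf -- split-horizon DNS with BIND 9 views.
// Added example, not from the thread. Domain and www addresses are the
// thread's placeholders; the LAN prefix, the ISP resolver (203.0.113.53)
// and the secondary (203.0.113.54) are assumptions.

acl "lan" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    // Don't advertise the server version to whoever probes the outside box.
    version "not disclosed";
};

// Inside view: matched only for LAN sources. www resolves to the private
// address, so the HTTP request never leaves the LAN and the firewall's
// anti-spoof rule (RFC 1918 source arriving on the outside) is never hit.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };

    // Resolution for everything else: try the ISP's resolver first ...
    forwarders { 203.0.113.53; };
    forward first;
    // ... and fall back to full recursion from the root hints (needs
    // outbound UDP and TCP 53 from this server through the firewall).
    zone "." { type hint; file "named.root"; };

    // NOTE: a 'type master' zone for "." here would make this server a
    // "root server" and disable both forwarding and recursion -- the exact
    // symptom reported for the Win2K DNS server above.

    zone "mydomain.com" {
        type master;
        file "internal/mydomain.com.zone";   // www  IN A  192.168.0.5
    };
};

// Outside view: everyone else. Authoritative only, no recursion, and zone
// transfers limited to the secondary; no hint zone, so it cannot be used
// as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-transfer { 203.0.113.54; };

    zone "mydomain.com" {
        type master;
        file "external/mydomain.com.zone";   // www  IN A  123.123.123.5
    };
};
```

The two zone files are identical except for the www record (192.168.0.5 inside, 123.123.123.5 outside); remember to bump the SOA serial in each when you edit them. View order matters: BIND takes the first view whose match-clients matches, so the LAN view must come first. To check it from both sides, `dig @<server> www.mydomain.com A` from a LAN host should return 192.168.0.5, the same query from outside should return 123.123.123.5 with the AA flag set, and a query from outside for a name you are not authoritative for should get no answer (REFUSED or a bare referral, depending on version), which confirms recursion really is off for the world.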
 

Author Comment

by:FestusTheMule
ID: 6432446
bsadlick: things are getting clearer! Given what you just said above, I am not sure at all why I need that outside box at all. Let me give you some more info on my little scene here: I have one address in my external block dedicated to www, and I have had my ISP enter www.mydomain.com in their DNS and map it to that address. I NAT that address to an internal address using my firewall. Why won't it work if I just create a new A record on the little PDC/DNS machine for www.mydomain.com and give it the internal address..? This is what I am still struggling to understand...thanks for all your help!
LVL 2

Expert Comment

by:bsadlick
ID: 6432482
If your ISP DNS server is registered as the primary DNS for your domain, then you don't need an outside box. Your scenario will work for your internal clients as long as they point to that "little" DC/DNS server for name resolution.

Expert Comment

by:stretchfore
ID: 6497958
Another option you could try is putting the domain name in your hosts file on the local computers.

Expert Comment

by:CleanupPing
ID: 9156095
FestusTheMule:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
LVL 55

Expert Comment

by:andyalder
ID: 9522842
Split points?