Pix Firewall Internal DNS

We have a PIX firewall and we want to use one DNS server. The DNS server is behind the firewall. When we do a DNS command, it returns the external IP address. We need it to give us the internal IP address so that we can access the server. If we try to access with the external IP address, it doesn't work. We have added the alias commands to the firewall but that doesn't fix the problem because the request doesn't run through the firewall.
donald9 asked:
td_miles commented:
You have a few options:

1. If you are using BIND v9, it supports a feature called "views". You can use this to provide an alternate database for the same zone.

2. Implement split dns using two different servers (one for internal, another for external).

3. Create a special A record for internal use. E.g. you could create a host "www1" that is for internal use only and resolves to the internal address of the web server.

(I have assumed a web server, but it can be any type of server).

http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-split-horizon.html
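Option 1 above, as an added example that is not part of the original thread: a BIND 9 named.conf excerpt with two views of xyz.com, followed by the two zone files those views load. The addresses (LAN 192.168.1.0/24, DNS server 192.168.1.10 with a PIX static NAT to 203.0.113.10, web server 192.168.1.20 with a static NAT to 203.0.113.20) and the file names are assumptions for illustration, not values from the thread.

```bind
// ===== named.conf (excerpt) =====
// Assumed addresses, not from the thread:
//   LAN 192.168.1.0/24, DNS server 192.168.1.10 (public 203.0.113.10),
//   web server 192.168.1.20 (public 203.0.113.20, PIX static NAT).

acl "lan" {
    127.0.0.1;
    192.168.1.0/24;
};

// Views are tried top-down and the first match-clients hit wins,
// so the narrow internal view must come before the catch-all.
view "internal" {
    match-clients { "lan"; };
    recursion yes;                      // LAN hosts use this box as their resolver

    zone "." {                          // root hints are needed for recursion
        type hint;
        file "named.ca";
    };

    zone "xyz.com" {
        type master;
        file "zones/db.xyz.com.internal";
    };
};

view "external" {
    match-clients { any; };             // Internet queries arriving via the PIX static NAT
    recursion no;                       // never act as an open resolver for the outside

    zone "xyz.com" {
        type master;
        file "zones/db.xyz.com.external";
    };
};

// ===== zones/db.xyz.com.internal (loaded only by the "internal" view) =====
// $TTL 3600
// @       IN SOA  ns1.xyz.com. hostmaster.xyz.com. ( 2003010101 3600 900 604800 300 )
//         IN NS   ns1.xyz.com.
// ns1     IN A    192.168.1.10      ; private address of the DNS server
// www     IN A    192.168.1.20      ; private address of the web server

// ===== zones/db.xyz.com.external (loaded only by the "external" view) =====
// $TTL 3600
// @       IN SOA  ns1.xyz.com. hostmaster.xyz.com. ( 2003010101 3600 900 604800 300 )
//         IN NS   ns1.xyz.com.
// ns1     IN A    203.0.113.10      ; PIX static NAT for the DNS server
// www     IN A    203.0.113.20      ; PIX static NAT for the web server
```

The two zone files are shown here as comments inside the one block only so the whole example fits in one listing; on the server they are separate files, and both SOA serials have to be bumped whenever a record changes in either view. This works with the PIX in the path because an inbound static translation rewrites only the destination address: a query from the Internet still reaches BIND with its real source address, misses the "lan" ACL and gets the 203.0.113.x answers, while a LAN client that queries 192.168.1.10 directly matches the internal view and gets the RFC 1918 address, so its web traffic never has to leave and re-enter the PIX on the outside interface. Two caveats: once any view is defined, every zone (including the root hints and localhost zones) must live inside a view, and the internal view should not be reachable from the outside, so keep `recursion no` on the external view. Verify from both sides with `dig @192.168.1.10 www.xyz.com` on a LAN host and `dig @203.0.113.10 www.xyz.com` from an external host, and check that the A records differ.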
donald9 (author) commented:
Any ideas we can do that involve the DNS server built into windows 2000 (other than #3)?
Tim Holman commented:
I'm a bit lost. Could you explain this in more detail? Also, a diagram and PIX config may help.
You don't need the alias command to get DNS to work?
Usually, you would configure the W2K DNS server as your primary DNS, and then set this up to look up DNS records on other servers in the world as and when necessary.
td_miles commented:
Tim, the way I understand it, it's your normal setup, LAN-PIX-Internet. They then have NATs on the PIX to the DNS & WWW servers that are on the LAN. As the DNS is serving the Internet, then a lookup for www.xyz.com will produce the REAL IP address of the server.

For people outside, this is fine and everything works as expected: they look up www.xyz.com, get its public IP address, then connect to that IP address. The traffic hits the PIX, gets NATed, goes to the webserver on the LAN. All is well.

For people inside, they connect to the DNS server using its private IP address, look up www.xyz.com and still get its PUBLIC IP address (it is the same DNS server, giving the same results). They then try to connect to the public IP address of www.xyz.com. Their PC correctly determines that it is a non-local IP address and sends the traffic to the default gateway (the PIX). The traffic gets to the PIX, where it stops, as the traffic needs to be NATed outbound, then NATed back inbound (to get to the webserver) on the same outside interface of the PIX (which we all know DOESN'T work).

--------

Donald, obviously correct me if I'm wrong with my explanation of what I see the problem as being. No, there is no way that I know of to do this in win2k (there could be, just none that I know of).
Tim Holman commented:
Thanks!

So.. to use the DNS server inside, the DHCP scope should point to the internal DNS server IP address, and a reverse lookup record should exist to resolve both external and internal DNS server addresses to the actual DNS server name.

Are we on the right track?
lrmoore commented:
Are you still working on this? Do you need more information?
Can you close out this question?
lrmoore commented:
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}