Nameserver in DMZ

DB

Hello,

Just had a quick question on whether or not anyone knows if you can run an MS
DNS server as an authoritative nameserver for a website domain in a
firewalled DMZ configuration. Similar to this:

Internet > OutsideFW ---------- InsideFW (10.X.X.X)
|
|
DMZ (172.16.16.x)
widgets.com Nameserver (172.16.16.100)

I see potential problems trying to resolve the outside IP address to
internet hosts from the privately addressed nameserver in the DMZ.

Any thoughts??

Thanks.
 
You have a couple of issues to separate here:

First, you are showing IANA-private addressing on your
DMZ, which implies some sort of address translation
on your firewall.

By itself this isn't a problem, but you of course will need to
allow port 53 DNS requests to come through that if
you are using a port-mapped (dynamic) NAT.

And, you cannot of course hand out 172.16 addresses
as this traffic cannot route on the public side. So you are
going to have to list the corresponding public IPs
in the host records. Again, should not be a problem.

The next question is whether your firewalls
can self-route their own WAN-side IPs, especially those
that are NAT-enabled. In other words, if your
inside network is handed an IP address which is one
of the public IPs on the outside of the (public) firewall, will that
traffic route correctly to the DMZ?

This is not an idle question. A number of otherwise
high-strength router/firewalls cannot. Any Cisco
box can (of course). But -- for example -- a SonicWall
in NAT mode cannot. Nor can a number of SOHO
routers.

And if it cannot you have a problem since your DNS
will hand out public IPs that may work fine from the public
side, but won't work at all on the inside. This is something
I urge you to hard-test before committing to a design as
documentation has been known to be misleading on this
subject.

You could shadow the DNS host records with copies that
list the inside IPs, and then use subnet ordering to try
and get the right addresses returned in both cases, but
this can be tricky to say the least, and it is not a road
I would want to walk.

Steve Duff, MCSE
Ergodic Systems, Inc.
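The two failure modes Steve describes (a record carrying a 172.16 address that is useless on the Internet, and a public address that inside clients cannot reach when the firewall cannot hairpin its own WAN IP) plus the "shadow record" workaround can be modelled in a few lines. The following is an added example written for this thread, not code from any poster or from SonicWALL/Microsoft DNS. The zone contents are constructed: widgets.com and 172.16.16.100 come from the question, the other hosts, the 10.0.0.0/8 inside range and the 192.0.2.x "public" addresses (the TEST-NET-1 documentation range, used as a placeholder) are made up.

```python
"""Split-horizon answer selection and reachability check for a DMZ
nameserver behind NAT (example code, not from the original thread)."""
import ipaddress

# RFC 1918 ranges: answers in these ranges do not route on the public side.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Networks whose clients sit behind the firewall (constructed for the example).
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.16.0/24")]

# Constructed zone: each host's NAT-translated public address and its DMZ address.
# 192.0.2.x is the TEST-NET-1 placeholder range, not a real allocation.
ZONE = {
    "ns1.widgets.com":  {"public": "192.0.2.10", "inside": "172.16.16.100"},
    "www.widgets.com":  {"public": "192.0.2.11", "inside": "172.16.16.101"},
    "mail.widgets.com": {"public": "192.0.2.12", "inside": "172.16.16.102"},
}


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_inside(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INSIDE_NETS)


def would_route(client_ip, answer_ip, hairpin_nat):
    """Whether a client that received answer_ip can actually reach it.

    Outside clients cannot use RFC 1918 answers at all. Inside clients can
    use a public answer only if the firewall routes traffic sent to its own
    WAN-side address back to the DMZ ("hairpin"/loopback NAT)."""
    if not is_inside(client_ip):
        return not is_rfc1918(answer_ip)
    if is_rfc1918(answer_ip):
        return True          # inside client talking to the DMZ address directly
    return hairpin_nat       # inside client aiming at the firewall's public IP


def resolve(name, client_ip, zone=ZONE, hairpin_nat=False):
    """A record to hand to client_ip for name.

    With hairpin NAT one public copy of each record serves everyone. Without
    it, inside clients must be given the shadow copy listing the inside IP,
    which is the split-horizon arrangement the thread describes."""
    rec = zone.get(name)
    if rec is None:
        return None
    if hairpin_nat or not is_inside(client_ip):
        return rec["public"]
    return rec["inside"]


def private_leaks(zone=ZONE):
    """Names whose public-facing record carries an RFC 1918 address, i.e. the
    mistake of publishing the DMZ address instead of its NAT mapping."""
    return sorted(name for name, rec in zone.items() if is_rfc1918(rec["public"]))


if __name__ == "__main__":
    for client in ("10.1.2.3", "198.51.100.7"):
        for hairpin in (False, True):
            answer = resolve("www.widgets.com", client, hairpin_nat=hairpin)
            print(f"client {client:14} hairpin={hairpin!s:5} -> {answer:14} "
                  f"reachable={would_route(client, answer, hairpin)}")
    bad_zone = {"ns1.widgets.com": {"public": "172.16.16.100", "inside": "172.16.16.100"}}
    print("leaking private addresses:", private_leaks(bad_zone))
```

The `would_route` check is the part worth running before committing to a design: set `hairpin_nat` to whatever the firewall actually does (after testing it, not after reading the manual) and confirm every client/answer pair the server can produce comes back reachable.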
 
Hi Steve

SonicWALL firmware 6.5.x.x can handle loopback, which is what I think
you said SNWL couldn't do in NAT mode.

Also, SNWL can do NAT on the DMZ (for over a year), and forwarding
incoming traffic from its own WAN IP to that host works for DNS and
other unicast traffic, as long as a rule is created in the proper
syntax:

allow DNS
Source: * *
Dest'n: DMZ 172.16.16.x
 
I was only using Sonicwall as an example of this
problem. There are lots and lots of offenders
in the router market as regards this particular "issue".
(They call it a limitation, I call it a bug.) So if they have
fixed this in 6.5 I count that as a Good Thing.

Though this isn't in any way a SW forum, it is a
public record of sorts, so it should be noted that
users of older SW boxes may not be able to
upgrade to the new f/w without redoing some licenses
(especially VPN). I advise checking first and making sure
you have 6.4 f/w handy in case you do need to backrev.

Steve Duff, MCSE
Ergodic Systems, Inc.
 