From: Howard C. Berkowitz (hcb@xxxxxxxxxxxx)
Date: Mon Feb 18 2002 - 19:20:48 GMT-3
I usually have two DNS servers, inside and outside.
Assume foo.test.com is an inside server and pub.test.com an outside server.
The outside DNS will resolve pub.test.com to its actual address, and
foo.test.com to the outside address of the firewall.
The inside DNS will resolve foo.test.com to its actual address, and
pub.test.com to the inside address of the firewall.
>Out of curiosity, what is the "best practice" for someone who has a
>DNS server on their private network with a private IP address? How would
>one go about doing this with a router? Is it impossible? Is the "best
>practice"/only possible way to have the DNS server having a public IP
>address (in a DMZ)?
>
>Kind Regards,
>Tim Booth
>MCDBA, CCNP, CCDP, CCIE written
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>Sent: Monday, February 18, 2002 13:16
>To: cisco@groupstudy.com
>Subject: Re: DNS Request Redirection [7:35703]
>
>hhmmm.....
>
>as I understand the original question, each workstation in the network
>in question is hard coded for DNS.
>
>So, if for example, my machine is hard coded for DNS server
>207.126.96.162
>( my ISP DNS server ) and I change ISP's, and make no changes to my
>workstation, then any DNS request will have a destination address of
>207.126.96.162
>
>The question, as I understand, is how to change that destination address
>without making workstation visits.
>
>Policy routing can change next hop, but not destination address. NAT
>outbound changes source address, not destination address.
>
>Unless there is a packet interceptor that takes all DNS requests, and
>physically changes the destination address, the user has few options.
>
>Again, IF the former ISP does not restrict DNS requests to its own
>address space, i.e. accepts DNS requests from anywhere, then there is no
>problem, and no changes need be made.
>
>However IF ( and this would be good practice for a lot of reasons ) the
>former ISP does indeed restrict DNS requests to source addresses within
>its own space, then there will have to be additional changes on the user
>network.
>
>This whole discussion illustrates why people SHOULD follow best practice
>from the get go. If they want to hard code IPs, then I believe DHCP can
>be configured so that it provides only DNS info and default gateway info,
>for example. The people who have insisted that their network hard code
>everything are now learning the hard lesson.
>
>Chuck
--
"What Problem are you trying to solve?"
***send Cisco questions to the list, so all can benefit -- not directly to me***
Howard C. Berkowitz hcb@gettcomm.com
Chief Technology Officer, GettLab/Gett Communications
Technical Director, CertificationZone.com
"retired" Certified Cisco Systems Instructor (CID) #93005
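The inside/outside split Howard describes, as an added example that is not from the original thread: it uses BIND views so both sets of answers can be shown on one server, whereas Howard runs two separate servers. All addresses, file names and serials are assumed (10.0.0.0/8 for the inside network, 192.0.2.0/24 documentation space for the outside), and the firewall is assumed to sit at 10.0.0.1 inside and 192.0.2.1 outside.

```conf
// named.conf excerpt (assumed addresses; inside view answers first)
acl "inside-nets" { 10.0.0.0/8; 127.0.0.0/8; };

view "internal" {
    match-clients { "inside-nets"; };
    recursion yes;                  // inside clients may use us as resolver
    zone "test.com" {
        type master;
        file "db.test.com.internal";
    };
};

view "external" {
    match-clients { any; };         // everyone not matched above: the Internet
    recursion no;                   // authoritative only, never an open resolver
    zone "test.com" {
        type master;
        file "db.test.com.external";
    };
};

; db.test.com.internal -- what inside clients see (assumed values)
$TTL 3600
@       IN SOA  ns.test.com. hostmaster.test.com. ( 2002021801 3600 900 604800 300 )
        IN NS   ns.test.com.
ns      IN A    10.0.0.53
foo     IN A    10.0.0.10       ; foo's actual inside address
pub     IN A    10.0.0.1        ; inside address of the firewall, not pub's own

; db.test.com.external -- what the Internet sees (assumed values)
$TTL 3600
@       IN SOA  ns.test.com. hostmaster.test.com. ( 2002021801 3600 900 604800 300 )
        IN NS   ns.test.com.
ns      IN A    192.0.2.53
pub     IN A    192.0.2.80      ; pub's actual (DMZ) address
foo     IN A    192.0.2.1       ; outside address of the firewall, not foo's own
```

To check which view a client lands in, run `dig +short foo.test.com @ns.test.com` from an inside host and from an outside one: the first should return 10.0.0.10, the second 192.0.2.1, and neither view should ever leak the other's addresses.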
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:26 GMT-3