This is a discussion on Re: dns for DMZ with many servers (views confusion) within the Bind Users forums, part of the DNS and Related Forums category.
In article <d84kq5$1rup$1@sf1.isc.org>, Michał Kurowski <mkur@poczta.gazeta.pl> wrote:

> Hi,
>
> I think I'm confused a bit and I'd like to ask for some explanation.
>
> How are views actually supposed to work in a DMZ-type network with
> multiple servers?
>
> There are many different services in our DMZ running on many servers.
> Each one of them is supposed to be seen as the same (top-level)
> "address". The external view (or external bind) has no problems and the
> traffic is nicely forwarded by the firewall (DNAT-ed).
>
> My problem is the internal server (view). SMTP, WWW, FTP servers
> should all be resolved to the same top-level name and I'm not really
> sure how to do this.

In the external view, all the names will resolve to the firewall's public address (let's say it's 192.168.10.20):

    www  IN A 192.168.10.20
    smtp IN A 192.168.10.20
    ftp  IN A 192.168.10.20

But in the internal view, the names will resolve to the specific addresses (let's say they're in the 172.16.30.0/24 subnet):

    www  IN A 172.16.30.5
    smtp IN A 172.16.30.6
    ftp  IN A 172.16.30.7

Are you trying to use a single name for all the services? That won't work if they're on different servers and there's no port-forwarding device in the path. So don't do that.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
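A minimal BIND 9 configuration for the two-view layout Barry describes, added here as an example and not part of the thread. The addresses 192.168.10.20 and 172.16.30.0/24 are the ones from the post; the zone name example.com, the internal ACL ranges, the file paths, the ns1 host and the serial numbers are assumptions.

```conf
// named.conf excerpt: split-horizon views for the DMZ scenario above.
// 192.168.10.20 (firewall) and 172.16.30.x (DMZ hosts) come from the post;
// the zone name example.com, the ACL ranges and the file paths are assumed.
acl "internal" { 127.0.0.1; 10.0.0.0/8; 172.16.30.0/24; };

options {
    directory "/var/named";
    allow-transfer { none; };       // no AXFR of either copy of the zone
};

// BIND tries views in order and uses the first whose match-clients matches
// the query source, so the narrower internal view must be listed first.
// Once any view is declared, every zone must be placed inside a view.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                  // internal clients may use it as a resolver
    zone "example.com" { type master; file "internal/example.com.zone"; };
};

view "external" {
    match-clients { any; };
    recursion no;                   // authoritative only towards the Internet
    zone "example.com" { type master; file "external/example.com.zone"; };
};

; ---- internal/example.com.zone: real DMZ addresses, served to internal clients only
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2005060601 3600 900 1209600 300 )
@    IN NS  ns1.example.com.
ns1  IN A   172.16.30.2
www  IN A   172.16.30.5
smtp IN A   172.16.30.6
ftp  IN A   172.16.30.7

; ---- external/example.com.zone: every name points at the firewall's public address
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2005060601 3600 900 1209600 300 )
@    IN NS  ns1.example.com.
ns1  IN A   192.168.10.20
www  IN A   192.168.10.20
smtp IN A   192.168.10.20
ftp  IN A   192.168.10.20
```

Validate with `named-checkconf` and `named-checkzone example.com <zone file>` before reloading. Querying the server from an internal and from an external address (`dig @<server> www.example.com`) confirms which view each client lands in and that the DMZ addresses never leave the internal view.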