Subject: dns doctoring
From: Micah Abrams @ 2003-01-09  8:03 UTC
  To: netfilter

List --

I'm building an iptables firewall to replace my pix 506.  The firewall will
only have two interfaces for now.  My dns server sits outside my firewall on
the internet and answers queries for both my internal network and the world.
Of course it only contains real world ips.  The pix has an option (called
alias) that doctors dns requests from my internal lan so that the reply
packet contains the internal ip address instead of the public address given
out by my dns server.  This lets the internal machines access internal hosts
via dns without having to run two dns servers.  For example, with the following
command:

alias (inside) 192.168.0.5 245.243.3.5 255.255.255.255

all dns queries passing through the pix containing the address 245.243.3.5
are re-written to contain 192.168.0.5.  My question is, is there any way to
do this with iptables?  How is everyone handling this?  I would really like
to avoid having two dns servers.  I am very new to iptables so any and all
help is much appreciated.

Thanks

~Micah




Subject: Re: dns doctoring
From: Raymond Leach @ 2003-01-09  8:25 UTC
  To: Netfilter Mailing List

Hi

There is a feature of most named's these days often called split horizon
DNS. That is what you're looking for.

Ray

On Thu, 2003-01-09 at 10:03, Micah Abrams wrote:
> List --
> 
> I'm building an iptables firewall to replace my pix 506.  The firewall will
> only have two interfaces for now.  My dns server sits outside my firewall on
> the internet and answers queries for both my internal network and the world.
> Of course it only contains real world ips.  The pix has an option (called
> alias) that doctors dns requests from my internal lan so that the reply
> packet contains the internal ip address instead of the public address given
> out by my dns server.  This lets the internal machines access internal hosts
> via dns without having to run two dns servers.  For example, with the following
> command:
> 
> alias (inside) 192.168.0.5 245.243.3.5 255.255.255.255
> 
> all dns queries passing through the pix containing the address 245.243.3.5
> are re-written to contain 192.168.0.5.  My question is, is there any way to
> do this with iptables?  How is everyone handling this?  I would really like
> to avoid having two dns servers.  I am very new to iptables so any and all
> help is much appreciated.
> 
> Thanks
> 
> ~Micah
-- 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(  Raymond Leach                       )
 ) Knowledge Factory                  (
(                                      )
 ) Tel: +27 11 445 8100               (
(  Fax: +27 11 445 8101                )
 )                                    (
(  http://www.knowledgefactory.co.za/  )
 ) http://www.saptg.co.za/            (
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   o                                o
    o                              o
        .--.                  .--.
       | o_o|                |o_o |
       | \_:|                |:_/ |
      / /   \\              //   \ \
     ( |     |)            (|     | )
     /`\_   _/'\          /'\_   _/`\
     \___)=(___/          \___)=(___/
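Both approaches from the thread side by side, as an added example that is not part of either post: the reply-rewriting that the PIX `alias` command does ("DNS doctoring", from Micah's question) and the split-horizon answer selection Ray points to. The addresses are the ones from the thread (192.168.0.5 internal, 245.243.3.5 public); the hostname `www.example.com`, the view table, the packets and all function names are constructed for this demonstration and are not from any firewall or name-server code.

```python
"""
Added example (not from the thread): two ways to hand LAN clients the
internal address of a host that public DNS publishes with a public IP.

  1. "DNS doctoring", what the PIX `alias` command does: rewrite the
     A-record RDATA inside DNS replies as they cross the firewall.
  2. Split-horizon DNS, as suggested in the reply: the name server picks
     the answer from the client's source address, so nothing is rewritten.

Hostname, view table and packets are constructed for the demo.
"""
import ipaddress
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past the name at `off`; a compression pointer ends a name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_response(qname, txn_id, addresses, ttl=300):
    """Build a minimal NOERROR response with one IN A record per address."""
    hdr = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN
    rrs = b""
    for addr in addresses:
        # owner name is a compression pointer (0xc00c) to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return hdr + question + rrs


def iter_answers(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10                              # TYPE, CLASS, TTL, RDLENGTH
        yield off, rtype, rclass, rdlen
        off += rdlen


def answer_addresses(pkt):
    """The IPv4 addresses carried by IN A records in the answer section."""
    return [str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            for off, rtype, rclass, rdlen in iter_answers(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_response(pkt, alias):
    """DNS doctoring: rewrite A-record RDATA per `alias` (public -> internal).

    Only IN A records with 4-byte RDATA are touched, so packet length and
    every offset stay the same; TTLs and the rest of the reply are untouched.
    """
    out = bytearray(pkt)
    for off, rtype, rclass, rdlen in iter_answers(out):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
            if public in alias:
                out[off:off + 4] = ipaddress.IPv4Address(alias[public]).packed
    return bytes(out)


# Split-horizon view table (constructed): the first view whose network matches
# the client wins, which is how a BIND `match-clients` view selection behaves.
VIEWS = [
    ("internal", ipaddress.ip_network("192.168.0.0/24"), {"www.example.com.": "192.168.0.5"}),
    ("external", ipaddress.ip_network("0.0.0.0/0"),      {"www.example.com.": "245.243.3.5"}),
]


def split_horizon_answer(qname, client_ip, txn_id, views=VIEWS):
    """Answer `qname` from the view that matches the client's source address."""
    client = ipaddress.ip_address(client_ip)
    for _view, net, zone in views:
        if client in net:
            if qname not in zone:
                return None                    # unknown in this view (NXDOMAIN in a real server)
            return build_response(qname, txn_id, [zone[qname]])
    return None


if __name__ == "__main__":
    reply = build_response("www.example.com.", 0x1234, ["245.243.3.5"])
    print("doctored:", answer_addresses(doctor_response(reply, {"245.243.3.5": "192.168.0.5"})))
    print("LAN view:", answer_addresses(split_horizon_answer("www.example.com.", "192.168.0.42", 1)))
```

The doctoring path shows why the firewall approach is fragile: it only works when the firewall can parse every reply in the clear, and any integrity protection on the answer (DNSSEC signatures cover the RDATA) breaks once the bytes are changed. Stock netfilter NAT rewrites IP and port headers, not DNS payloads, so reproducing the PIX behaviour on Linux would mean payload inspection in user space. Split horizon keeps the rewrite out of the network path entirely: the server hands each client the address that is correct from where it sits, which is the one-server solution Ray suggests.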
