Basic DNS Question: Internal IP visibility from Internet

 
 
gaur_ms@yahoo.co.in
Guest
Posts: n/a

 
      09-21-2005, 02:23 PM
Hi,
A very simple query about institute DNS configuration.
We have three DNS servers: 1. at the Linux firewall gateway cum DNS
doing NAT. 2. Another within our DMZ on external IP and 3. In the
Internal IP network isolated from the external world through Firewall
having internal IP 172.16.x.y.

At the Bastion host (firewall) only a single IP (domain.ac.in) is visible
to the outside world. We have created multiple zones for different
departments (who are/will host their own servers). This arrangement
works well within the campus, but queries meant for any server having
internal IP (intranet) are not resolved from outside. Do we have to
open those servers through our firewall for those servers as well? Or
is some other mechanism possible by which the DNS queries which cannot
be resolved by our main DNS visible from outside can be forwarded to
our internal DNS servers?

External|-----|Switch|------| Firewall|-----|Internal and Internal LAN
world and DNS1 DNS3(internal IP)
|
|
DNS2 having External IP

Much obliged for any help.
Karmath

 
 
 
 
 
S P Arif Sahari Wibowo
Guest
Posts: n/a

 
      09-21-2005, 03:06 PM
On Wed, 21 Sep 2005, (E-Mail Removed) wrote:
> This arrangement works well within the campus, but queries
> meant for any server having internal IP (intranet) are not
> resolved from outside.


Why do you want it to be resolved? Those servers' internal IPs are
not reachable from outside, right?

> Do we have to open those servers through our firewall for
> those servers as well?


You can create those zones in the external name servers, and set
those zones as slaves of the internal name servers.

--
Stephan Paul Arif Sahari Wibowo
_____ _____ _____ _____
/____ /____/ /____/ /____
_____/ / / / _____/ http://www.arifsaha.com/
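
An added example, not part of any post in this thread: a check for zone data served by an Internet-facing name server that flags A records pointing at RFC 1918 addresses such as 172.16.x.y, which outside clients cannot reach. The zone content, the host names under domain.ac.in and the address 203.0.113.10 are constructed sample values.

```python
import ipaddress

# Constructed sample: a zone as an Internet-facing server might serve it after
# pulling department records from the inside. Host names and addresses are
# made up; 203.0.113.10 stands in for the single public IP.
SAMPLE_ZONE = """\
$ORIGIN domain.ac.in.
$TTL 3600
@        IN NS    ns1.domain.ac.in.
ns1      IN A     203.0.113.10
www      IN A     203.0.113.10
physics  IN A     172.16.4.20   ; internal host
library  3600 IN A 172.16.9.5
chem     IN CNAME www
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def fqdn(owner, origin):
    """Expand '@' and relative owner names against $ORIGIN."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def parse_a_records(zone_text):
    """Yield (fqdn, address) for every A record in a simple one-line-per-record zone."""
    origin = owner = ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]              # drop comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("$"):            # $ORIGIN / $TTL directives
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1]
            continue
        if not line[0].isspace():                # a blank owner repeats the previous one
            owner, fields = fields[0], fields[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]                  # skip optional TTL and class
        if len(fields) >= 2 and fields[0].upper() == "A":
            yield fqdn(owner, origin), fields[1]

def private_leaks(zone_text):
    """Return A records whose address is RFC 1918 space, unreachable from outside."""
    return [(name, addr) for name, addr in parse_a_records(zone_text)
            if any(ipaddress.ip_address(addr) in net for net in RFC1918)]
```
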
 
 
Giovanni
Guest
Posts: n/a

 
      09-21-2005, 03:52 PM
On 09/21/05 16:23, (E-Mail Removed) wrote:
> Hi,
> A very simple query about institute DNS configuration.
> We have three DNS servers: 1. at the Linux firewall gateway cum DNS
> doing NAT. 2. Another within our DMZ on external IP and 3. In the
> Internal IP network isolated from the external world through Firewall
> having internal IP 172.16.x.y.
>
> At the Bastion host (firewall) only a single IP (domain.ac.in) is visible
> to the outside world. We have created multiple zones for different
> departments (who are/will host their own servers). This arrangement
> works well within the campus, but queries meant for any server having
> internal IP (intranet) are not resolved from outside. Do we have to
> open those servers through our firewall for those servers as well? Or
> is some other mechanism possible by which the DNS queries which cannot
> be resolved by our main DNS visible from outside can be forwarded to
> our internal DNS servers?
>
> External|-----|Switch|------| Firewall|-----|Internal and Internal LAN
> world and DNS1 DNS3(internal IP)
> |
> |
> DNS2 having External IP
>
> Much obliged for any help.
> Karmath
>


It is not clear to me why you need so many DNS servers. Making DNS1
authoritative for the internal network and external IP and maybe a
caching server for the remaining world is IMO what you need.

Ciao
Giovanni
--
A computer is like an air conditioner,
it stops working when you open Windows.
Registered Linux user #337974 <http://counter.li.org/>
 
 
gaur_ms@yahoo.co.in
Guest
Posts: n/a

 
      09-22-2005, 02:41 AM
1. We need to resolve the names as we would like to have the
departmental URL visible from the institute home page through
a resolvable link (having a different internal IP).
2. More than one DNS has been kept for redundancy as the network is
quite widespread, having a copper and fiber mix.
karmath

 
 
gaur_ms@yahoo.co.in
Guest
Posts: n/a

 
      09-22-2005, 05:14 PM
Present configuration of the firewall opens only one internal IP at
port 80 for browser access. Do I need to open all the Internal IPs at
port 80 where I want to provide external browsing?
-Karmath

 
 
Bill Marcum
Guest
Posts: n/a

 
      09-23-2005, 03:36 PM
On 22 Sep 2005 10:14:26 -0700, (E-Mail Removed)
<(E-Mail Removed)> wrote:
> Present configuration of the firewall opens only one internal IP at
> port 80 for browser access. Do I need to open all the Internal IPs at
> port 80 where I want to provide external browsing?
> -Karmath
>

You can use port forwarding, where external_ip:any_port is forwarded to
internal_ip:80.


--
Children are like cats, they can tell when you don't like them. That's
when they come over and violate your body space.
 
 
gaur_ms@yahoo.co.in
Guest
Posts: n/a

 
      10-15-2005, 03:31 AM
To add to the above configuration: suppose I have a registered domain
as x.y.z and www.x.y.z. Now this is a server which is running behind a
firewall (iptables), so all the http requests are forwarded to the internal
web server. Now I want to add another internal webserver A.x.y.z. I
wish to make it visible through the single external IP as for
www.x.y.z, so any browsing request from the external world, when it requests
A.x.y.z, should get the response from the different internal server.
At present when we click on A.x.y.z it goes back to www.x.y.z! Any
pointers to what might be wrong with our DNS or Firewall?
TIA
Karmath
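
An added example, not written by any poster in this thread: a model of what a port-forwarding rule can match (destination IP and port, as in the external_ip:any_port to internal_ip:80 suggestion above) next to what is only visible in the HTTP Host header. It shows a behaviour consistent with the symptom in the last post when two names share one external IP and one port; the addresses, the rule table and the name-based dispatcher are assumptions made for illustration.

```python
# Constructed addresses: 203.0.113.10 stands in for the single external IP,
# 172.16.0.10 and 172.16.0.20 for the two internal web servers.
DNAT_RULES = [
    # (external_ip, external_port) -> (internal_ip, internal_port); first match wins
    (("203.0.113.10", 80),   ("172.16.0.10", 80)),   # existing forward for www.x.y.z
    (("203.0.113.10", 8080), ("172.16.0.20", 80)),   # extra port forwarded to A.x.y.z
]
VHOSTS = {"www.x.y.z": ("172.16.0.10", 80), "a.x.y.z": ("172.16.0.20", 80)}

def dnat(dst_ip, dst_port, rules=DNAT_RULES):
    """Port forwarding sees only destination IP and port, never the host name."""
    for match, target in rules:
        if match == (dst_ip, dst_port):
            return target
    return None                                   # no rule: nothing is forwarded

def host_header(request: bytes):
    """Return the Host header of a raw HTTP/1.1 request, lower-cased, port removed."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":", 1)[0]   # IPv6 literals not handled
    return None

def route_by_host(request: bytes, vhosts=VHOSTS):
    """Name-based dispatch: unknown or missing Host gets no backend (default deny)."""
    return vhosts.get(host_header(request))

def request_for(name, port=80):
    """Build the request a browser would send for http://name[:port]/ ."""
    host = name if port == 80 else f"{name}:{port}"
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def compare(name, port=80, external_ip="203.0.113.10"):
    """Backend chosen by port forwarding vs. by Host header for the same request."""
    return dnat(external_ip, port), route_by_host(request_for(name, port))
```

With both names resolving to the same external IP, `compare("www.x.y.z")` and `compare("A.x.y.z")` return the same port-forwarding target on port 80; only a different external port or a dispatcher that reads the Host header separates them.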

 