
Conference noted::seal

Title:SEAL
Moderator:GALVIA::SMITH
Created:Mon Mar 21 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:1989
Total number of notes:8209

1859.0. "dns and nt firewall routing problem" by SNOFS1::snod14dgp1.gen.sno.dec.com::snov14.sno.dec.com::stylianoua () Wed Mar 12 1997 05:40

Hi

I have just installed the AFW NT 1.1 at a customer site.
They have 2 internal networks. They have a 10.* and 203.1.*
nets. The routers and RouteAbouts are set up correctly to
route between the 2 networks.

The firewall is configured with address 10.16.0.1.
Originally the DNS had an address of 203.1.33.211. In this
case the DNS resolution would not work through the
firewall.
Forwarders and slave lines have been entered. We are using
Microsoft's DNS on NT 4.0.

When we changed the DNS to an address of 10.16.0.8 we
are suddenly able to do nslookups and surf the web, etc.

Question: Do the DNS and firewall have to be on the same
net as described above?
1859.1. "more info" by SNOFS1::snod14dgp12.gen.sno.dec.com::snov14.sno.dec.com::stylianoua () Wed Mar 12 1997 17:55
More info:

We are using hidden dns.

I'll explain further.

1. 203.1.32.10 is on the external card of the firewall and 
203.1.32.250 is our external router.
2. 203.1.33.*, 203.1.34.* is internal net. We also have
10.16.* on our internal net.
3. Internal card on the firewall is 10.16.0.1
4. We have full routing capabilities between the internal 10 net
and the internal 203.1.33.* and 203.1.34.* nets.
5. Originally we had the dns with 203.1.33.211. This machine
could not talk to the firewall using dns only. We could do
other things like ping to the firewall. DNS seems to be the 
only thing NOT getting to the firewall.
6. When we changed the dns to 10.16.0.8 the dns and the
firewall could talk and names could be resolved.

It seems dns only works when the firewall and the dns server are on 
the same nets. Is this right???


Thanks
Andrew Stylianou
1859.2. "" by BIGUN::nessus.cao.dec.com::Mayne (Churchill's black dog) Wed Mar 12 1997 18:08
DNS can obviously work between subnets. Being able to ping and other things 
(whatever the other things are) means that routing seems to be working 
properly. It sounds like there's a router blocking DNS access. (Sound familiar?)

Can any of the other systems do DNS to the firewall?

PJDM
1859.3. "implemented 2 dns'" by SNOFS1::stylia.sno.dec.com::snov14::stylianoua () Thu Mar 13 1997 01:48
No other systems can do dns to the firewall unless the server is set to the firewall.

What I have had to do is
1. Set up a main dns as with an ip address of 10.16.0.8 to serve any internal
machine no matter what network they are on. This way these machines can get out
to the external net.
2. Kept the current DNS going as 203.1.33.211 to serve internal nets only. This seemed
simpler than re-configuring 200 or so clients.

Any one who wants to surf or telnet externally will now need the new dns server address.

I will find out if the router is blocking any of the addresses.

Andrew Stylianou
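The symptom in this thread (ping reaches the firewall from 203.1.33.211, DNS does not, while a server on 10.16.0.8 resolves fine) is best separated with a probe that sends a real DNS query to port 53 and reports whether an answer came back, rather than relying on ping alone. The following is an added example, not code from the thread or from the AltaVista Firewall product. It builds a minimal DNS A query by hand, sends it over UDP to the firewall's internal address quoted above (10.16.0.1), and classifies the outcome. The queried name (www.example.com), the 3 second timeout and the 512 byte receive size are assumptions; run it from a host on the 203.1.33.x net and again from one on 10.16.x and compare.

```python
"""DNS reachability probe: does the target answer UDP/53, not just ICMP?

Added example for the thread above; not from the original posts.
Assumptions: query name www.example.com, 3 s timeout, UDP only.
"""
import random
import socket
import struct
import sys

def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Return a wire-format DNS query (recursion desired, one question)."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    # QNAME, then QTYPE (1 = A) and QCLASS (1 = IN)
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question

def parse_response(data: bytes, expected_txid: int) -> dict:
    """Decode the 12-byte DNS header of a reply and sanity-check the id."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray reply?)")
    return {
        "is_response": bool(flags & 0x8000),      # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,                  # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }

def classify(parsed: dict) -> str:
    """Turn a parsed header into a one-word verdict for the comparison."""
    if not parsed["is_response"]:
        return "not-a-response"
    if parsed["rcode"] == 5:
        return "refused"          # server reachable but policy denies this client
    if parsed["rcode"] == 0 and parsed["answers"] > 0:
        return "answered"
    return "replied-rcode-%d" % parsed["rcode"]

def probe(server: str, qname: str = "www.example.com", timeout: float = 3.0) -> str:
    """Send one query to server:53/udp and classify what comes back.

    'no-reply' means the packet was sent but nothing returned within the
    timeout: a filter on the path or a server that ignores this client.
    """
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(qname, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
        except OSError as exc:       # e.g. ICMP port unreachable surfaced as ECONNREFUSED
            return "error: %s" % exc
    try:
        return classify(parse_response(data, txid))
    except ValueError as exc:
        return "bad-reply: %s" % exc

if __name__ == "__main__":
    # Default target is the firewall's internal interface from the thread.
    targets = sys.argv[1:] or ["10.16.0.1"]
    for target in targets:
        print("%-16s %s" % (target, probe(target)))
```

If ping succeeds from 203.1.33.211 but this reports no-reply, while the same probe from 10.16.0.8 reports answered, the difference is specific to port 53 and the source net: either a filter on the router between the nets (the explanation .2 suggests) or the firewall's DNS accepting queries only from its directly attached subnet. A refused verdict instead points at a policy on the DNS server rather than at the path.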