
Re: [FW-1] AW: [FW-1] Name resolution



"DNS proxy" is not a DNS server.  Proxy means to act on another's
behalf.  A proxy will go out and perform a lookup for a client for any
configured service, including DNS.  So to say Raptor is a DNS proxy
means that it will do DNS lookups for a client.  I admit complete ignorance
of Raptor, but it would seem very odd to me to have a DNS server embedded
in it.  That would be a very nonstandard design AFAIK.  I cannot imagine
a customer that would not already have access to a DNS server.  DNS
services are universally provided by the Internet Service Provider.  The
Raptor DNS proxy, therefore, would logically provide client resolver lookups
for them, rather than let them do it themselves.  I can't imagine an environment
in which a client other than an ISP would need to set up their own DNS
servers (except for internal DNS, of course, but that is not what we are talking
about here), and an ISP is already going to have two.
 
So, am I confused, or are you?
 
regards,
 
Hal
-----Original Message-----
From: Steve McNutt [mailto:[email protected]]
Sent: Friday, June 21, 2002 12:46 PM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] Name resolution

Sigh.

 

DNS proxy is part of Raptor.  Raptor is a proxy type of firewall, not a stateful inspection firewall like a PIX or a Firewall-1.  A standard setup with a Raptor firewall is to use the proxy to implement split DNS.

 

This is a major headache when the customer tries to migrate to a stateful inspection firewall because I have to tell them the bad news, that they are going to have to set up a DNS server or two and change their client configs before I do the cut.  Been there, done that, have the T-shirt.

 

-----Original Message-----
From: Hal Dorsman [mailto:[email protected]]
Sent: Friday, June 21, 2002 2:07 PM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] Name resolution

 

Well, maybe people running Raptor FW's don't know any better.

 

Checkpoint admins seem to understand that you shouldn't run ANYTHING on a firewall.

 

Sorry, I just had to bust YOUR hump a little.

 

:)

 

Hal

-----Original Message-----
From: Steve McNutt [mailto:[email protected]]
Sent: Friday, June 21, 2002 11:03 AM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] Name resolution

I hate to be a contrarian, but people run DNS on Raptor firewalls all of the time.  I know you probably meant Checkpoint firewalls, but I just had to bust your hump a little ;-)

 

-s

 

-----Original Message-----
From: Andrew Jones [mailto:[email protected]]
Sent: Friday, June 21, 2002 1:07 AM
To: [email protected]
Subject: [FW-1] AW: [FW-1] Name resolution

 

Dude, this is so not a firewall issue. You can't do this with a firewall, and this functionality doesn't make sense with a firewall anyway. The DNS suffix lists ARE the way to do this.

                        -&
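The thread above argues about what a firewall "DNS proxy" that implements split DNS actually does: answer queries for the internal zone from one view or the other depending on where the client sits, forward everything else upstream on the inside clients' behalf, and refuse to recurse for strangers. The following is an added example written for this page, not code from Raptor, Checkpoint or any of the posters. The 10.0.0.0/8 inside network, the example.test zone with its two views, the upstream stub and the query names are all constructed for the example; the only real thing in it is the DNS wire format of the question section.

```python
"""Minimal split-horizon DNS policy over wire-format queries (offline).

Added example, not Raptor's code. Everything below the imports is a
constructed assumption for illustration: the inside network, the zone,
its internal and external views, and the upstream stub.
"""
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed inside clients
ZONE_SUFFIX = "example.test."                        # assumed split zone

# Internal view: what clients behind the firewall should see (constructed).
INTERNAL_ZONE = {
    "www.example.test.": "10.1.1.10",
    "mail.example.test.": "10.1.1.20",
    "intranet.example.test.": "10.1.1.30",
}
# External view: what the Internet sees for the same zone (constructed).
EXTERNAL_ZONE = {
    "www.example.test.": "203.0.113.10",
    "mail.example.test.": "203.0.113.20",
}


def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard recursive query (QCLASS IN) in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype) for a single-question query.

    Name compression pointers are rejected in the question section, and
    labels are lower-cased so lookups are case-insensitive as DNS requires.
    """
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels) + ".", qtype


def stub_upstream(qname, qtype):
    """Stand-in for the ISP resolver the proxy would really forward to."""
    return {"www.iana.example.": "192.0.2.1"}.get(qname)  # constructed


def resolve(packet, client_ip, upstream=stub_upstream):
    """Apply the split-DNS policy to one query from client_ip.

    Returns a tuple (verdict, qname, address): "answer" when served from
    the view matching the client's side, "nxdomain" when the zone is ours
    but that view has no such name, "forward" when proxied upstream for an
    inside client, "refused" when an outside client asks for anything else.
    """
    _txid, qname, qtype = parse_query(packet)
    inside = ipaddress.ip_address(client_ip) in INTERNAL_NET
    in_zone = qname == ZONE_SUFFIX or qname.endswith("." + ZONE_SUFFIX)
    if in_zone:
        view = INTERNAL_ZONE if inside else EXTERNAL_ZONE
        if qtype == 1 and qname in view:
            return ("answer", qname, view[qname])
        return ("nxdomain", qname, None)
    if not inside:
        # No open recursion: outsiders only get our own zone.
        return ("refused", qname, None)
    # Inside client asking about the outside world: act on its behalf.
    return ("forward", qname, upstream(qname, qtype))


if __name__ == "__main__":
    for client, name in [("10.2.3.4", "intranet.example.test"),
                         ("198.51.100.7", "intranet.example.test"),
                         ("198.51.100.7", "www.example.test"),
                         ("10.2.3.4", "www.iana.example"),
                         ("198.51.100.7", "www.iana.example")]:
        print(client, name, resolve(build_query(name), client))
```

The point the example makes concrete is the one Hal and Steve are circling: the thing on the firewall is a policy layer in front of two record sets and one forwarder, and the migration headache Steve describes is that once the proxy goes away, the internal view and the forwarding role each need a real server of their own.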