
Re: [FW-1] AW: [FW-1] Name resolution



Title: AW: [FW-1] Name resolution
No problem.  Not rude at all.  Besides, I'm used to security professionals being
rude ; ) .  It is an interesting question.  Maybe someone can provide some
input.  I must admit, I don't know how it works in Raptor.

regards.

Hal
-----Original Message-----
From: Steve McNutt [mailto:[email protected]]
Sent: Friday, June 21, 2002 3:26 PM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] Name resolution

Hal,

I didn’t mean to come off sounding rude.  It’s just that to go through and explain everything in enough detail to satisfy you would probably take quite a while.  Sorry if my reply sounded harsh or haughty.

-----Original Message-----
From: Steve McNutt
Sent: Friday, June 21, 2002 5:11 PM
To: 'Mailing list for discussion of Firewall-1'
Subject: RE: Re: [FW-1] AW: [FW-1] Name resolution

Proxy type firewalls are very different animals than stateful firewalls.  If you are interested in how products like Raptor and Sidewinder work, and how people tend to set them up and why, I am not the best resource for that, as I don’t have the time or inclination to go through it with you.  However, if you check out the Raptor product documentation, it should answer many of your questions.

Regards,

-s


-----Original Message-----
From: Hal Dorsman [mailto:[email protected]]
Sent: Friday, June 21, 2002 4:14 PM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] Name resolution

"DNS proxy" is not a DNS server.  Proxy means to act on another's behalf.  A proxy will go out and perform a lookup for a client for any configured service, including DNS.  So to say Raptor is a DNS proxy means that it will do DNS lookups for a client.  I admit complete ignorance of Raptor, but it would seem very odd to me to have a DNS server embedded in it.  That would be a very nonstandard design AFAIK.  I cannot imagine a customer that would not already have access to a DNS server.  DNS services are universally provided by the Internet Service Provider.  The Raptor DNS proxy, therefore, would logically provide client resolver lookups for them, rather than let them do it themselves.  I can't imagine an environment in which a client other than an ISP would need to set up their own DNS servers (except for internal DNS, of course, but that is not what we are talking about here) and an ISP is already going to have two.

So, am I confused, or are you?

regards,

Hal

-----Original Message-----
From: Steve McNutt [mailto:[email protected]]
Sent: Friday, June 21, 2002 12:46 PM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] Name resolution

Sigh.

DNS proxy is part of Raptor.  Raptor is a proxy type of firewall, not a stateful inspection firewall like a PIX or a Firewall-1.  A standard setup with a Raptor firewall is to use the proxy to implement split DNS.

This is a major headache when the customer tries to migrate to a stateful inspection firewall because I have to tell them the bad news, that they are going to have to set up a DNS server or two and change their client configs before I do the cut.  Been there, done that, have the T-shirt.


-----Original Message-----
From: Hal Dorsman [mailto:[email protected]]
Sent: Friday, June 21, 2002 2:07 PM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] Name resolution

Well, maybe people running Raptor FWs don't know any better.

Checkpoint admins seem to understand that you shouldn't run ANYTHING on a firewall.

Sorry, I just had to bust YOUR hump a little.

:)

Hal

-----Original Message-----
From: Steve McNutt [mailto:[email protected]]
Sent: Friday, June 21, 2002 11:03 AM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] Name resolution

I hate to be a contrarian, but people run DNS on Raptor firewalls all of the time.  I know you probably meant Checkpoint firewalls, but I just had to bust your hump a little ;-)

-s


-----Original Message-----
From: Andrew Jones [mailto:[email protected]]
Sent: Friday, June 21, 2002 1:07 AM
To: [email protected]
Subject: [FW-1] AW: [FW-1] Name resolution

Dude, this is so not a firewall issue. You can't do this with a firewall, and this functionality doesn't make sense with a firewall anyway. The DNS suffix lists ARE the way to do this.

                        -&
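The thread touches three ideas without showing any of them concretely: a DNS proxy that performs lookups on a client's behalf (Hal's point), a proxy firewall that uses that position to implement split DNS so internal names are never disclosed to the outside (Steve's point), and client-side suffix search lists for short names (Andrew's point). The toy model below is an added example written for this archive; it is not Raptor code and not from any poster. All zone names, addresses and the upstream resolver table are constructed, and the upstream resolver is a dictionary standing in for the ISP's recursive server.

```python
"""Toy split-DNS proxy: answers internal clients from the inside view, forwards
their other queries upstream, and gives outside clients only the public view.
Added illustration; constructed data, not any vendor's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Sequence

# Constructed sample data (hypothetical zone and addresses).
ZONE = "example.test."
INTERNAL_NET = ip_network("10.0.0.0/8")          # clients behind the proxy
INTERNAL_ZONE = {                                 # inside view of the zone
    "intranet.example.test.": "10.1.1.10",
    "mail.example.test.": "10.1.1.25",
    "www.example.test.": "10.1.1.80",
}
PUBLIC_ZONE = {                                   # outside view: no intranet host
    "www.example.test.": "203.0.113.10",
    "mail.example.test.": "203.0.113.25",
}
UPSTREAM = {                                      # stand-in for the ISP resolver
    "www.example.net.": "198.51.100.7",
}


@dataclass
class Answer:
    name: str
    rcode: str                 # "NOERROR", "NXDOMAIN" or "REFUSED"
    address: Optional[str] = None
    source: str = ""           # which table or policy produced the answer


def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def is_internal(client_ip: str) -> bool:
    return ip_address(client_ip) in INTERNAL_NET


def _lookup_one(fqdn: str, internal: bool, upstream: Dict[str, str]) -> Answer:
    """Answer one fully-qualified name according to which side asked."""
    in_zone = fqdn == ZONE or fqdn.endswith("." + ZONE)
    if internal:
        if fqdn in INTERNAL_ZONE:
            return Answer(fqdn, "NOERROR", INTERNAL_ZONE[fqdn], "internal-zone")
        if in_zone:
            # Authoritative for the zone: never leak the query upstream.
            return Answer(fqdn, "NXDOMAIN", None, "internal-zone")
        # Anything else is resolved on the client's behalf via the upstream.
        if fqdn in upstream:
            return Answer(fqdn, "NOERROR", upstream[fqdn], "upstream")
        return Answer(fqdn, "NXDOMAIN", None, "upstream")
    # Outside clients see only the public view and get no recursion at all,
    # so the proxy is not an open resolver and internal names stay hidden.
    if fqdn in PUBLIC_ZONE:
        return Answer(fqdn, "NOERROR", PUBLIC_ZONE[fqdn], "public-zone")
    if in_zone:
        return Answer(fqdn, "NXDOMAIN", None, "public-zone")
    return Answer(fqdn, "REFUSED", None, "policy")


def resolve(name: str, client_ip: str, search_list: Sequence[str] = (),
            upstream: Dict[str, str] = UPSTREAM) -> Answer:
    """Resolve `name` for `client_ip`, expanding single-label names with the
    client's suffix search list exactly as a stub resolver would."""
    internal = is_internal(client_ip)
    bare = name.rstrip(".")
    if "." in bare:
        candidates = [_fqdn(name)]
    else:
        candidates = [_fqdn(f"{bare}.{suffix}") for suffix in search_list]
    last = Answer(_fqdn(name), "NXDOMAIN", None, "no-search-list")
    for fqdn in candidates:
        last = _lookup_one(fqdn, internal, upstream)
        if last.rcode == "NOERROR":
            return last
    return last


if __name__ == "__main__":
    for q, ip in [("intranet.example.test", "10.5.5.5"),
                  ("intranet.example.test", "192.0.2.9"),
                  ("www.example.net", "10.5.5.5"),
                  ("www.example.net", "192.0.2.9")]:
        print(q, ip, resolve(q, ip))
    print(resolve("intranet", "10.5.5.5", ("corp.test", "example.test")))
```

The same name yields different answers depending on which interface the query arrived on, which is the whole point of split DNS: an outside query for `intranet.example.test` gets NXDOMAIN rather than the inside address, and an outside query for an unrelated domain is refused rather than recursed. The last call shows why suffix lists belong on the client: the proxy only ever sees fully-qualified names, so a short name is completed by trying each configured suffix in turn.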