ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakk_5.4.0.1/rzakkscenario5.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Example: Split Domain Name System over firewall" />
<meta name="abstract" content="This example depicts Domain Name System (DNS) operating over a firewall to protect internal data from the Internet, while allowing internal users to access data on the Internet." />
<meta name="description" content="This example depicts Domain Name System (DNS) operating over a firewall to protect internal data from the Internet, while allowing internal users to access data on the Internet." />
<meta name="DC.Relation" scheme="URI" content="rzakkexampleparent.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakkconceptbind.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakkscenario5" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Example: Split Domain Name System over firewall</title>
</head>
<body id="rzakkscenario5"><a name="rzakkscenario5"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Example: Split Domain Name System over firewall</h1>
<div><p>This example depicts Domain Name System (DNS) operating over a
firewall to protect internal data from the Internet, while allowing internal
users to access data on the Internet.</p>
<div class="section"><p>The following illustration depicts a simple subnet network that
uses a firewall for security. OS/400<sup>®</sup> V5R1 DNS based on BIND 8 allows
you to set up multiple DNS servers on a single iSeries™. Suppose that the company has
an internal network with reserved IP space, and an external section of a network
that is available to the public.</p>
<p>The company wants its internal clients
to be able to resolve external host names and to exchange mail with people
on the outside. The company also wants its internal resolvers to have access
to certain internal-only zones that are not available at all outside of the
internal network. However, they do not want any outside resolvers to be able
to access the internal network.</p>
<p>To accomplish this, the company sets
up two DNS server instances on the same iSeries server, one for the intranet
and one for everything in its public domain. This is called<em> split DNS</em>.</p>
<div class="fignone"><span class="figcap">Figure 1.  Split DNS over firewall</span><br /><img src="rzakk504.gif" alt="Split DNS over firewall." /><br /></div>
<p>The external server, DNSB, is configured with a primary zone mycompany.com.
This zone data includes only the resource records that are intended to be
part of the public domain. The internal server, DNSA, is configured with a
primary zone mycompany.com, but the zone data defined on DNSA contains intranet
resource records. The forwarders option is defined as 10.1.2.5. This forces
DNSA to forward queries it cannot resolve to the DNSB server.</p>
<p>If you
are concerned about the integrity of your firewall or other security threats,
you have the option of using the listen-on option to help protect internal
data. To do this, you can configure the internal server to only allow queries
to the internal mycompany.com zone from internal hosts. In order for all this
to work properly, internal clients need to be configured to query only the
DNSA server. You need to consider the following configuration settings to
set up split DNS:</p>
<ul><li>Listen-on<p>In previous examples, there has been only one DNS server on
an iSeries.
It is set to listen on all interface IP addresses. Whenever you have multiple
DNS servers on an iSeries, you have to define the interface IP addresses
that each one listens on. Two DNS servers cannot listen on the same address.
In this case, assume that all queries coming in from the firewall are sent
in on 10.1.2.5. These queries should be sent to the external server. Therefore,
DNSB is configured to listen on 10.1.2.5. The internal server, DNSA, is configured
to accept queries from anything on the 10.1.x.x interface IP addresses <em>except</em> 10.1.2.5.
To effectively exclude this address, the Address Match List (AML) must have
the excluded address listed before the included address prefix.</p>
</li>
<li>Address Match List (AML) order<p>The first element in the AML that a given
address matches is used. For example, to allow all addresses on the 10.1.x.x
network except 10.1.2.5, the ACL elements must be in the order (!10.1.2.5;
10.1/16). In this case, the address 10.1.2.5 is compared to the first element
and will immediately be denied.</p>
<p>If the elements are reversed (10.1/16;
!10.1.2.5), the IP address 10.1.2.5 will be allowed access because the server
will compare it to the first element, which matches, and allow it without
checking the rest of the rules.</p>
</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakkexampleparent.htm" title="You can use these examples to understand how to use Domain Name System (DNS) in your network.">Domain Name System examples</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzakkconceptbind.htm" title="Besides dynamic updates, BIND 8 offers several features to enhance performance of your Domain Name System (DNS) server.">BIND 8 features</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="reference" />`
			`<meta name="DC.Title" content="Example: Split Domain Name System over firewall" />`
			`<meta name="abstract" content="This example depicts Domain Name System (DNS) operating over a firewall to protect internal data from the Internet, while allowing internal users to access data on the Internet." />`
			`<meta name="description" content="This example depicts Domain Name System (DNS) operating over a firewall to protect internal data from the Internet, while allowing internal users to access data on the Internet." />`
			`<meta name="DC.Relation" scheme="URI" content="rzakkexampleparent.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="rzakkconceptbind.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="rzakkscenario5" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Example: Split Domain Name System over firewall</title>`
			`</head>`
			`<body id="rzakkscenario5"><a name="rzakkscenario5"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Example: Split Domain Name System over firewall</h1>`
			`<div><p>This example depicts Domain Name System (DNS) operating over a`
			`firewall to protect internal data from the Internet, while allowing internal`
			`users to access data on the Internet.</p>`
			`<div class="section"><p>The following illustration depicts a simple subnet network that`
			`uses a firewall for security. OS/400<sup>®</sup> V5R1 DNS based on BIND 8 allows`
			`you to set up multiple DNS servers on a single iSeries™. Suppose that the company has`
			`an internal network with reserved IP space, and an external section of a network`
			`that is available to the public.</p>`
			`<p>The company wants its internal clients`
			`to be able to resolve external host names and to exchange mail with people`
			`on the outside. The company also wants its internal resolvers to have access`
			`to certain internal-only zones that are not available at all outside of the`
			`internal network. However, they do not want any outside resolvers to be able`
			`to access the internal network.</p>`
			`<p>To accomplish this, the company sets`
			`up two DNS server instances on the same iSeries server, one for the intranet`
			`and one for everything in its public domain. This is called<em> split DNS</em>.</p>`
			`<div class="fignone"><span class="figcap">Figure 1. Split DNS over firewall</span><br /><img src="rzakk504.gif" alt="Split DNS over firewall." /><br /></div>`
			`<p>The external server, DNSB, is configured with a primary zone mycompany.com.`
			`This zone data includes only the resource records that are intended to be`
			`part of the public domain. The internal server, DNSA, is configured with a`
			`primary zone mycompany.com, but the zone data defined on DNSA contains intranet`
			`resource records. The forwarders option is defined as 10.1.2.5. This forces`
			`DNSA to forward queries it cannot resolve to the DNSB server.</p>`
			`<p>If you`
			`are concerned about the integrity of your firewall or other security threats,`
			`you have the option of using the listen-on option to help protect internal`
			`data. To do this, you can configure the internal server to only allow queries`
			`to the internal mycompany.com zone from internal hosts. In order for all this`
			`to work properly, internal clients need to be configured to query only the`
			`DNSA server. You need to consider the following configuration settings to`
			`set up split DNS:</p>`
			`<ul><li>Listen-on<p>In previous examples, there has been only one DNS server on`
			`an iSeries.`
			`It is set to listen on all interface IP addresses. Whenever you have multiple`
			`DNS servers on an iSeries, you have to define the interface IP addresses`
			`that each one listens on. Two DNS servers cannot listen on the same address.`
			`In this case, assume that all queries coming in from the firewall are sent`
			`in on 10.1.2.5. These queries should be sent to the external server. Therefore,`
			`DNSB is configured to listen on 10.1.2.5. The internal server, DNSA, is configured`
			`to accept queries from anything on the 10.1.x.x interface IP addresses <em>except</em> 10.1.2.5.`
			`To effectively exclude this address, the Address Match List (AML) must have`
			`the excluded address listed before the included address prefix.</p>`
			`</li>`
			`<li>Address Match List (AML) order<p>The first element in the AML that a given`
			`address matches is used. For example, to allow all addresses on the 10.1.x.x`
			`network except 10.1.2.5, the ACL elements must be in the order (!10.1.2.5;`
			`10.1/16). In this case, the address 10.1.2.5 is compared to the first element`
			`and will immediately be denied.</p>`
			`<p>If the elements are reversed (10.1/16;`
			`!10.1.2.5), the IP address 10.1.2.5 will be allowed access because the server`
			`will compare it to the first element, which matches, and allow it without`
			`checking the rest of the rules.</p>`
			`</li>`
			`</ul>`
			`</div>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakkexampleparent.htm" title="You can use these examples to understand how to use Domain Name System (DNS) in your network.">Domain Name System examples</a></div>`
			`</div>`
			`<div class="relref"><strong>Related reference</strong><br />`
			`<div><a href="rzakkconceptbind.htm" title="Besides dynamic updates, BIND 8 offers several features to enhance performance of your Domain Name System (DNS) server.">BIND 8 features</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`