12.07.2015

Symantec™ Security Gateways Reference Guide - Sawmill


52 Understanding access
Proxies

The DNS proxy

By default, the security gateway responds to DNS queries received on the loopback adapter (127.0.0.1) and any internal interfaces defined during setup. This means that clients on the protected network should never point directly to a public DNS server. If an internal DNS configuration is already present, clients on the protected network should point to the internal DNS server for all DNS requests. Similarly, internal DNS servers should not point directly to a public system for resolution. Instead, they should configure forwarders that point to the security gateway. If there is no internal DNS system, clients on the protected network should point directly at the inside interface of the security gateway.

Note: A check of the DNS settings should show that 127.0.0.1 is listed as the first name server. It is recommended that you have 127.0.0.1 as the only entry in the list so failed DNS lookups immediately signal a problem with the DNS proxy.

Private and public zone files

Public hosts are defined as any host that connects to the security gateway through a public interface (any interface not marked as private). For example, hosts on the Internet or on a service network are considered public hosts. Private hosts are defined as any host that connects to the security gateway through a private interface. A common example of a private host is an employee’s workstation.

The DNS proxy can host both public and private DNS records. Private host records are intended for internal use, and are never broadcast to public hosts. Public records are seen by both public hosts and private hosts. Therefore, access to these records depends on whether the requesting host is public or private.

Public and private DNS requests arriving at an interface marked as private are honored. Public DNS requests arriving at a public interface are answered only if the security gateway has a matching public host record. By default, any requesting host not connected to a private interface can only issue public DNS requests; they cannot have access to private DNS information. A public interface can be configured to expose private DNS information, but this is not commonly done.

Note: Inside and private do not mean the same thing. You can define an inside interface as public. For example, you may wish to define the inside interface facing a service network as public. However, before changing an inside interface, consider your licensing level. Each new connection from the security gateway to the network connected to that inside interface counts against your available licenses.

Using internal name servers

If you configured internal name servers to act as backups for the DNS proxy, do not point the security gateway’s resolver to the internal name servers. Instead, the resolver should always point to 127.0.0.1 (localhost) either solely or as the first entry. The DNS proxy should always try to look at the security gateway first when performing a DNS lookup. The only time that the internal name servers are used is when the DNS proxy is unable to handle the request.

Note: The DNS proxy cannot serve as a secondary name server. The DNS proxy can only serve as a primary name server.
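The two notes above (127.0.0.1 first, ideally the only name server, and never pointing the gateway's resolver at the internal name servers) can be checked mechanically. The following is an added example, not code from the Symantec guide; it assumes the resolver settings are available as resolv.conf-style text, and the sample inputs are constructed.

```python
"""Check a resolv.conf-style resolver configuration against the guide's
recommendation: 127.0.0.1 must be the first name server, ideally the only one."""
from dataclasses import dataclass, field
from typing import List

LOOPBACK = "127.0.0.1"  # the DNS proxy listens on the loopback adapter


@dataclass
class ResolverCheck:
    nameservers: List[str] = field(default_factory=list)
    first_is_loopback: bool = False
    loopback_only: bool = False
    warnings: List[str] = field(default_factory=list)


def parse_nameservers(text: str) -> List[str]:
    """Return the nameserver entries in order, ignoring comments and other keywords."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def check_resolver(text: str) -> ResolverCheck:
    """Evaluate the ordering rule and explain any deviation."""
    result = ResolverCheck(nameservers=parse_nameservers(text))
    ns = result.nameservers
    if not ns:
        result.warnings.append("no nameserver entries: resolver will not use the DNS proxy")
        return result
    result.first_is_loopback = ns[0] == LOOPBACK
    result.loopback_only = ns == [LOOPBACK]
    if not result.first_is_loopback:
        result.warnings.append(f"first name server is {ns[0]}, not {LOOPBACK}: lookups bypass the DNS proxy")
    elif not result.loopback_only:
        result.warnings.append("extra name servers after 127.0.0.1 will mask DNS proxy failures")
    return result


# Constructed samples: a misconfigured resolver (internal server first) and a correct one
SAMPLE_BAD = "# constructed\nsearch example.internal\nnameserver 10.0.0.53   # internal DNS\nnameserver 127.0.0.1\n"
SAMPLE_GOOD = "nameserver 127.0.0.1\n"

if __name__ == "__main__":
    for label, body in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        r = check_resolver(body)
        print(label, r.nameservers, r.warnings)
```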
