IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
All DNS clients, including those on the application gateway, must be
configured in such a way that they always use the internal DNS server (e.g.
using entries in the file /etc/resolv.conf).
If an internal client asks for an internal computer, the internal DNS server is
used. If an internal client or a client on the application gateway asks for an
external computer, the internal DNS server is consulted, which in turn
consults the external DNS server, which in turn consults the Internet, which
then responds.
An external client which asks for an internal host receives the restricted list
from the external DNS server.
The packet filter used must be configured in such a way that only the DNS
service is permitted between the servers, i.e. DNS port 53 as the source and
destination port. The approval of other ports (> 1023) is thus not necessary.
net to be
protected
packet filter packet filter
internal
DNS enquiry
private
DNS server
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Dual-homed
Application
Gateway
DNS-Abfrage
des Gateway
Figure 4: Configuration of the DNS servers
Public
DNS server
exteral
DNS enquiry
insecure
network
The private DNS server is the primary DNS server for the protected
network and passes enquiries about external computers to the public DNS
server. The client on the gateway is configured in such a way that the
private DNS server is first asked, which then may pass the enquiry on to
the public DNS server. For external computers, the public DNS server is
the primary DNS server for the protected network. However, it only
contains the entries of the computers which are to be made known to the
outside world.