SECTION E - NAME SERVICE

  1. Hosts on our internal network use DHCP to obtain their IP addresses, but CEQURUX Firewall/VPN seems to want fixed host name to address bindings. What do we do?

    At present, DHCP is only useful for clients to request an address, so CEQURUX Firewall/VPN cannot determine the address of a host by querying the DHCP server. You could enter all the possible addresses in the Local Hosts Setup screen (using dummy names). Until such time as DHCP has been extended to support server-to-server queries (which should be in the works), there are several ways in which the problem can be addressed:

    • CEQURUX Firewall/VPN could act as the DHCP server. In principle this can be done, but in practice the problem normally arises in situations where it is necessary or desirable to have an NT server doing this, so we have not added such a capability yet.

    • CEQURUX Firewall/VPN can get Windows '95 or WfW login names from hosts that request service using NetBIOS.

    • The most practical approach at present is to set up most of the access rights on CEQURUX Firewall/VPN using network addresses rather than host addresses, and to do the fine-grained control using trusted users and the cdsauth.exe utility. The main drawback here is that S/Key passwords need to be maintained for the trusted users. You can reduce how often this is needed by increasing the cache time used by the authentication daemon, or by using RSA public/private keys. This is usually not a big problem except where quite a variety of different access rights for different internal users has to be set up.

  2. Does CEQURUX Firewall/VPN's DNS server hide internal addresses from the outside world?

    Yes. In most configurations, CEQURUX Firewall/VPN uses separate DNS servers for the inside and the outside. DNS lookups that are received from internal hosts that are for hosts within your domain are relayed to the internal server, while other requests are relayed to the external server. Furthermore, either or both of the DNS servers can run on the firewall itself, simply by entering the address 127.0.0.1 as the server address in the config.
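    The relay decision described in this answer, written out as an added example (this is not CEQURUX code, and the domain names, network ranges and server addresses are constructed for illustration). It shows why the suffix match has to be label-aware: a query for 'notexample.com' from an internal host must not be treated as part of 'example.com', and a query from an outside address never reaches the internal server whatever name it asks about.

```python
import ipaddress

# Constructed configuration for this example (not a CEQURUX config format):
# the firewall's own domain(s), the internal address space, and the two
# servers. A server address of 127.0.0.1 means "run it on the firewall
# itself", as the answer above describes.
INTERNAL_DOMAINS = ("example.com",)
INTERNAL_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16"))
INTERNAL_DNS = "10.0.0.53"   # internal server, holds the private records
EXTERNAL_DNS = "127.0.0.1"   # external server, runs on the firewall


def _labels(name):
    """Normalise a DNS name to lower-case labels without the trailing dot."""
    return name.rstrip(".").lower().split(".")


def in_domain(qname, domain):
    """Label-aware suffix test: 'host.example.com' is within 'example.com',
    'notexample.com' is not, although a plain str.endswith() would say it is."""
    q, d = _labels(qname), _labels(domain)
    return len(q) >= len(d) and q[-len(d):] == d


def is_internal_client(client_ip):
    """True when the querying host sits on one of the internal networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def choose_server(qname, client_ip):
    """Decide which DNS server a query is relayed to.

    Only a query that comes from an internal host *and* asks about a name in
    one of our own domains reaches the internal server. Everything else,
    including every query from outside, goes to the external server, so the
    internal database is never consulted on behalf of an outside client.
    """
    if is_internal_client(client_ip) and any(in_domain(qname, d) for d in INTERNAL_DOMAINS):
        return INTERNAL_DNS
    return EXTERNAL_DNS


def runs_on_firewall(server):
    """True when the configured server address means 'the firewall itself'."""
    return ipaddress.ip_address(server).is_loopback


if __name__ == "__main__":
    for qname, client in [("www.example.com", "10.1.2.3"),
                          ("www.example.com", "203.0.113.9"),
                          ("notexample.com", "10.1.2.3"),
                          ("www.iana.org", "10.1.2.3")]:
        print(f"{qname:20} from {client:13} -> {choose_server(qname, client)}")
```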


  3. Does CEQURUX Firewall/VPN support secondary name servers?

    Yes, you can have secondary name servers that do zone transfers from the firewall. However, you cannot configure the firewall to be an external secondary, as this could be dangerous (actually, this can be done, but only through custom DNS extensions, and not using the normal admin programs).


  4. I've heard that CEQURUX Firewall/VPN supports something called 'distributed DNS'. What is this?

    CEQURUX Firewall/VPN supports DNS lookups across virtual private networks. You can have several CEQURUX Firewall/VPNs, all in the same domain, making up a VPN, and maintain a separate DNS database for each one containing only the DNS records for the hosts that reside behind it. If a host name or address lookup fails, a CEQURUX Firewall/VPN can tunnel the request across the VPN to the remote CEQURUX Firewall/VPNs to see if one of them can satisfy it. This can greatly simplify the DNS administration of domains that are geographically widely spread.

    Alternatively, you can have your internal name servers do zone transfers across the VPN, but this does require one primary server with all the domain information.


  5. How do I configure secondary DNS servers for virtual domains?

    If you would like additional NS records in your primary domain, it is easy: add them to the screen 'Secondary Servers' under 'Name Service' in fwadmin.

    If you would like additional NS records in your secondary domains (virtual domains), it's a bit more work. For each secondary server in each virtual domain you have to do two things (assume that this virtual domain is called 'test.com' and the secondary server is 'ns5.com'):
        - Add the secondary server to the screen 'ZoneTrns Hosts' under 'Name Service' in fwadmin.
        - Edit the file /usr/local/custom/db.test.com.outside (creating it if it doesn't exist), and add a line like this:

    test.com.    IN    NS    ns5.com.

    Remember to substitute 'test.com' and 'ns5.com' with entries appropriate to your setup.
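    Because the two steps above have to agree for every secondary of every virtual domain, it is easy to end up with an NS record whose server is not allowed to transfer the zone, or a host left on 'ZoneTrns Hosts' that no domain names as a secondary any more. The following added example (not CEQURUX code; the ZoneTrns list is assumed here to be a plain list of host names, the zone files are assumed to contain only the one-line record form shown above, and all domain and server names are constructed) renders the record lines in that form and cross-checks the two lists, reporting what still has to be added and which transfer permissions have no corresponding NS record.

```python
# Constructed sample data for the example: two virtual domains, the current
# 'ZoneTrns Hosts' list and the current contents of the outside zone files.
SAMPLE_VIRTUAL_DOMAINS = {
    "test.com": ["ns5.com"],
    "example.net": ["ns5.com", "ns6.example.org"],
}
SAMPLE_ZONETRNS_HOSTS = ["ns5.com", "old-ns.example.org"]
SAMPLE_ZONE_TEXTS = {
    # db.test.com.outside already carries the record; db.example.net.outside
    # does not exist yet (no entry).
    "test.com": "test.com.    IN    NS    ns5.com.\n",
}


def _norm(name):
    """Lower-case, no trailing dot: the form used for comparisons."""
    return name.rstrip(".").lower()


def ns_record(domain, server):
    """Render the record line shown above, with absolute (dot-terminated) names."""
    return f"{_norm(domain)}.    IN    NS    {_norm(server)}."


def existing_ns(zone_text, domain):
    """NS targets already declared for `domain` in an outside zone file.
    Only the simple '<owner> IN NS <target>' form is parsed; ';' comments
    are dropped first."""
    found = set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if (len(fields) >= 4 and fields[1].upper() == "IN"
                and fields[2].upper() == "NS" and _norm(fields[0]) == _norm(domain)):
            found.add(_norm(fields[3]))
    return found


def plan(virtual_domains, zonetrns_hosts, zone_texts, primary_secondaries=()):
    """Work out what is still missing for each virtual domain's secondaries.

    virtual_domains:     {domain: [secondary server names]}
    zonetrns_hosts:      names currently on the 'ZoneTrns Hosts' screen
                         (assumed to be a plain list of host names)
    zone_texts:          {domain: current text of db.<domain>.outside};
                         a domain with no file simply has no entry
    primary_secondaries: the primary domain's own secondaries, which belong
                         on ZoneTrns Hosts but need no record in these files
    Returns the lines to append per zone file, the secondaries not yet
    allowed to transfer, and the ZoneTrns hosts that no domain names as a
    secondary (a transfer permission with no purpose is worth removing).
    """
    allowed = {_norm(h) for h in zonetrns_hosts}
    wanted = {_norm(h) for h in primary_secondaries}
    append, missing = {}, set()
    for domain, servers in virtual_domains.items():
        present = existing_ns(zone_texts.get(domain, ""), domain)
        lines = []
        for server in servers:
            s = _norm(server)
            wanted.add(s)
            if s not in allowed:
                missing.add(s)
            if s not in present:
                lines.append(ns_record(domain, s))
        append[domain] = lines
    return {"append": append,
            "missing_zonetrns": missing,
            "unused_zonetrns": allowed - wanted}


if __name__ == "__main__":
    result = plan(SAMPLE_VIRTUAL_DOMAINS, SAMPLE_ZONETRNS_HOSTS, SAMPLE_ZONE_TEXTS)
    for domain, lines in result["append"].items():
        print(f"db.{domain}.outside needs:", lines or "nothing")
    print("add to ZoneTrns Hosts:", sorted(result["missing_zonetrns"]))
    print("ZoneTrns Hosts with no NS record:", sorted(result["unused_zonetrns"]))
```

    Run against the sample data it reports that db.test.com.outside is complete, that db.example.net.outside needs both records, that ns6.example.org still has to be added to 'ZoneTrns Hosts', and that old-ns.example.org is permitted to transfer zones without being a secondary for anything.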
