The Domain Name System wasn’t designed to work with Internet firewalls. It’s a testimony to the flexibility of DNS that you can configure DNS to work with, or even through, an Internet firewall.
That said, configuring the Microsoft DNS Server to work in a firewalled environment, although not difficult, takes a good, complete understanding of DNS. Describing it also requires a large portion of this chapter, so here’s a roadmap.
We start by describing the two major families of Internet firewall software: packet filters and application gateways. The capabilities of each family have a bearing on how you’ll need to configure your DNS servers to work through the firewall. The next section details the two most common DNS architectures used with firewalls (forwarders and internal roots) and describes the advantages and disadvantages of each. Finally, we discuss split namespaces and the configuration of the bastion host, the host at the core of your firewall system.
Before you start configuring your DNS servers to work with your firewall, it’s important that you understand what your firewall is capable of. Your firewall’s capabilities will influence your choice of DNS architecture and will determine how you implement it. If you don’t know the answers to the questions in this section, track down someone in your organization who does know and ask. Better yet, work with your firewall’s administrator when designing your DNS architecture ...