pf/nat/dns setup question

ramrunner
Hey list! If you can spare some time, read the following :)
I have a domain living inside a very, very insecure university network that is
administered by some morons. It is highly compromised in many layers,
but I can't touch it.
So I have a NATing firewall and I am running my services behind that.
Notice here that my domain resolves to some .org having nothing to do
with the network I live in.
It seems logical to try to depend as little as possible on their
servers, with the exception of their
gateway (I have to pass through :( ).
To access my internal boxen I am using rdr on different gw ports to
internal sshds.
All my machines have my internal NS and some
top-level ones in their resolv.conf.
(I thought that this would protect me from querying the insecure parent NS.)
But when I tried to connect at first, I noticed that my sshd was too
slow in responding for auth.
This of course is related to domain services not passing correctly through the fw.
But I explicitly permitted outgoing domain packets for the top-level NSs.
Watching the logs, I noticed that sshd tried to contact the insecure
parent NS although there was no mention
of it in any resolv.conf. (It has to resolve the route? Didn't know that...)
So the question is...
If I instruct my internal NS to resolve a part of the network I live
in, could I stop communicating
with their piece of junk? (Although I find that an ugly solution :( )
Maybe I've got it all wrong??
Thanks :)
DsP
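Editor's note, not part of the post above: the stall on login is sshd's reverse lookup of the connecting address (turned off with `UseDNS no` in sshd_config), and a recursive resolver asked for the in-addr.arpa name of an address in the university range will typically be referred to whatever nameservers that range is delegated to, which is how the parent NS gets contacted without appearing in any resolv.conf. The pf.conf fragment below is an added example, written for this page in the old `rdr`/`nat` syntax the poster uses (OpenBSD 4.7 and later write these as `rdr-to`/`nat-to` on `pass`/`match` rules). It pins all outbound DNS to the internal resolver and its chosen upstreams and logs anything else, so a stray lookup toward the university NS shows up in `pflog` instead of leaving. Interface names, the 192.168.10.0/24 addressing, the 2201/2202 ports and the 203.0.113.x upstream addresses are invented placeholders.

```pf
# Added example for this thread, not the poster's configuration.
# Interfaces, addresses and ports are placeholders (assumptions).
ext_if  = "xl0"              # faces the university gateway
int_if  = "xl1"              # internal LAN
int_net = "192.168.10.0/24"
int_ns  = "192.168.10.2"     # the trusted internal resolver
ssh_a   = "192.168.10.11"    # internal boxen reached via rdr
ssh_b   = "192.168.10.12"

# Only these may be asked by the internal NS; everything else on port 53
# leaving the network is blocked and logged. (203.0.113.0/24 is a
# documentation range standing in for real upstream resolvers.)
table <upstream_ns> persist { 203.0.113.53, 203.0.113.54 }

set skip on lo
scrub in all

# Hide the LAN behind the gateway-facing address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Different gateway ports map onto the internal sshds (old-style rdr).
rdr on $ext_if proto tcp from any to ($ext_if) port 2201 -> $ssh_a port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 2202 -> $ssh_b port 22

# Default deny, logged, so anything unexpected is visible in pflog.
block log all

# DNS policy. "quick" makes these decisions final regardless of later
# pass rules:
#  - the internal NS may talk to its upstreams;
#  - no other LAN host may send DNS outside the LAN;
#  - nothing, NAT'ed or local, may leave the gateway toward a nameserver
#    that is not in <upstream_ns>. A hit on either block rule is the
#    "who is still asking the parent NS?" check.
pass  in  quick on $int_if proto { tcp, udp } from $int_ns  to <upstream_ns>  port 53 keep state
block in  log quick on $int_if proto { tcp, udp } from $int_net to ! $int_net port 53
block out log quick on $ext_if proto { tcp, udp } from any to ! <upstream_ns> port 53

# LAN hosts go out normally (and reach the internal NS on the LAN).
pass in  on $int_if from $int_net to any keep state
pass out on $int_if keep state
pass out on $ext_if keep state

# ssh reaches the internal boxen only through the redirected ports;
# after rdr the filter sees the translated destination.
pass in on $ext_if proto tcp from any to $ssh_a port 22 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ssh_b port 22 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0 port 53` while logging in over ssh: if the internal NS still gets referred to the university's servers for the reverse zone, that traffic now hits the `block out log quick` rule on `$ext_if` rather than leaving, which answers the question of whether serving that reverse zone locally (or simply setting `UseDNS no`) is needed.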