Cashing DNS, Wingate DNS and security policy!

[Deju]

Hi!

Wingate 6.1.2 Ent. (2 NICs WAN, LAN 192.168.1.1) with services:
- Web Proxy
- FTP Proxy
- ENS (NAT)
- DNS Service
- Remote Control (for managing)
System Policy -default; I entered all users in Wingate and assumed them to their ip. All users have static ip (subnet 192.168.1.0)
I have DNS Server on ip 192.168.1.100 (also assumed as user "DNS"). I setup it as cash DNS server and all requests it forward to Wingate DNS. Everything works well, but..... Sometimes I have problems in resolving names(I don't know why?), and internal DNS wants to connect to inernet (by NAT) to DNS servers which I setup as additional servers for forwarding. But I restrict to connect users from LAN to port 53 (TCP) (security..). How can I permit it only for my DNS server and only to providers ip-adress?????

[adrien]

Hi

If you want to only allow your DNS server to use NAT to connect to a specific DNS server on the internet, you need to figure out what sort of other access you want to allow other clients.

For example, the default policies for NAT allow all access. To restrict users so only the DNS server can access Internet DNS, then you need to remove the access to DNS for other users first.

For example, change your policies for ENS so that

recipient 1.
* can do anything except where protocol is UDP and destination port is 53

recipient 2
* can do anything, where source IP is your DNS server.


How do you have your policies set up for NAT at the moment?

[Deju]

adrien, thanx!

at that moment.. any user from LAN can connect only on ports 80, 443, 21 by Proxy and on port 1630 by NAT (we have another office, and this port is using for special application).

Computer with DNS server have only to access DNS ports, SNTP ports of time servers by NAT.
Other users have only to access one machine in Internet by NAT(domain:port )!!

Mail Server (Mdaemon) is on WG machine.(default gateway for users)