Ideal location of external DNS

Adam Lang aalang at rutgersinsurance.com
Thu May 31 18:07:33 UTC 2001


I'd say anything on the firewall that does not specifically have to do with
the firewall should NOT be on it.  If someone gets root through that other
service, they can take down your firewall and then you are hosed.

Have the DNS server on a separate box behind the firewall.  Use port
forwarding/NAT to route queries over port 53 to the internal box that houses
your DNS server.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "David Frank" <david at datachannel.com>
To: <bind-users at isc.org>
Sent: Thursday, May 31, 2001 1:41 PM
Subject: Ideal location of external DNS


> I have recently taken over for our Senior admin and have re-built all or
> our internal DNS servers. Our external DNS server also resides on our
> firewall (FYI). My issues are threefold.
>
> 1. The fact that we do not have redundancy is absurd, so I am going
> to build an external slave name server.
>
> 2. I need to figure out the most secure place to house the secondary
> external DNS server.
>
> 3. Is it really a good idea to have external DNS on our firewall
> box?
>
> My question is: What is the best scenario for external DNS; DMZ
> interface statically nat'd with DNS ports open through the firewall, or
> internal box statically nat'd with DNS ports open.
> I realize my experience is limited and these questions might seem
> trivial to some, but any assistance would be much appreciated.
>
> Thank you,
>
> David Frank
>
>
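The setup Adam describes (DNS on its own box behind the firewall, with port 53 forwarded to it) as an added example, not code from the original post or from either poster. It assumes a Linux firewall using iptables; the interface names (eth0 outside, eth1 inside) and addresses (192.0.2.10 from the documentation range as the public address, 10.0.1.53 for the inside DNS box) are placeholders. The function only emits the rules as text so they can be reviewed, or piped to sh, before anything is applied.

```shell
#!/bin/sh
# Added example: generate iptables rules that forward DNS queries arriving
# at the firewall's public address to a separate DNS server on the inside,
# and refuse DNS aimed at the firewall host itself.  Nothing here changes
# the running firewall; the output is plain text for review.
#
# Assumed values (not from the original thread):
EXT_IF="${EXT_IF:-eth0}"          # outside interface
EXT_IP="${EXT_IP:-192.0.2.10}"    # public address the NS records point at
INT_IF="${INT_IF:-eth1}"          # inside interface
DNS_IP="${DNS_IP:-10.0.1.53}"     # DNS box behind the firewall

# dns_forward_rules EXT_IF EXT_IP INT_IF DNS_IP
# Prints, for both UDP and TCP 53 (TCP is needed for large answers and
# zone transfers to the external slave):
#   1. a PREROUTING DNAT that rewrites the destination to the inside box,
#   2. FORWARD rules that allow exactly that traffic and its replies,
#   3. an INPUT DROP so the firewall host never answers on 53 itself.
dns_forward_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; dns_ip=$4
    for proto in udp tcp; do
        # Rewrite the destination before routing so the packet is
        # forwarded to the DNS box instead of delivered locally.
        echo "iptables -t nat -A PREROUTING -i $ext_if -p $proto -d $ext_ip --dport 53 -j DNAT --to-destination $dns_ip:53"
        # Permit only the translated queries inbound to the DNS box...
        echo "iptables -A FORWARD -i $ext_if -o $int_if -p $proto -d $dns_ip --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        # ...and the matching answers back out (conntrack un-NATs them).
        echo "iptables -A FORWARD -i $int_if -o $ext_if -p $proto -s $dns_ip --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
        # Anything on port 53 that was not DNAT'd is aimed at the firewall
        # itself; the firewall runs no DNS, so drop it.
        echo "iptables -A INPUT -i $ext_if -p $proto --dport 53 -j DROP"
    done
}

# Stand-alone use: print the rule set for the assumed addresses.
dns_forward_rules "$EXT_IF" "$EXT_IP" "$INT_IF" "$DNS_IP"
```

The FORWARD chain should have a default DROP policy for this to mean anything; the ACCEPT rules above then describe the only path from the outside to the inside box. If the internal DNS server is also the master for the external slave, the FORWARD rule for TCP 53 is what lets the slave pull zones, and `allow-transfer` in named.conf should be limited to the slave's address.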


