DNS with firewall configuration assistance required!
Ingo T. Storm
bind at computerbild.de
Wed Jun 14 07:44:06 UTC 2000
> I don't exactly understand the firewall architecture you're describing,
> but I can tell you that the nameserver never looks at resolv.conf.
LAN - internal DNS(s) - Bastion w/ ext. DNS - Internet
As in these architectures the bastion host will most probably be an MX relay
and proxy too, it uses the internal DNS.
> I don't know why the book doesn't recommend this. Perhaps it was written
> before it was feasible to run multiple nameserver instances on one box
> (using "listen-to", "pid-file" and so forth)?
Probably 'cause it's just more difficult to configure two named-s on one
machine than on two different machines.
> Do they perhaps think that hamstringing the bastion host like this
> -- making it dependent on another server and thus multiplying
> potential points-of-failure -- enhances security somehow?
I can see your point. But because you will have to have at least 2 internal
servers anyway, I don't buy it. I'd agree your suggested setup is "cleaner",
but I find the above (and mine;-) easier to handle. ndc with two named
processes is nothing I really fancy.
So let's just wait and see what BIND 9 has in store;-)
Cheers,
Ingo
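As an added illustration of the two-instances-on-one-host setup the quoted mail refers to (this is not part of Ingo's or the original poster's message, and every path, address and zone name in it is an assumption), here are minimal named.conf fragments for an external and an internal named on the same bastion host. The option the quoted mail calls "listen-to" is spelled `listen-on` in named.conf; `pid-file` is as named. 192.0.2.1 is a documentation-range example address and 10.0.0.0/8 stands for the internal LAN.

```conf
// ---- /etc/named-external.conf (assumed path) ----
// External instance: answers the Internet with public names only,
// never recurses on behalf of outside clients.
options {
    directory "/var/named/external";          // assumed path
    pid-file  "/var/run/named-external.pid";  // distinct pid file per instance
    listen-on { 192.0.2.1; };                 // outside interface only (example address)
    recursion no;                             // authoritative-only towards the Internet
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "db.example.com.external";           // public view of the zone only
};

// ---- /etc/named-internal.conf (assumed path) ----
// Internal instance: serves the LAN and the bastion's own processes
// (MX relay, proxy), recurses, and carries the internal names.
options {
    directory "/var/named/internal";          // assumed path
    pid-file  "/var/run/named-internal.pid";
    listen-on { 10.0.0.1; 127.0.0.1; };       // inside interface and loopback only
    recursion yes;
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
};

zone "example.com" {
    type master;
    file "db.example.com.internal";           // internal names; never reachable from outside
};
```

Each instance is started with its own configuration (`named -c /etc/named-external.conf` and `named -c /etc/named-internal.conf`), and the bastion's own /etc/resolv.conf points at 127.0.0.1, i.e. the internal instance, which is exactly why the quoted remark that named itself never reads resolv.conf matters here: only the bastion's other services use it. The two listen-on sets must not overlap, or the second instance fails to bind; in BIND 9 `named-checkconf` on each file catches syntax errors before start-up, and each instance additionally needs its own control channel (separate `controls` port for rndc), which is the management overhead Ingo mentions with ndc.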