> Then bind 'named' (or whatever DNS server you are using), to the internal
> NIC only.
>
> Now, internal requests will never leave your internal network and you
> don't have to futz with resolv.conf and no one on the outside of the
> network will be able to query it.
>
> The downside to this is that you have to maintain two separate DNS
> servers, one for the public world and one for your internal private
> network.

As this is a firewall box, it's a good idea that it's done this way.  In
order for the outside world to make queries to that box, you'd have to
leave UDP port 53 open.  Most stateless packet filter firewalls for Linux
(2.2.x) will let attackers walk right through UDP 53 because of that.

tack
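An added example, not part of this thread, showing one way to check that a BIND `named.conf` actually implements the "bind named to the internal NIC only" setup described above. It is a small audit script that reads the `listen-on` and `allow-query` option lists and reports anything that would expose the resolver beyond the internal network. The two configurations and the internal address range (192.168.1.0/24 and loopback) are constructed for the example; the option names and the `{ ...; };` list syntax are BIND's.

```python
"""Audit a BIND-style named.conf for the 'internal interface only' setup.

Constructed example: checks that listen-on and allow-query are restricted
to internal addresses rather than 'any' (which would listen on the external
NIC of a firewall box and answer the outside world).
"""
import ipaddress
import re

# Constructed internal ranges for this example (assumption, not from the thread).
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample: listens on every interface and answers anyone (weak).
WEAK_CONF = """
options {
    directory "/var/named";
    listen-on { any; };
    allow-query { any; };
};
"""

# Constructed sample: bound to loopback and the internal NIC address only,
# and queries limited to the internal network.
HARDENED_CONF = """
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-query { 127.0.0.0/8; 192.168.1.0/24; };
};
"""


def parse_option_list(conf, name):
    """Return the address-match list for option `name`, e.g. ['any'] or
    ['127.0.0.1', '192.168.1.1'].  Returns None when the option is absent.
    Handles an optional 'port N' clause; a 'listen-on-v6' line does not
    match a search for 'listen-on' because '-v6' is not whitespace."""
    pattern = r"\b" + re.escape(name) + r"\s*(?:port\s+\d+\s*)?\{([^}]*)\}\s*;"
    m = re.search(pattern, conf)
    if m is None:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def is_internal(entry):
    """True if an address-match entry stays within INTERNAL_NETS.
    'none' exposes nothing; 'any' exposes everything; named ACLs or
    negations are unknown here and therefore treated as not internal."""
    if entry == "none":
        return True
    if entry == "any":
        return False
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def audit(conf):
    """Return a list of findings; an empty list means the config is restricted
    to internal addresses on both the socket and the query ACL."""
    findings = []
    listen = parse_option_list(conf, "listen-on")
    if listen is None:
        # Per the BIND ARM, omitting listen-on means port 53 on all IPv4 interfaces.
        findings.append("listen-on missing: BIND defaults to all IPv4 interfaces")
    else:
        bad = [e for e in listen if not is_internal(e)]
        if bad:
            findings.append(f"listen-on includes non-internal entries: {bad}")
    allow = parse_option_list(conf, "allow-query")
    if allow is None:
        findings.append("allow-query missing: relies on the version's default ACL")
    else:
        bad = [e for e in allow if not is_internal(e)]
        if bad:
            findings.append(f"allow-query includes non-internal entries: {bad}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

The check on the socket (`listen-on`) is the one that matters for the firewall point in the reply: even with a strict `allow-query`, a daemon listening on the external NIC still needs UDP 53 open on that side, whereas a daemon bound only to the internal address never requires that hole in the filter.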
