Whoa whoa whoa...

First of all, you _need_ to run DNS on the firewall for external DNS to work
at all. This is all as it should be because it's not a packet filter,
remember? DNS is what some people have called a "self proxying service" in
that you use DNS servers to proxy DNS requests. So yes - Gauntlet has a DNS
proxy in that sense. [1]

Sure you _could_ hack in packet filter rules to allow DNS requests in and
out to your internal DNS server - hell, why not just allow ICQ while you're
at it?

In other words - answer to the first part of the question - it's a Good
Idea.

However, it is bad bad bad to use the firewall as your DNS server for the
outside world - read the documentation that came with the firewall and it
will tell you that quite clearly.

I guess the "recommended" config is to run a DNS in the DMZ if you're
providing your own DNS. I always con a friendly ISP into running the primary
unless changes will be constant.

On a sadder note, I'm having the same problem as Bernd in that I can't get
MS DNS to forward through the MS DNS on the firewall yet (the server
originating requests is a full production box so I haven't downed it to try
SPs yet 8b ). The config I'm running to tide me over is to run the DNS ONLY
on the internal interface (as has been mentioned) and not to keep any DNS
info about internal hosts - it doesn't even have a "zone". It just forwards
to the outside world as a slave. This may or may not be possible for you (I
can get away with it because it's all MS stuff and I can use WINS).

I love the term "cache poisoning" - it's one of the things I talk vaguely
about with non-computer friends to make it sound like I'm in some exciting
espionage world instead of boring computer rooms ;)


[1] Yeah, that's flippant. I can think of some cases where it would be cool
to proxy UDP to a Unix box running BIND or something. However, the ONLY
reason to write such a proxy would be because there was no native DNS server
that runs on the firewall that was any good, and that might be politically
difficult to say for NAI.
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520

        -----Original Message-----
        From:   Bernd Eckenfels [SMTP:[EMAIL PROTECTED]]
        Sent:   Friday, May 07, 1999 6:47 AM
        To:     Sloan, Scott
        Cc:     Firewalls (E-mail)
        Subject:        Re: Microsoft DNS

        On Thu, May 06, 1999 at 12:05:34PM -0400, Sloan, Scott wrote:
        > Would I run into a risk running Microsoft's DNS caching service on a
        > Gauntlet NT firewall box?  Would it be possible for someone to poison my
        > cache?  If so, what's the best configuration?

        I have problems with my forwarders; it keeps forgetting them every time I open
        the DNS admin... Unfortunately on that box I can't use SP3 or SP4... DLLs
        are grand broken, but it's my primary intranet server, so I am stuck
        fixing that every now and then... Perhaps it's a warning for you... You can
        on the other hand use BIND...

        Is there no DNS Proxy in Gauntlet?!? I mean a firewall which costs more than
        a small car...

        Greetings
        Bernd
        -
        [To unsubscribe, send mail to [EMAIL PROTECTED] with
        "unsubscribe firewalls" in the body of the message.]
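The "tide me over" setup Ben describes above (a DNS server that listens only on the inside interface, holds no zone data at all, and forwards everything to the outside world) written out as a BIND named.conf. This is an added example, not Ben's configuration and not anything shipped with Gauntlet; the inside interface address, the inside network and the forwarder addresses are placeholders. In BIND 4 terms the forward-everything behaviour was the `slave` directive; in BIND 8/9 it is `forward only`.

```conf
// Added example: forward-only caching resolver bound to the firewall's
// inside interface. Not from the thread; all addresses are placeholders.
options {
    directory "/var/named";

    // Listen on the inside interface only (placeholder address); the
    // outside interface never answers on port 53 on this host.
    listen-on { 192.0.2.1; };

    // Hand every query to outside resolvers (placeholder ISP/DMZ
    // addresses). "forward only" is the BIND 8/9 spelling of what BIND 4
    // called "slave": never chase referrals yourself, so no root hints
    // zone is needed.
    forward only;
    forwarders { 198.51.100.53; 198.51.100.54; };

    // Only inside clients (placeholder network) may query or recurse
    // through this server; outside hosts get REFUSED.
    allow-query     { 192.0.2.0/24; 127.0.0.1; };
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };

    // Nothing to transfer, and nobody should be asking.
    allow-transfer { none; };
};

// Deliberately no zone statements: this server holds no records about
// internal hosts (Ben resolves those with WINS) and no outside-facing
// zones, which belong on the DNS server in the DMZ.
```

With no authoritative data and recursion limited to inside addresses, an outside host can neither query this server nor make it go and fetch records on its behalf, which removes the easiest way of getting forged answers into its cache; what remains in the cache is whatever the forwarders return, so those should be resolvers you run or your ISP runs for you, not arbitrary public ones. Later BIND 9 releases also randomise the source port of outgoing queries, which makes blind forgery of responses to the cache much harder than it was with the fixed-port resolvers of this era.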