The outside-the-firewall servers should not know anything about
the DNS of your inside-the-firewall. They should know only as
much as the other machines on the Internet.
One way to set this up is to have your firewall run DNS, as
caching only, run your /etc/resolv.conf pointing to your inside
DNS, run your inside DNS as forwarding to the firewall.
Requests that originate on the firewall go to the inside DNS, then
through the firewall if they are for non-inside names.
-----Original Message-----
From: Bennett Samowich [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 07, 2000 10:42 AM
To: Firewalls
Subject: Who provides DNS for the perimeter?
Greetings,
I have set up a perimeter network with a "fake" DNS server as described in
"Building Internet Firewalls". My question is this:
Where should a perimeter server (mail/web/other) get its DNS?
My thought is this:
If the server uses the internal DNS, a compromised server then knows
the internal topology. Not to mention the possibility of exploits into
the internal network.
If the server uses the "fake" DNS then it knows nothing of the internal
addresses. This may or may not be a problem, but that is how I came to
this question.
Thanks in advance,
- Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
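The arrangement described in the reply at the top of this thread (firewall runs a caching-only name server, the firewall's own resolv.conf points at the inside DNS, the inside DNS forwards everything it is not authoritative for back to the firewall, and perimeter hosts use only the "fake" external DNS) written out as BIND 9 and resolv.conf fragments. This is an added example, not configuration from either poster or from "Building Internet Firewalls"; every address, the zone name corp.example and the file names are constructed placeholders (10.0.0.0/8 inside, 192.0.2.0/24 perimeter), and the script writes the fragments to a directory of your choosing for review rather than touching the live system.

```shell
#!/bin/sh
# Added example: writes the DNS config fragments for a split setup to a
# directory for review. All addresses and names are constructed placeholders:
#   10.0.0.0/8    inside network (RFC 1918)
#   10.0.0.1      firewall, inside leg
#   10.0.0.53     inside DNS server
#   192.0.2.0/24  perimeter network (RFC 5737 documentation range)
#   192.0.2.53    "fake" external DNS server on the perimeter
#   corp.example  placeholder internal zone

write_dns_configs() {
    outdir="$1"
    mkdir -p "$outdir" || return 1

    # 1. Firewall: caching-only BIND. It holds no data about the inside and
    #    recurses only for inside clients, so a perimeter host that queries it
    #    gets nothing that any Internet host could not get.
    cat > "$outdir/firewall-named.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-transfer  { none; };
    listen-on       { 127.0.0.1; 10.0.0.1; };
};
zone "." { type hint; file "named.root"; };
EOF

    # 2. Inside DNS: authoritative for the internal zone, forwards everything
    #    else to the firewall. "forward only" means it never contacts the
    #    Internet itself; queries and transfers are limited to inside addresses,
    #    so a compromised perimeter host cannot pull the internal topology.
    cat > "$outdir/inside-named.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    forwarders      { 10.0.0.1; };
    forward only;
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-transfer  { none; };
};
zone "corp.example" { type master; file "corp.example.zone"; };
EOF

    # 3. Firewall's own resolver: ask the inside DNS, which answers inside
    #    names itself and forwards the rest back to the firewall's cache.
    cat > "$outdir/firewall-resolv.conf" <<'EOF'
search corp.example
nameserver 10.0.0.53
EOF

    # 4. Perimeter (mail/web) hosts: only the "fake" external DNS, never an
    #    inside address.
    cat > "$outdir/dmz-resolv.conf" <<'EOF'
nameserver 192.0.2.53
EOF
    echo "$outdir"
}

# Review checks: the inside server must forward only and point at the
# firewall, and no perimeter address may appear in either named.conf.
check_dns_configs() {
    dir="$1"
    grep -q '^ *forward only;' "$dir/inside-named.conf" || return 1
    grep -q '10\.0\.0\.1;' "$dir/inside-named.conf" || return 1
    ! grep -q '192\.0\.2' "$dir/firewall-named.conf" || return 1
    ! grep -q '192\.0\.2' "$dir/inside-named.conf" || return 1
    ! grep -q '10\.' "$dir/dmz-resolv.conf" || return 1
    return 0
}
```

Run `write_dns_configs /tmp/dns-review && check_dns_configs /tmp/dns-review` to generate and sanity-check the fragments; once BIND is installed, `named-checkconf` on each named.conf catches syntax errors before deployment. Packet filtering on the firewall should match the configs: permit UDP/TCP 53 from 10.0.0.53 to 10.0.0.1 and from 10.0.0.1 to the Internet, and nothing from 192.0.2.0/24 toward 10.0.0.0/8.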