On Fri, 7 Jan 2000, Bennett Samowich wrote:
> Greetings,
>
> I have set up a perimeter network with a "fake" DNS server as described in
> "Building Internet Firewalls". My question is this:
What does BIF describe as a "fake" DNS?
> Where should a perimeter server (mail/web/other) get its DNS?
How much data does it need to get, and how authoritative should it be?
If it goes to an internal server or a secure external server you can take
over domains if necessary. If you don't want it to do that, then why
not have it do its own DNS and run a caching server locally?
> My thought is this:
> If the server uses the internal DNS, a compromised server then knows
> the internal topology. Not to mention the possibility of exploits into
> the internal network.
If you're using BIND8 internally, you can stop queries for internal zones
for the external server. I typically use a fake TLD for internal hosts
(which makes life much easier when people mail around internal URLs), so
putting access restrictions on those zones is fairly easy.
> If the server uses the "fake" DNS then it knows nothing of the internal
> addresses. This may or may not be a problem, but that is how I came to
> this question.
IMO, Web servers shouldn't use DNS at all. Mail servers need DNS, and
they need to know about machines they need to reach. In the case of a
heavily used server you'll want to cache locally anyway, so why not just
point it at the root servers and be done with it?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
[EMAIL PROTECTED]
PSB#9280
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
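The split described in the reply above, written out as an added example (not configuration from the original post or from "Building Internet Firewalls"): an internal BIND 8 named.conf that refuses queries for the internal zones from anything outside the internal network, followed by a caching-only named.conf for the perimeter mail host that goes straight to the root servers. The fake TLD "corp.internal", the internal net 10.0.0.0/8 and the perimeter net 192.0.2.0/24 are constructed for the example.

```conf
// --- named.conf on the INTERNAL server (BIND 8 syntax) ---
// Constructed assumptions: internal hosts live under the fake TLD
// "corp.internal" on 10.0.0.0/8; perimeter hosts are 192.0.2.0/24.
acl internal-nets { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Recursion and ordinary lookups are for internal clients only;
    // the perimeter hosts run their own cache (see second file).
    allow-query { internal-nets; };
};

zone "corp.internal" {
    type master;
    file "db.corp.internal";
    // The zone-level ACL is what hides the internal topology: a
    // perimeter host (or an attacker on it) gets REFUSED here even if
    // the global allow-query above is later loosened.
    allow-query { internal-nets; };
};

zone "10.in-addr.arpa" {
    type master;
    file "db.10";
    // Reverse zone gets the same restriction, or PTR lookups would
    // leak the internal host names the forward zone hides.
    allow-query { internal-nets; };
};

// --- named.conf on the PERIMETER mail host (separate machine) ---
// Caching-only resolver: no internal zones, no internal forwarders,
// answers only itself, and resolves from the root hints directly.
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };
    allow-query { 127.0.0.1; };
    recursion yes;
};

zone "." {
    type hint;
    file "root.hints";   // the standard root name server hints file
};
```

Point the mail host's /etc/resolv.conf at 127.0.0.1 so it never asks the internal server; a compromise of that host then yields only its own cache, not the internal zone data.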