On Tue, 19 Sep 2000, BabuVS wrote:

> Hi,
>        I want to place my Primary DNS in DMZ and Secondary DNS in my local
> LAN (Behind Firewall). What services and ports I need to enable on the
> firewall.

This is generally a *very* bad idea.  That means that any DNS bug (and
over the last few years that's been quite a lot of bugs) can potentially
give an attacker direct access to a machine sitting on your local LAN.

It's a much better idea to harden individual servers that have publicly
accessible content (DNS, Web Servers...) and place them either outside the
firewall on a DMZ, or off a completely separate interface on the firewall
on a "Service Network."

It's also a bad idea to put both of your nameservers on the same network,
as a network, connection or gateway failure will result in total
nameservice failure.  This is especially bad if you've got outsourced Web
servers, backup mail exchangers or plan on such future growth.

DNS uses ports 53 for both the TCP and UDP protocols.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
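Firewall rules for the service-network layout Paul recommends, as an added example (not from the original thread): both nameservers sit on their own firewall interface, only port 53 over UDP and TCP reaches them, and the service network can never initiate traffic into the LAN, so a DNS bug on a server does not become a foothold on internal machines. It assumes iptables with interfaces eth0 (Internet), eth1 (service network) and eth2 (LAN), the constructed addresses 192.0.2.10 and 192.0.2.11 for the two nameservers, and an `IPT` variable that defaults to a dry run printing the commands.

```shell
#!/bin/sh
# Added example: iptables rules for two nameservers on a dedicated
# service network, with no path from that network into the LAN.
# Interface and address assignments are assumptions for illustration.
EXT=eth0          # Internet
SVC=eth1          # service network ("DMZ" off its own interface)
LAN=eth2          # internal LAN
NS1=192.0.2.10    # primary nameserver   (constructed address)
NS2=192.0.2.11    # secondary nameserver (constructed address)

# Dry run by default: print the commands instead of applying them.
IPT="${IPT:-echo iptables}"

dns_rules() {
    $IPT -P FORWARD DROP
    # Return traffic for connections the firewall already knows about.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    for ns in $NS1 $NS2; do
        # Queries from the Internet: port 53 over both UDP and TCP.
        $IPT -A FORWARD -i $EXT -o $SVC -d $ns -p udp --dport 53 -j ACCEPT
        $IPT -A FORWARD -i $EXT -o $SVC -d $ns -p tcp --dport 53 -j ACCEPT
        # Internal hosts resolve through the same servers.
        $IPT -A FORWARD -i $LAN -o $SVC -d $ns -p udp --dport 53 -j ACCEPT
        $IPT -A FORWARD -i $LAN -o $SVC -d $ns -p tcp --dport 53 -j ACCEPT
        # The servers need outbound DNS to resolve on behalf of clients.
        $IPT -A FORWARD -i $SVC -o $EXT -s $ns -p udp --dport 53 -j ACCEPT
        $IPT -A FORWARD -i $SVC -o $EXT -s $ns -p tcp --dport 53 -j ACCEPT
    done
    # Zone transfers between NS1 and NS2 stay on the service segment and
    # never cross the firewall; restrict them in the nameserver config.

    # The service network never initiates into the LAN: a compromised
    # nameserver gets no direct access to internal machines. Log first
    # so any such attempt shows up in the firewall log.
    $IPT -A FORWARD -i $SVC -o $LAN -j LOG --log-prefix "svc->lan: "
    $IPT -A FORWARD -i $SVC -o $LAN -j DROP
}

# Number of FORWARD rules a dry run emits, for checking the generated set.
rule_count() { dns_rules | grep -c -- '-A FORWARD'; }
```

Run with `IPT=iptables` as root to apply the rules; without it the script only prints them for review.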
