> -----Original Message-----
> From: j2 [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 19, 2000 8:40 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Ports for DNS
> 
> 
> > > I want to place my Primary DNS in DMZ and Secondary DNS 
> in my local
> > > LAN (Behind Firewall). What services and ports I need to 
> enable on the
> > > firewall.
> 
> If I have missed something let me know...but why in the name 
> of creation do
> you need 2 DNS servers..let alone 1 outside the firewall????!?!?
> Like
> leaving a jar of honey sitting near an anthill...

Generally accepted best practices call for every domain to have 2
separate DNS servers, preferably with distinct connections to the
internet. That's so when one goes down, there's still an authoritative
nameserver (although nowadays, most places cache for a long long time,
still).

Putting them outside the firewall (or at least on a less trusted
segment, known in marketing parlance as a DMZ) is the ONLY sensible
thing to do. After all, you HAVE to give the outside world access to
them, which means that someone is going to try to do one of the many
many exploits available against them. If (When) they succeed, you
don't want them to be on your internal LAN.

Any publicly accessible server is equivalent to a jar of honey near an
anthill; for that reason, you put only one jar of honey, not the whole
stock, where the ants can get to it. And preferably, you pay close
attention to who/what has been poking their noses in it. :-).

Henry
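As an added illustration of the placement Henry argues for (this is example code, not from the thread or any firewall product): both authoritative nameservers sit in the DMZ, the Internet may reach them only on DNS ports, internal hosts may query them, and nothing in the DMZ may initiate a connection into the LAN. The zone names, rule format and sample traffic are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # originating zone: "internet", "dmz", "lan" or "any"
    dst: str      # destination zone
    proto: str    # "udp", "tcp" or "any"
    dport: int    # destination port; 0 matches any port
    action: str   # "allow" or "deny"
    note: str = ""

# First-match policy; the last rule is the default deny.
POLICY = [
    # Outside resolvers query the public nameservers: DNS is UDP/53,
    # falling back to TCP/53 for answers too large for a UDP reply.
    Rule("internet", "dmz", "udp", 53, "allow", "public DNS queries"),
    Rule("internet", "dmz", "tcp", 53, "allow", "truncated/large answers"),
    # Internal hosts resolve against the same servers.
    Rule("lan", "dmz", "udp", 53, "allow", "internal resolver queries"),
    Rule("lan", "dmz", "tcp", 53, "allow", "internal resolver queries"),
    # No rule permits dmz -> lan: a compromised nameserver (the jar of
    # honey) cannot open anything toward the internal network.
    Rule("any", "any", "any", 0, "deny", "default deny, logged"),
]

def evaluate(src, dst, proto, dport, policy=POLICY):
    """Return (action, note) of the first rule matching the attempt."""
    for r in policy:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.proto in (proto, "any") and r.dport in (dport, 0)):
            return r.action, r.note
    raise ValueError("policy must end with a catch-all rule")

def denied(attempts, policy=POLICY):
    """Return the attempts the policy drops: the log worth watching
    for who has been poking their nose into the public servers."""
    return [a for a in attempts if evaluate(*a, policy=policy)[0] == "deny"]

if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real firewall.
    sample = [("internet", "dmz", "udp", 53), ("internet", "dmz", "tcp", 22),
              ("dmz", "lan", "tcp", 53), ("lan", "dmz", "udp", 53)]
    for attempt in denied(sample):
        print("DROP", attempt)
```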