Not to state the obvious, but for the benefit of all: I use two DNS servers,
as Tony suggested. One DNS is behind the firewall and is used by internal
workstations and servers. The other DNS is outside the firewall, on the
DMZ. These two DNS servers DO NOT exchange zone information with each other.
The ONLY records on the outside DNS are the ones necessary for communication
to hosts available externally to the company. That way there is no chance of
learning the internal network infrastructure by compromising the outside
DNS. I realize that this results in a larger administrative overhead and a
slightly higher cost, but it really is not that much when you consider what
kind of security it gives you to leave the outside queries, well, outside the
firewall. As Tony points out, if you compromise the external server, you
still have to get through the firewall.

Lance


----- Original Message -----
From: "Tony Rall" <[EMAIL PROTECTED]>
To: "Edward Ingram" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, April 12, 2001 9:12 PM
Subject: Re: Which port(s) to allow through for DNS server


>
> Have you looked at your firewall logs to see what might be getting
> blocked?
>
> To fully support dns you should allow both 53/udp and 53/tcp into your
> nameserver.  (Please, list, let's not argue once again about the need for
> tcp - it's required by the RFCs and some things break if you don't allow
> it.)
>
> And, of course, you must allow the response traffic back out - source port
> 53 on your nameserver, any destination port.
>
> You should be aware that running a nameserver this way (inside the
> firewall, but allowing queries from the Internet) exposes your internal
> network more than most of us would accept.  It was just a few weeks ago
> that a bind daemon compromise was found for most then extant versions.
> Better security is obtained by running a separate nameserver on your dmz
> (outside your main firewall).  Yes, such a server is still exposed, but if
> it's compromised the attacker still has to get through the firewall to
> feast on your internal network.
>
> Tony Rall
>
>
> "Edward Ingram" <[EMAIL PROTECTED]>@Lists.GNAC.NET on 2001-04-12 17:42:03:
>
> I have a DNS server inside our firewall.  People outside the firewall
> (Universe) need to access this DNS server to resolve requests.  I've tried
> opening up UDP 53 on the firewall, but requests still aren't going
> through.  I know the DNS server is working because it fulfills requests
> sent to it from clients on the inside of the firewall.  Is that the right
> port to use?
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

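Tony's rules (53/udp and 53/tcp inbound to the nameserver, replies from source port 53 back out) are easy to get half right, and the usual symptom of blocking 53/tcp is that only some names fail. The following is an added example, not code from anyone in this thread: it builds a DNS query in RFC 1035 wire format, shows the one framing difference between the UDP and TCP transports (the 2-byte length prefix), and checks the TC bit in a UDP reply, which is what tells a resolver it must repeat the question over TCP. The `query()` function performs the real exchange against a server you name; the name `www.example.com` and the `make_response()` helper are constructed test data so the rest runs offline.

```python
"""DNS over 53/udp and 53/tcp: wire format, TCP framing, and the truncation
bit that forces the TCP retry.  Added example for the firewall-rules thread;
not code from the original posters.  Test data below is constructed."""
import socket
import struct

DNS_PORT = 53
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: client must retry over TCP (RFC 1035 4.1.1)
FLAG_RD = 0x0100   # recursion desired


def encode_name(qname):
    """Encode "www.example.com." as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Query as sent over UDP: 12-byte header, question, no length prefix."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the fields a firewall tester cares about from the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def tcp_frame(msg):
    """Over TCP each DNS message is preceded by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Inverse of tcp_frame: returns (message, leftover bytes) or raises
    ValueError when the stream does not yet hold a whole message."""
    if len(stream) < 2:
        raise ValueError("need length prefix")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("incomplete TCP DNS message")
    return stream[2:2 + n], stream[2 + n:]


def needs_tcp_retry(udp_response):
    """True when the UDP answer carries TC=1.  If the firewall drops 53/tcp
    the retry never succeeds and the name is unresolvable from outside."""
    return parse_header(udp_response)["tc"]


def make_response(q, truncated=False):
    """Constructed reply for offline tests: echo the question with QR set,
    optionally TC set, and no answer records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", q[:12])
    flags |= FLAG_QR
    if truncated:
        flags |= FLAG_TC
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + q[12:]


def query(server, qname, use_tcp=False, timeout=3.0):
    """Live exchange: UDP first, then TCP if forced or if the reply was
    truncated.  Network I/O only; not exercised by the offline tests."""
    q = build_query(qname)
    if not use_tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, DNS_PORT))
            resp, _ = s.recvfrom(4096)
        if not needs_tcp_retry(resp):
            return resp
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed 53/tcp before replying")
            buf += chunk
            try:
                resp, _ = tcp_unframe(buf)
                return resp
            except ValueError:
                continue
```

Running `query("<your nameserver>", "<a name it serves>", use_tcp=True)` from outside the firewall is a direct check of the 53/tcp rule; a timeout or reset there, with the UDP call succeeding, points at the firewall rather than the nameserver. On a stateful firewall the "source port 53, any destination port" return rule Tony describes is what connection tracking supplies automatically; on a stateless packet filter it has to be written explicitly, and it should be scoped to the nameserver's address only.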