On Thu, Apr 12, 2001 at 11:35:18PM -0400, Lance Ecklesdafer wrote:
> Not to state the obvious but for the benefit of all, I use two DNS servers
> as Tony suggested.. One DNS is behind the firewall and is used by internal
> workstations and servers. The other DNS is outside the firewall and on the
> DMZ. These two DNS servers DO NOT exchange zone information with each other.
> The ONLY records on the outside DNS are the ones necessary for communication
> to hosts available externally to the company. That way there is no chance of
> learning the internal network infrastructure by compromising the outside
> DNS.
This feature can also be accomplished with a single instance of tinydns
(djbdns package) using location codes, or, if I understand correctly, with
"views" in later BINDs (could be wrong here, haven't tried it).
Although admittedly you may still be better off having two machines
handle this, in the event the 'external' is compromised (notwithstanding
other attacks that will be mounted against you once your outer machine
is taken over).
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
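The single-server variant mentioned above (tinydns location codes; BIND 9 calls the equivalent "views") as an added example, not code from the thread or from djbdns. It is a small parser and resolver for the subset of the tinydns-data format that matters here: `%lo:ipprefix` lines assign a client IP to a location, and the trailing location field on a record makes that record visible only to clients at that location. The data file, zone names and addresses are constructed for illustration; the point of `names_on_disk` is the caveat the poster raises, that location codes hide records from clients but not from whoever gets onto the box.

```python
"""Split-horizon DNS with tinydns-style location codes, as a toy parser and
resolver.  Added example: not code from the post or from djbdns.  Implements
only the subset of the tinydns-data format needed to show how '%' lines and
the trailing location field decide which clients receive which answer."""

from collections import namedtuple

# Constructed sample data file.  Public records carry location 'ex', internal
# ones 'in'; the '.' (NS/SOA) line has no location and is served to everyone.
# '%ex:' has an empty prefix, so it matches any client not caught by a longer
# prefix.  Prefixes are literal string prefixes, as in tinydns: '10.' matches
# 10.x.x.x, while '10' would also match 100.x.x.x.
DATA = """\
%in:10.
%in:192.168.
%ex:
.example.com:203.0.113.10:ns1:86400
+www.example.com:203.0.113.20:86400::ex
+mail.example.com:203.0.113.25:86400::ex
+www.example.com:10.0.0.20:86400::in
+intranet.example.com:10.0.0.30:86400::in
+db1.example.com:10.0.0.40:86400::in
"""

Record = namedtuple("Record", "kind name ip location")


def parse_data(text):
    """Return (locations, records) from tinydns-data text.

    locations: list of (location, ip_prefix) taken from '%' lines.
    records:   Record for each '+', '=' and '.' line; location is '' when the
               record is visible to every client.
    """
    locations, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, body = line[0], line[1:]
        fields = body.split(":")
        if kind == "%":
            # %lo:ipprefix   (an empty prefix matches every client)
            locations.append((fields[0], fields[1] if len(fields) > 1 else ""))
        elif kind in "+=":
            # +fqdn:ip:ttl:timestamp:lo   ('=' additionally creates the PTR)
            fields += [""] * (5 - len(fields))
            records.append(Record(kind, fields[0].lower(), fields[1], fields[4]))
        elif kind == ".":
            # .fqdn:ip:x:ttl:timestamp:lo   (NS + SOA, plus A for the server)
            fields += [""] * (6 - len(fields))
            records.append(Record(kind, fields[0].lower(), fields[1], fields[5]))
        else:
            raise ValueError("unsupported tinydns record type: %r" % line)
    return locations, records


def client_location(locations, client_ip):
    """Longest matching '%' prefix wins; None when no '%' line matches."""
    best, best_len = None, -1
    for loc, prefix in locations:
        if client_ip.startswith(prefix) and len(prefix) > best_len:
            best, best_len = loc, len(prefix)
    return best


def lookup(name, client_ip, data=DATA):
    """A-record answers for `name` as seen from `client_ip`.

    A record is served when it has no location, or its location equals the
    client's location.  Everything else is silently absent from the answer.
    """
    locations, records = parse_data(data)
    loc = client_location(locations, client_ip)
    return [r.ip for r in records
            if r.kind in "+=" and r.name == name.lower()
            and (r.location == "" or r.location == loc)]


def names_on_disk(data=DATA):
    """Every name in the data file, regardless of location.

    This is what an attacker who compromises the single server can read: the
    location code hides records from remote clients, not from the host.
    """
    _, records = parse_data(data)
    return sorted({r.name for r in records})


if __name__ == "__main__":
    for client in ("10.1.2.3", "198.51.100.7"):
        for name in ("www.example.com", "intranet.example.com"):
            print(client, name, lookup(name, client))
    print("on disk:", names_on_disk())
```

The same split can be expressed in BIND 9 with two `view` blocks whose `match-clients` ACLs play the role of the `%` lines; either way, the internal zone data still lives on the externally reachable host, which is the trade-off the reply is pointing at.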