<..snip..>
I've heard the argument that DNS should be part of the firewall
because ... to send email or web to foo.com ... it has to go
find the DNS server first... then it will go to wherever it's
directed ... through the firewall next...
- and the problem is people like to attack the DNS servers
- and if you're lucky, it might have a backdoor into the LAN...
- or whatever it might tell you...
<..snip..>
Some comments from my part...

You don't run DNS on the firewall... at least not a server. You can sure
use it to resolve DNS addresses locally, but I would not advise using your
firewall as a resolver for your internal LAN.

The best way is to use a separate DNS system which resolves for your
internal LAN and other systems (mail, http, etc., etc.). If the DNS server
is only a resolver, then access from the outside isn't necessary, so you can
make a rule that only DNS traffic is allowed to go out of your network, and
only in to your network if the connection is in the firewall's state table
(if you use a stateful-inspection-based firewall, which I would prefer).

If people attack your DNS servers then your firewall isn't compromised, only
the DNS server. Access to the LAN isn't necessary... you just have to build
a DMZ which separates your Internet systems from your local LAN systems.

That's about it...

Just remember one thing... Don't run services (DNS, sendmail) on your FW
unless you have a $$$ problem and can't afford more systems to do the work.
It can be used to compromise your FW and therefore give a leap into your
LAN / DMZ.

Have fun BSD-ing

Brenno
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
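The layout Brenno describes (a resolver-only DNS box in a DMZ, stateful rules that let DNS out and let replies back only when they match the state table, nothing listening on the firewall itself, and no path from the DMZ into the LAN), written out as an added pf.conf example. This is not code from the original post or from anyone on the list; it assumes OpenBSD/FreeBSD pf, the interface names em0/em1/em2, the private address ranges shown, and leaves NAT out.

```conf
# Added example, not from the original message. Interface names, networks
# and the resolver address are assumptions; adjust to your own layout.
ext_if  = "em0"                  # Internet side
dmz_if  = "em1"                  # DMZ: resolver, mail, web
lan_if  = "em2"                  # internal LAN
lan_net = "192.168.1.0/24"
dmz_net = "192.168.100.0/24"
dns_srv = "192.168.100.53"       # caching resolver for the LAN, lives in the DMZ

set skip on lo0

# Default deny. pf is last-match-wins, so this sits first and everything
# below carves out exceptions. Nothing ever passes traffic to the firewall
# itself (no DNS, no sendmail on the FW).
block log all

# LAN clients may talk DNS only to the DMZ resolver; the state entry created
# here lets the answer flow back without any further rule.
pass in  on $lan_if proto { tcp, udp } from $lan_net to $dns_srv port 53 keep state
pass out on $dmz_if proto { tcp, udp } from $lan_net to $dns_srv port 53 keep state

# The resolver may recurse out to the Internet. Replies are admitted only
# because they match an entry in the state table, never by a static rule.
pass in  on $dmz_if proto { tcp, udp } from $dns_srv to any port 53 keep state
pass out on $ext_if proto { tcp, udp } from $dns_srv to any port 53 keep state

# Resolver only, not authoritative for anyone outside: no unsolicited port 53
# from the Internet. The default block already covers this; the explicit rule
# makes the intent visible in `pfctl -sr` and in the logs.
block in log on $ext_if proto { tcp, udp } from any to $dns_srv port 53

# DMZ hosts never initiate toward the LAN. Placed last so it overrides the
# "to any" pass above; a compromised DNS server stays boxed in the DMZ.
block in log on $dmz_if from $dmz_net to $lan_net
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. With stateful rules the reply direction is always covered by the state entry, so the only static openings are the two query paths (LAN to resolver, resolver to Internet), which is exactly the "only out, and only in if it's in the state table" rule from the message.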