On Tue, 4 Dec 2001, Rick Brown wrote:

> This is a little off topic but I thought you guys
> would be the ones to ask.  I only have a mail server
> and a web server (for web-based email access) in my
> DMZ.  Do I have to have a DNS server in the DMZ or can
> I just use my ISP's DNS?  I have an internal DNS

To host DNS, or to resolve queries?

> server(s).  What are the drawbacks to using my ISP's
> DNS.  I won't need to make very many DNS changes in

To resolve at the ISP:

Advantage- cache more likely to be populated.
           security someone else's problem.

Disadvantage- security someone else's problem.
              no control over cache/config.

To host at the ISP:

Advantage-    Probably better bandwidth.
              Hopefully redundancy.
              Less of a headache to administer.

Disadvantage- Emergency updates suck.
              Scheduled updates suck too[1].
              security someone else's problem (think ex-employee changes)

The end result is that I generally recommend a local caching-only
nameserver to resolve queries for hosts/firewalls/desktops, and
outsourcing hosting DNS unless you really need to manage the update
process because of last-minute changes and have the appropriate multiple
facilities/power/route infrastructure and the will to update BIND every
week or so ;).

Your mail server should probably cache on itself anyway; delivery will be
much more reliable and quick.

Paul
[1] It's nice to be able to halve the TTL for a while before a change until
you get it down to 5m or whatever to actually make the change, then come
back up with a low TTL to ensure you don't have to fall back.  Most ISPs
have a TTL floor they won't go below.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
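
The TTL step-down in footnote [1], worked as a schedule. This is an added example, not part of Paul's message. It assumes each lowered TTL is published at least one previous-TTL before the next step, and the function names, the one-hour observation window and the sample dates are made up for illustration.

```python
from datetime import datetime, timedelta


def halving_ladder(current_ttl, target_ttl, ttl_floor=0):
    """TTLs (seconds) to publish in order, each half the last, down to the lowest allowed."""
    lowest = max(target_ttl, ttl_floor)   # a provider's TTL floor overrides the wish
    ladder, ttl = [], current_ttl
    while ttl > lowest:
        ttl = max(ttl // 2, lowest)
        ladder.append(ttl)
    return ladder


def plan_change(change_at, current_ttl, target_ttl, ttl_floor=0,
                observe=timedelta(hours=1)):
    """Return [(when, action, ttl)] for the step-down, the change and the restore."""
    ladder = halving_ladder(current_ttl, target_ttl, ttl_floor)
    held_before = [current_ttl] + ladder[:-1]   # TTL caches may still hold at each step
    steps, when = [], change_at
    # Walk backwards from the change: a step must be published at least one
    # previous-TTL ahead of the next action so older cached answers have expired.
    for ttl, prev in zip(reversed(ladder), reversed(held_before)):
        when -= timedelta(seconds=prev)
        steps.append((when, "lower TTL", ttl))
    steps.reverse()
    low = ladder[-1] if ladder else current_ttl
    # Keep the low TTL through the observation window so a fallback is quick.
    steps.append((change_at, "change record", low))
    steps.append((change_at + observe, "restore TTL", current_ttl))
    return steps


if __name__ == "__main__":
    # Constructed sample: 1h TTL, change planned for noon, aiming at 5m.
    for when, action, ttl in plan_change(datetime(2001, 12, 10, 12, 0), 3600, 300):
        print(when.isoformat(" "), f"{action:<13}", ttl)
```

With a floor of 600 seconds the ladder stops at 600, so stale answers can linger for up to ten minutes after the change instead of five.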
