So if I set up my ISP's nameservers as forwarders on my internal DNS server, what traffic do I need to allow through my Checkpoint firewall? What can I do to make it as secure as possible? My first thought was to allow inbound & outbound UDP 53 only between my internal DNS servers and the ISP's DNS servers. I disabled recursion on my internal DNS servers and I obviously don't want zone transfers from outsiders. Any thoughts?

--- Paul Robertson <[EMAIL PROTECTED]> wrote:

> On Tue, 4 Dec 2001, Rick Brown wrote:
>
> > This is a little off topic but I thought you guys would be the ones to ask.
> > I only have a mail server and a web server (for web-based email access) in
> > my DMZ. Do I have to have a DNS server in the DMZ or can I just use my ISP's
> > DNS? I have an internal DNS
>
> To host DNS, or to resolve queries?
>
> > server(s). What are the drawbacks to using my ISP's DNS. I won't need to
> > make very many DNS changes in
>
> To resolve at the ISP:
>
> Advantage- cache more likely to be populated.
>            security someone else's problem.
>
> Disadvantage- security someone else's problem.
>               no control over cache/config.
>
> To host at the ISP:
>
> Advantage- Probably better bandwidth.
>            Hopefully redundancy.
>            Less of a headache to administer.
>
> Disadvantage- Emergency updates suck.
>               Scheduled updates suck too[1].
>               security someone else's problem (think ex-employee changes)
>
> The end result is that I generally recommend a local caching-only
> nameserver to resolve queries for hosts/firewalls/desktops, and
> outsourcing hosting DNS unless you really need to manage the update
> process because of last-minute changes and have the appropriate multiple
> facilities/power/route infrastructure and the will to update BIND every
> week or so ;).
>
> Your mail server should probably cache on itself anyway, delivery will be
> much more reliable and quick.
>
> Paul
>
> [1] It's nice to be able to halve the TTL for a while before a change until
> you get it down to 5m or whatever to actually make the change, then come
> back up with a low TTL to ensure you don't have to fall back. Most ISPs
> have a TTL floor they won't go below.
>
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
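An added example, not from the thread or either poster: it models the "UDP 53 only between internal DNS and ISP DNS" rule the question proposes against a few constructed flows, and compares it with a rule set that also allows TCP 53. All addresses are placeholders from the RFC 5737 documentation ranges, not real servers; a stateful firewall is assumed, so only the packet that opens each flow is matched.

```python
"""Model the firewall policy for a forwarding-only internal DNS server.

Added example (not the thread's own text). Addresses are constructed
placeholders; the internal and ISP subnets are assumptions.
"""
from ipaddress import ip_address, ip_network

INTERNAL_DNS = ip_network("10.0.0.0/24")   # assumed internal DNS server subnet
ISP_DNS = ip_network("192.0.2.0/24")       # placeholder for the ISP's resolvers

# A rule is (src_net, dst_net, proto, dst_port). Source ports are ephemeral and
# replies are handled by connection tracking, so only the initiating packet
# of a flow needs to match.
def allowed(rules, src, dst, proto, dport):
    """Return True if the packet that opens a flow matches any rule."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in r[0] and d in r[1] and proto == r[2] and dport == r[3]
               for r in rules)

# The policy proposed in the question: UDP 53 only, internal DNS -> ISP DNS.
UDP_ONLY = [(INTERNAL_DNS, ISP_DNS, "udp", 53)]

# The same policy plus TCP 53 in the same direction. A forwarder retries a
# query over TCP when the UDP answer comes back with the TC (truncated) bit
# set, which happens for answers larger than the UDP payload limit.
UDP_AND_TCP = UDP_ONLY + [(INTERNAL_DNS, ISP_DNS, "tcp", 53)]

# Constructed flows: (src, dst, proto, dst_port). The last two come from an
# outside host and must stay blocked regardless of policy, since recursion
# is disabled and zone transfers to outsiders are unwanted.
FLOWS = {
    "forwarded query":    ("10.0.0.5", "192.0.2.10", "udp", 53),
    "tcp retry after TC": ("10.0.0.5", "192.0.2.10", "tcp", 53),
    "outsider recursion": ("203.0.113.7", "10.0.0.5", "udp", 53),
    "outsider zone xfer": ("203.0.113.7", "10.0.0.5", "tcp", 53),
}

def evaluate(rules):
    """Map each constructed flow name to whether the rule set permits it."""
    return {name: allowed(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("UDP only", UDP_ONLY), ("UDP + TCP", UDP_AND_TCP)):
        print(label, evaluate(rules))
```

With the UDP-only policy the "tcp retry after TC" flow is dropped, so any answer the ISP truncates never reaches the forwarder; the second rule set fixes that while still leaving both outsider flows blocked.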
