In principle, you should allow TCP 53 too.

TCP is used for queries which are more than 512 bytes, which usually are
zone transfers but might not be.

rgds,
Harri

-----Original Message-----
From: ext Hiemstra, Brenno [mailto:[EMAIL PROTECTED]]
Sent: 05 December, 2001 16:05
To: 'Rick Brown'; [EMAIL PROTECTED]
Subject: RE: DNS forwarding through FW-1 (was DNS in DMZ)


If you are only initiating a DNS connection FROM your
internal network then a rule that allows DNS UDP from
your internal DNS server to the DNS servers of your ISP...

this should be enough for local network resolving...

then no one from outside can contact your internal DNS server

> -----Original Message-----
> From: Rick Brown [SMTP:[EMAIL PROTECTED]]
> Sent: woensdag 5 december 2001 15:35
> To:   [EMAIL PROTECTED]
> Subject:      DNS forwarding through FW-1 (was DNS in DMZ)
> 
> So if I set up my ISP's nameservers as forwarders on
> my internal DNS server, what traffic do I need to
> allow through my Checkpoint firewall?  What can I do
> to make it as secure as possible?  My first thought
> was to allow inbound & outbound UDP 53 only between my
> internal DNS servers and the ISP's DNS servers.  I
> disabled recursion on my internal DNS servers and I
> obviously don't want zone transfers from outsiders. 
> Any thoughts?
> --- Paul Robertson <[EMAIL PROTECTED]> wrote:
> > On Tue, 4 Dec 2001, Rick Brown wrote:
> > 
> > > This is a little off topic but I thought you guys
> > > would be the ones to ask.  I only have a mail server
> > > and a web server (for web-based email access) in my
> > > DMZ.  Do I have to have a DNS server in the DMZ or can
> > > I just use my ISP's DNS?  I have an internal DNS
> > 
> > To host DNS, or to resolve queries?
> > 
> > > server(s).  What are the drawbacks to using my ISP's
> > > DNS.  I won't need to make very many DNS changes in
> > 
> > To resolve at the ISP:
> > 
> > Advantage- cache more likely to be populated.
> >            security someone else's problem.
> > 
> > Disadvantage- security someone else's problem.
> >               no control over cache/config.
> > 
> > To host at the ISP:
> > 
> > Advantage-    Probably better bandwidth.
> >               Hopefully redundancy.
> >               Less of a headache to administer.
> > 
> > Disadvantage- Emergency updates suck.
> >               Scheduled updates suck too[1].
> >               security someone else's problem (think ex-employee changes)
> > 
> > The end result is that I generally recommend a local caching-only
> > nameserver to resolve queries for hosts/firewalls/desktops, and
> > outsourcing hosting DNS unless you really need to manage the update
> > process because of last-minute changes and have the appropriate multiple
> > facilities/power/route infrastructure and the will to update BIND every
> > week or so ;).
> > 
> > Your mail server should probably cache on itself anyway, delivery will be
> > much more reliable and quick.
> > 
> > Paul
> > [1] It's nice to be able to halve the TTL for a while before a change until
> > you get it down to 5m or whatever to actually make the change, then come
> > back up with a low TTL to ensure you don't have to fall back.  Most ISPs
> > have a TTL floor they won't go below.
> >
> > ---------------------------------------------------------------------------
> > Paul D. Robertson      "My statements in this message are personal opinions
> > [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
> > 
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
> 
> 
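The point Harri makes at the top of the thread (allow TCP 53 as well as UDP 53 between the internal resolver and the ISP's servers) comes from how a DNS client behaves when a UDP answer does not fit: the server sets the TC (truncated) bit in a reply cut to 512 bytes, and the client repeats the same query over TCP, where each message carries a 2-byte length prefix. The example below is an added illustration, not code from any of the posts; it builds a real query, parses the header flags, and runs the UDP-then-TCP fallback against a constructed in-process fake server (no network, no real ISP addresses, `192.0.2.x` documentation addresses), so the firewall rule a practitioner ends up with is "internal resolver to ISP resolvers, UDP 53 and TCP 53, stateful replies only", and nothing else inbound to the internal resolver.

```python
import struct

DNS_UDP_MAX = 512  # classic UDP payload limit without EDNS0 (RFC 1035); EDNS0 raises it


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question, QCLASS IN."""
    flags = 0x0100 if rd else 0x0000  # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the fixed DNS header; TC is the bit that forces the TCP retry."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response: bytes) -> bool:
    return parse_header(udp_response)["tc"]


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def resolve(query: bytes, send_udp, send_tcp):
    """Send over UDP first; if the reply is truncated, repeat the query over TCP.

    send_udp/send_tcp are injected transports so the logic can run offline.
    """
    reply = send_udp(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction ID mismatch (possible spoofed reply)")
    if not hdr["tc"]:
        return reply, "udp"
    # This retry is why a UDP-53-only firewall rule silently breaks large answers.
    reply = tcp_unframe(send_tcp(tcp_frame(query)))
    if parse_header(reply)["tc"]:
        raise ValueError("server truncated over TCP; answer unusable")
    return reply, "tcp"


# --- constructed fake server, stands in for the ISP resolver (no network) ---
def make_response(query: bytes, answers, truncate_at=None) -> bytes:
    """Echo the question and append one A record per address; set TC and cut if too big."""
    qhdr = parse_header(query)
    body = query[12:]  # question section copied from the query
    for ip in answers:
        # name pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4, address
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    flags = 0x8180  # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", qhdr["id"], flags, 1, len(answers), 0, 0) + body
    if truncate_at is not None and len(msg) > truncate_at:
        msg = struct.pack("!HHHHHH", qhdr["id"], flags | 0x0200, 1, len(answers), 0, 0) + body
        msg = msg[:truncate_at]
    return msg


BIG_ANSWER = [f"192.0.2.{i}" for i in range(1, 60)]  # 59 A records, well over 512 bytes


def fake_udp(query: bytes) -> bytes:
    return make_response(query, BIG_ANSWER, truncate_at=DNS_UDP_MAX)


def fake_tcp(framed_query: bytes) -> bytes:
    return tcp_frame(make_response(tcp_unframe(framed_query), BIG_ANSWER))


if __name__ == "__main__":
    q = build_query("example.com")
    reply, transport = resolve(q, fake_udp, fake_tcp)
    print(transport, len(reply), parse_header(reply))
```

Run stand-alone it prints `tcp 973 {...}`: the UDP reply came back truncated at 512 bytes with TC set and the full 973-byte answer only arrived over TCP. With a one-record answer the same `resolve` returns over UDP and never opens the TCP connection, which is why a UDP-only rule appears to work until the first large answer.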