On Tue, 20 Oct 2015 01:08:42 -0600 Devin Reade <[email protected]> wrote:

> > On Oct 19, 2015, at 18:26, Karl O. Pinc <[email protected]> wrote:
> >
> > But if you write DNS names into your pf.conf
> > file then step 2 can be eliminated. All
> > that's required is to reload the rules.
> >
> > Eliminating an extra editing step reduces
> > error.
>
> Unless of course your DNS is on your LAN and after a major power
> outage everything is trying to cold boot at once, and now your pf
> rules won't resolve because no DNS is available.
Exactly. That's why an essential part of the design is to have a slave DNS server for your authoritative zones on the firewall itself. (The firewall need not have an NS record, or serve DNS to anything but itself.) This ensures that authoritative names will always resolve on the firewall, at least until the slave zones time out because of problems reaching the DNS master. But, since a month is a reasonable timeout, if that happens you've got bigger problems and have had them for a long time.

See the first message in the thread for more details regarding ensuring that slave DNS server is there when pf rules load at boot.

Thanks for the feedback. I'd love to hear further critique.

Regards,

Karl <[email protected]>
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
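As an added example (it is not part of this thread and not any poster's code), the script below is the kind of pre-flight check a firewall admin would run before `pfctl -f` when pf.conf contains DNS names: it pulls every hostname out of the ruleset and verifies that the local resolver (the on-firewall slave described above, or whatever is in resolv.conf) can still answer for it. It assumes hostnames appear as plain tokens in tables, macros and rules; the pf.conf content is constructed for illustration, and the resolver step uses host(1) when present, falling back to getent(1).

```shell
#!/bin/sh
# Added example: check that every DNS name in a pf.conf resolves before loading rules.
# Not from the mailing-list thread; the sample ruleset below is constructed.

# Constructed pf.conf used when no file is given on the command line.
SAMPLE_PF_CONF='ext_if = "em0"
table <mailservers> { mx1.example.net, mx2.example.net }   # constructed names
pass in on $ext_if proto tcp to www.example.net port { 80, 443 }
pass out on $ext_if proto udp to 192.0.2.53 port 53
block in quick from 198.51.100.0/24'

# Print each DNS name used in the pf.conf given as $1, one per line, deduplicated.
# Comments are stripped first; tokens are split on whitespace, braces, commas and quotes.
# A "name" is a dotted token whose labels are valid DNS labels; purely numeric
# dotted tokens (IPv4 literals) are excluded, and CIDR tokens never match because of the slash.
pf_hostnames() {
    sed -e 's/#.*$//' "$1" \
      | tr -s ' \t{},"' '\n\n\n\n\n\n' \
      | grep -E '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$' \
      | grep -Ev '^[0-9.]+$' \
      | sort -u
}

# Resolve one name through the system resolver. Non-zero status means it did not resolve.
resolve_name() {
    if command -v host >/dev/null 2>&1; then
        host -W 2 "$1" >/dev/null 2>&1
    else
        getent hosts "$1" >/dev/null 2>&1
    fi
}

# Check every name in the pf.conf given as $1; report failures on stderr.
# Exit status 1 if any name is unresolved, so it can gate the rule reload.
pf_check_resolve() {
    rc=0
    for n in $(pf_hostnames "$1"); do
        if ! resolve_name "$n"; then
            echo "UNRESOLVED: $n" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: use the file given as $1, otherwise the constructed sample.
if [ $# -gt 0 ]; then
    CONF="$1"
else
    CONF=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE_PF_CONF" > "$CONF"
fi
echo "Names referenced in $CONF:"
pf_hostnames "$CONF"
if pf_check_resolve "$CONF"; then
    echo "all names resolve; safe to run: pfctl -f $CONF"
else
    echo "refusing to reload rules until the resolver is healthy" >&2
fi
[ $# -gt 0 ] || rm -f "$CONF"
```

Typical use is `sh pf-check-resolve.sh /etc/pf.conf && pfctl -f /etc/pf.conf`. pfctl itself refuses the whole ruleset when a name does not resolve, so the value of the pre-check is the explicit list of which names failed, which points straight at the slave zone that has expired or the resolver that is not up yet at boot.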

