On 11/15/07, Jonathan Thornburg <[EMAIL PROTECTED]> wrote:
> I'm setting up a home firewall, intended to (try to) protect "client"
> machines (mostly family members' MS-Windoze laptops) from misc internet
> threats.  I have a couple of questions about how best to handle DNS
> on/through the firewall:
>
> The purpose of this message is to ask for advice on how to handle
> DNS on the firewall.  I can see two basic options:
> (a) When the firewall boots, after the outside network is configured
>    (via /etc/rc running dhclient) a shell/grep/perl script on the
>    firewall copies the DNS server addresses from /etc/resolv.conf
>    into /etc/dhcpd.conf, and only then does the firewall start its
>    dhcpd on the inside interface.  dhcpd will then hand out the
>    (ISP-provided) DNS server addresses to clients at the same time
>    it gives them their local addresses, causing the clients to
>    directly query my ISP's DNS servers.
> (b) The firewall's dhcpd is configured to tell clients that the
>    firewall itself is a DNS server.  The firewall also runs a DNS
>    proxy (eg /usr/ports/net/totd or /usr/ports/www/squid,transparent).
>    Clients then query the firewall as a DNS server, and the firewall
>    (i.e. OpenBSD's resolver(3) routines in libc) queries my ISP's
>    DNS servers as needed, and (via the DNS proxy) passes the results
>    back to clients.
>
> (b) looks a bit harder to set up on the firewall (I need to configure
> the DNS proxy whereas (a) just has to allow DNS traffic in /etc/pf.conf).
> On the other hand, (b) also looks a bit more secure, because only
> OpenBSD's resolver(3) routines are exposed to the outside world, not
> the clients' resolvers.  For the same reason, I suspect (b) might also
> be a little less vulnerable to DNS cache-poisoning attacks.
>
> Questions:
> * Are there other (significant) advantages/disadvantages of (a) vs (b)
>  that I haven't thought of?
> * Are there other design options that I haven't thought of?
> * What do other people do about DNS in firewalled home networks?

Even for a small network, I like having an internal zone for the local
LAN--so I'd set up named with a master internal zone--and, by default,
named will also query the root servers and act as cache for your local
clients.  However, if you don't want named querying the root servers,
you can configure your ISP's name servers as forwarders.
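As an added example (not from either poster), here is what the suggested setup looks like as a BIND 9 named.conf on the firewall: one master zone for the LAN, recursion and queries allowed only from the inside network, and the ISP's servers as forwarders so named never walks the root servers itself. The LAN prefix 192.168.1.0/24, the inside address 192.168.1.1, the zone name home.example, the file names and the forwarder addresses (203.0.113.53/54, documentation space) are all constructed placeholders; substitute your own.

```conf
// Added example, not from the original thread. Addresses, zone name
// and file names are constructed placeholders.
acl lan {
    127.0.0.1;
    192.168.1.0/24;        // inside LAN (placeholder)
};

options {
    directory "/var/named";          // assumed; use your chroot/data dir

    // Bind only to loopback and the inside interface, so the outside
    // world never talks to this named at all.
    listen-on { 127.0.0.1; 192.168.1.1; };

    // Only LAN clients may ask questions, and only they get recursion;
    // this is what keeps the firewall from becoming an open resolver.
    allow-query     { lan; };
    allow-recursion { lan; };

    // Hand everything we are not authoritative for to the ISP's
    // servers instead of querying the root servers directly.
    forwarders { 203.0.113.53; 203.0.113.54; };   // ISP resolvers (placeholder)
    forward only;

    version "none";                  // don't advertise the BIND version
};

// Forward zone for the LAN: firewall, printer, family laptops, etc.
zone "home.example" {
    type master;
    file "home.example.db";          // zone data lives here (placeholder)
    allow-update { none; };
};

// Matching reverse zone for 192.168.1.0/24.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "home.example.rev";         // reverse zone data (placeholder)
    allow-update { none; };
};
```

With this in place, dhcpd.conf hands out `option domain-name-servers 192.168.1.1;` (the firewall's inside address) so the clients only ever talk to named on the firewall, which is option (b) from the original message. Leaving out `forward only` makes named fall back to the root servers if the forwarders fail; leaving out `allow-recursion` lets anyone who can reach the listening socket use the cache, which is why both the listen-on list and the ACL are restricted to the inside network.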
