On Tue, 2009-08-04 at 09:26 -0700, Eric Shubert wrote:
> Craig White wrote:
> > On Tue, 2009-08-04 at 08:10 -0700, Eric Shubert wrote:
> >> Once you have a caching nameserver set up on an orange host, any
> >> additional servers on the orange subnet can use that resolver as well.
> >> You might need to tweak the config a little to allow other machines
> >> to query it though - I'm not sure how tight the default configuration
> >> is for caching-nameserver.
> > ----
> > that is probably a bad security risk, though if you are careful with
> > iptables rules you can be specific about which hosts are allowed to
> > access port 53 (udp/tcp).
> > 
> > Craig
> > 
> > 
> I don't think the risk would be very high:
> .) IPCop wouldn't allow access from outside of the orange subnet.
> .) installing chroot-bind reduces the risk as well.
----
I could be wrong about this, but my understanding of a DMZ is that it
would be mapped to a public IP address and nothing would be filtered at
all inbound from the untrusted Internet, and thus the services are exposed
to everyone, which is why the DMZ is not allowed to access the 'green'
network. DMZ systems are just routed public addresses. You can probably
add filtering/firewalling on IPCop for DMZ hosts if you choose, but I
don't know that. Bind servers have a history of being exploited, and unless
you are willing to do the research in order to secure a public DNS service,
just don't do it.

Craig


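The thread's suggestion is to restrict port 53 (udp/tcp) on the caching nameserver to the hosts that should be allowed to query it. The script below is an added example, not code from the thread or from IPCop; it generates the iptables rules for that restriction for one trusted subnet. The function names (valid_cidr, dns_rules, main) and the subnet value are assumptions chosen for illustration; the subnet is a constructed placeholder standing in for an IPCop "orange" network. The CIDR check exists so that a typo cannot silently turn the ACCEPT rule into an "allow everyone" rule. Nothing is applied to the kernel unless APPLY=1 is set, and applying requires root.

```sh
#!/bin/sh
# Added example (not from the thread): emit iptables rules that restrict a
# caching nameserver's port 53 (udp/tcp) to one trusted subnet.
# ORANGE_NET below is a constructed placeholder for the DMZ subnet.

ORANGE_NET="${ORANGE_NET:-192.168.2.0/24}"   # constructed example subnet

# Validate a dotted-quad CIDR (a.b.c.d/n) so a typo cannot produce an
# over-broad ACCEPT rule. Returns 0 when valid, 1 otherwise.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|'') return 1 ;;          # only digits, dots and one slash
    esac
    ip="${1%/*}"; bits="${1#*/}"
    [ "$ip" != "$1" ] || return 1           # the /prefix part is required
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $ip                              # split the address on dots
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1                # exactly four octets
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print, one per line, the iptables commands that allow DNS queries from
# the given subnet and drop port 53 traffic from everywhere else.
dns_rules() {
    net="$1"
    valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
    for proto in udp tcp; do
        echo "iptables -A INPUT -p $proto --dport 53 -s $net -j ACCEPT"
    done
    for proto in udp tcp; do
        echo "iptables -A INPUT -p $proto --dport 53 -j DROP"
    done
}

# Show the rules by default; apply them only when APPLY=1 is set.
main() {
    if [ "${APPLY:-0}" = "1" ]; then
        dns_rules "$ORANGE_NET" | while IFS= read -r cmd; do $cmd; done
    else
        dns_rules "$ORANGE_NET"
    fi
}

main
```

Run it without arguments to review the four rules, then with APPLY=1 as root to install them. The ACCEPT rules must precede the DROP rules, which is why the script emits them in that order. The same restriction can also be expressed inside the nameserver itself (for BIND, the allow-query and allow-recursion options), and doing both means a mistake in one layer is still caught by the other.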

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
