
DNS - Firewall


mike
Jul 14, 2003, 12:51:38 PM
How could I configure the DNS (resolv.conf) on my firewall? To the
internal DNS in my LAN, or externally to my provider?
What's the best and the right way concerning security and
performance?

regards,
:-) mike

Todd H.
Jul 14, 2003, 1:29:54 PM
m.m...@ny.com (mike) writes:

I don't have any specific experience to share, but I can share what I
know at a high level.

A split horizon method is typically what's ordered for this. There
are some secure DNS templates out there that work with AIX that give
examples:

http://www.cymru.com/Documents/secure-bind-template.html

The O'Reilly book on DNS and BIND is also strongly recommended.

I'm sure others will have additional resources they can share.

Best Regards
--
Todd H.
http://www.toddh.net/

Ida Young
Jul 14, 2003, 2:36:42 PM
The firewall should use the internal DNS server if there is one, so that the
firewall can resolve the internal host names and addresses as well as the
external hostnames and addresses.

With a firewall, you had better have an internal DNS server and an external
DNS server. The internal DNS server resolves the hostnames and IP addresses
for your internal machines and firewall. The external DNS server only
resolves your public services, and serves users from the Internet.

Ida Young
Support of ITShield firewall
http://www.itshield.com

"mike" <m.m...@ny.com> wrote in message
news:77a98267.03071...@posting.google.com...

Uli Link
Jul 14, 2003, 2:56:36 PM

authoritative DNS for the private network inside the firewall, that is
forwarding and caching requests from clients.
You can restrict the DNS traffic between the nameservers of your provider
and one (or two) internal nameservers.
No DNS service on the firewall.

---
Uli
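The layout Ida Young and Uli Link describe above (firewall resolves via the internal nameserver; only that nameserver talks to the provider's nameservers; no DNS service on the firewall) as an added example that is not part of this thread. It is a small Python check of a firewall host's resolv.conf and of a DNS egress policy; the addresses 10.0.0.53 and 198.51.100.1/2 and the sample resolv.conf are constructed for illustration.

```python
import ipaddress

# Constructed resolv.conf for the firewall host: it points only at the
# internal nameserver, as recommended in the thread (not a real config).
FIREWALL_RESOLV_CONF = """\
# firewall resolver: use the internal nameserver only
search corp.example
nameserver 10.0.0.53
options timeout:2 attempts:2
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addresses: the one internal nameserver allowed out, and the
# provider's nameservers it may forward to (assumptions, not thread data).
INTERNAL_NS = ipaddress.ip_address("10.0.0.53")
PROVIDER_NS = {ipaddress.ip_address("198.51.100.1"),
               ipaddress.ip_address("198.51.100.2")}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf body,
    ignoring comments, blank lines and other directives."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def resolver_is_internal(text):
    """True iff the firewall has at least one nameserver and every one of
    them lies inside the private LAN (i.e. not the provider's resolvers)."""
    servers = parse_resolv_conf(text)
    return bool(servers) and all(
        any(s in net for net in INTERNAL_NETS) for s in servers)


def dns_egress_allowed(src, dst, dport):
    """Decide an outbound DNS flow (src -> dst:dport) under the policy
    'only the internal nameserver may query the provider's nameservers'.
    Everything else on port 53, including the firewall itself, is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 53:
        return False          # this policy only decides DNS flows
    return src == INTERNAL_NS and dst in PROVIDER_NS
```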


Eirik Seim
Jul 14, 2003, 5:05:02 PM
On Mon, 14 Jul 2003 18:36:42 GMT, Ida Young wrote:
> "mike" <m.m...@ny.com> wrote in message
> news:77a98267.03071...@posting.google.com...
> > How could I configure the DNS (resolv.conf) on my firewall? To the
> > internal DNS in my LAN, or externally to my provider?
> > What's the best and the right way concerning security and
> > performance?
>
> The firewall should use the internal DNS server if there is one, so that the
> firewall can resolve the internal host names and addresses as well as the
> external hostnames and addresses.
>
> With a firewall, you had better have an internal DNS server and an external
> DNS server. The internal DNS server resolves the hostnames and IP addresses
> for your internal machines and firewall. The external DNS server only
> resolves your public services, and serves users from the Internet.

While this makes perfect sense, a relevant question might be _why_ the
firewall needs to look up hostnames at all.

In essence, resolving hostnames means relying on external (even if they are
on the inside of the firewall) information, which in my not so humble
opinion is a bad thing on a firewall. Someone might have good reasons for
this, but I fear most don't.

Followup-To set to comp.security.firewalls, please ignore if your answer
has something to do with AIX.


- Eirik
--
New and exciting signature!

Ben Kamen
Jul 20, 2003, 4:53:54 AM
That's how I do it.

I know some people have worked out methods for machines with 2 NICs or 2 IPs to
do split horizon based on NIC/IP... what a hassle. :)

Hardware is cheap. :)

I do the same thing though.
