I assume this is for serving DNS information to the outside world, i.e. where you have a
domain and want others to know about it.  The trade-off between inside/outside is the
possible exploits someone could use against you if you allow external communication
into your network (i.e. for DNS) vs. keeping the external DNS server secure.  Initially
a proxy might look like a good idea, since the DNS server is protected by the firewall
and you are not allowing packets inwards; however, this would depend on how much
app-level checking the proxy did: probably not much, and it can't be aware of yet unknown
attacks.  Just letting through packets intended for your DNS server is no better, as it
opens you to malformed IP/UDP exploits, and depending on your filters trojans might be
able to use this as a data channel.  So you're left with using a specialist DNS server in a
DMZ (either interpretation of the DMZ, i.e. protected by the firewall on a third
interface or unprotected on the outside), which demands you secure the server and assume
that it can be cracked.  You might consider using your ISP's DNS server, since they *have*
to have an external DNS server, so you pass the responsibility to them.

HTH,

Steve

On Sun, Jul 25, 1999 at 09:12:19PM -0700, Somebody Somewhere wrote:
> Hello all,
> 
> Simple question I hope:
> 
> Is it a better idea to set up the proxy and DNS servers on an internal network or
> on a DMZ?
> 
> Pros and cons of each setup and any other info would be very much appreciated.
> 
> Thanks a lot.
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

-- 
"Hacker, terrorist, pornographer, drug trafficker," 
"That's it -- the four horsemen of the Apocalypse." 
 J. Granick, referring to the US public's fears.