Sorry, I'd have to disagree. A split DNS is a must, but it would make more
sense on the external interface, as for most firewalls the DMZ is regarded
as an internal interface. As for the proxy, you could put it there; however,
you will find that you will have to set up rules on the firewall that allow
traffic to the proxy (through the firewall) and rules to allow it from the
proxy out (through the firewall) so you end up with two sets of rules that
can easily be mixed up. It is easier to put the proxy on the internal side
and let the firewall direct traffic out to the internet. One set of rules,
and one location from which outgoing traffic is allowed.
Mark
PS: my opinion and not the Bank's.
-----Original Message-----
From: Dave Gillett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 27 July 1999 05:24
To: [EMAIL PROTECTED]
Subject: Re: Proxy/DNS in a DMZ
On 25 Jul 99, at 21:12, Somebody Somewhere wrote:
> Is it a better idea to set up the proxy and DNS servers on an internal
> network or on a DMZ?
Proxy, I would put in the DMZ -- then the only connections to your inner
servers that transit the firewall are between them and the proxy. I don't
see an internal proxy doing much good.
DNS that answers external queries should be in the DMZ. If your internal
servers use DNS to locate each other, provide an internal DNS as well, that
queries the DMZ DNS for any non-local requests. External requests should
never come to the internal DNS.
David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
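Added example, not part of either message: a small audit that checks a firewall's DNS allow rules against the split-DNS layout described in the quoted reply (the internal DNS forwards only to the DMZ DNS, and nothing outside the internal network can reach the internal DNS). The addresses, rule names and rule format are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumptions, not taken from the thread).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_DNS = ipaddress.ip_address("10.0.0.53")
DMZ_DNS_NET = ipaddress.ip_network("192.0.2.53/32")

# Constructed allow rules: (name, source, destination, destination port).
RULES = [
    ("int-dns-to-dmz-dns", "10.0.0.53/32", "192.0.2.53/32", 53),
    ("inet-to-dmz-dns",    "0.0.0.0/0",    "192.0.2.53/32", 53),
    ("int-dns-direct-out", "10.0.0.53/32", "0.0.0.0/0",     53),
    ("any-to-int-dns",     "0.0.0.0/0",    "10.0.0.53/32",  53),
    ("int-web-out",        "10.0.0.0/8",   "0.0.0.0/0",     80),
]


def audit_split_dns(rules):
    """Return (rule name, reason) for each rule that breaks the layout."""
    findings = []
    for name, src, dst, port in rules:
        if port != 53:
            continue  # only DNS rules are in scope
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)

        # "External requests should never come to the internal DNS."
        if INTERNAL_DNS in dst_net and not src_net.subnet_of(INTERNAL_NET):
            findings.append((name, "non-internal source can reach internal DNS"))

        # The internal DNS may leave the internal network only towards
        # the DMZ DNS, which resolves non-local names on its behalf.
        leaves_internal = not dst_net.subnet_of(INTERNAL_NET)
        if INTERNAL_DNS in src_net and leaves_internal and dst_net != DMZ_DNS_NET:
            findings.append((name, "internal DNS can query beyond the DMZ DNS"))
    return findings


if __name__ == "__main__":
    for rule_name, reason in audit_split_dns(RULES):
        print(f"{rule_name}: {reason}")
```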