"Paul D. Robertson" wrote:
>
> On Fri, 7 Jan 2000, Bennett Samowich wrote:
>
> > Greetings,
[Snip!]
> > Where should a perimeter server (mail/web/other) get its DNS?
>
> How much data does it need to get, and how authoritative should it be?
>
> If it goes to an internal server or a secure external server you can take
> over domains if necessary. If you don't want it to do that, then why
> not have it do its own DNS and run a caching server locally?
I always recommend using an "Internet" DNS server and a "Local" DNS
server.
The machines in the DMZ that are doing "forwarding tasks" (such as your
mail gateway) should use your internal DNS. This allows the mail server's
actions to be controlled from your internal DNS rather than having to
modify your external DNS (and giving away loads of info about your
internal network).
Your internet DNS should only contain the addresses of your DMZ-based
machines.
> > My thought is this:
> > If the server uses the internal DNS, a compromised server then knows
> > the internal topology. Not to mention the possibility of exploits into
> > the internal network.
>
> If you're using BIND8 internally, you can stop queries for internal zones
> for the external server. I typically use a fake TLD for internal hosts
> (which makes life much easier when people mail around internal URLs), so
> putting access restrictions on those zones is fairly easy.
I personally allow the DMZ machines to access the internal DNS; it's
simpler, more predictable, and relatively safe.
The problems of exploits into the internal network can be minimised by
constantly keeping your DNS server up-to-date.
Oh, and *always* use BIND8. (I await a stream of "BIND4 is better"
mails)
> > If the server uses the "fake" DNS then it knows nothing of the internal
> > addresses. This may or may not be a problem, but that is how I came to
> > this question.
>
> IMO, Web servers shouldn't use DNS at all. Mail servers need DNS, and
> they need to know about machines they need to reach. In the case of a
> heavily used server you'll want to cache locally anyway, so why not just
> point it at the root servers and be done with it?
I'd agree with that; web servers should have no need for DNS.
The machines that normally require DNS at all are your mail server
(probably needing access to the internal DNS) and, if you have one,
your web proxy (using Internet DNS).
> Paul
Gav
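An added example, not from the thread or either poster, of how the per-zone access restrictions Paul describes could look in the internal server's BIND 8 named.conf (BIND 8 has no "view" statement, so each zone carries its own allow-query). The address ranges, fake TLD, zone names and file paths are assumptions for illustration.

```conf
// Assumed address ranges: internal LAN and the DMZ segment.
acl "internal" { 10.0.0.0/8; 127.0.0.1; };
acl "dmz"      { 192.168.100.0/24; };

options {
    directory "/var/named";
    // Default for any zone that does not set its own allow-query:
    // internal hosts and DMZ hosts may ask, the Internet may not.
    allow-query     { "internal"; "dmz"; };
    // DMZ forwarders (e.g. the mail gateway) may use this server
    // as a caching resolver for Internet names.
    allow-recursion { "internal"; "dmz"; };
    // Never hand out whole zones, to anyone.
    allow-transfer  { none; };
};

// Fake internal TLD so internal names can never collide with, or leak
// into, the Internet-facing DNS.
zone "corp.internal" {
    type master;
    file "master/corp.internal.db";
    // Internal topology stays internal: a compromised DMZ box can still
    // resolve Internet names via recursion but cannot walk this zone.
    allow-query { "internal"; };
};

// Reverse zone for the internal range gets the same restriction.
zone "10.in-addr.arpa" {
    type master;
    file "master/10.in-addr.arpa.db";
    allow-query { "internal"; };
};

// Root hints so the server can recurse for Internet names on behalf
// of the internal and DMZ hosts allowed above.
zone "." {
    type hint;
    file "named.root";
};
```

If the DMZ mail gateway genuinely needs internal hostnames (Gav's arrangement), add "dmz" to the allow-query list of "corp.internal" only, leaving the reverse zone closed.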