I think the time has come for a new answer to this question.

<URL:http://cr.yp.to/dnscache.html>

There are lots of bits and pieces there, but for many discussions the
heart of it is dnscache and tinydns. The first one is nothing but a
caching dns proxy, small, fast, efficient, intended to be free of
every kind of security problem that's not unavoidably provided by
the protocol. And tinydns is a simple server for a zone. Used in
combination they can provide a great many alternatives. For a DMZ,
I'd tend to rig the machines to use hosts files and no DNS at all
for the most part. There are only two places where DNS is needed,
and they could easily be combined on the same machine. Make the
email server do double duty as the public dns server. Run tinydns
on its external interface, and dnscache on its internal, with the
latter configured to look at the former for your forward and reverse
domains. If you need to be able to support zone transfers there are
components for that as well, but I'd rather just rsync-over-ssh the
data to any "secondaries" I wanted to keep up-to-date.

-Bennett

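The split-role layout described above, as an added example that is not part of Bennett's message or of the djbdns package: tinydns bound to the external address, dnscache bound to the internal address with servers/ files sending the local forward and reverse zones to tinydns, an ip/ file admitting the internal network, and a Makefile target that pushes the compiled data.cdb to a secondary with rsync over ssh instead of running a zone transfer. The script writes the files into a directory you name rather than /etc, so it runs offline; on a real host tinydns-conf and dnscache-conf create the same skeleton. Every address, prefix, host and zone name in it (192.0.2.10, 10.0.0.1, example.com, 2.0.192.in-addr.arpa, ns2.example.net) is assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from djbdns: lay out the
# configuration the message describes (tinydns on the external interface,
# dnscache on the internal one forwarding the local zones to tinydns, and an
# rsync-over-ssh target for secondaries). Writes under a directory you name
# instead of /etc so it can be inspected offline. All names and addresses
# below are assumed for illustration.

EXT_IP=192.0.2.10               # assumed public address: tinydns listens here
INT_IP=10.0.0.1                 # assumed internal address: dnscache listens here
INT_NET_PREFIX=10               # assumed: clients in 10.* may query dnscache
DOMAIN=example.com              # assumed forward zone
REV_ZONE=2.0.192.in-addr.arpa   # assumed reverse zone for 192.0.2.0/24
SECONDARY=ns2.example.net       # assumed secondary reached over ssh

# tinydns zone data in tinydns-data format. A '.' line yields SOA, NS and the
# nameserver's A record; '=' yields an A record plus the matching PTR, which is
# why the reverse zone needs no entries of its own; '@' yields an MX (the empty
# ip field means no extra A record is generated for the exchanger).
write_tinydns_data() {
    root="$1/tinydns/root"
    mkdir -p "$root"
    {
        printf '.%s:%s:a:259200\n' "$DOMAIN" "$EXT_IP"
        printf '.%s:%s:a:259200\n' "$REV_ZONE" "$EXT_IP"
        printf '=mail.%s:%s:86400\n' "$DOMAIN" "$EXT_IP"
        printf '@%s::mail.%s:0:86400\n' "$DOMAIN" "$DOMAIN"
    } > "$root/data"
}

# Makefile as tinydns-conf creates it, plus a 'remote' target that copies the
# compiled data.cdb to the secondary over ssh (the alternative to zone transfers).
write_tinydns_makefile() {
    root="$1/tinydns/root"
    mkdir -p "$root"
    {
        printf 'data.cdb: data\n\t/usr/local/bin/tinydns-data\n\n'
        printf 'remote: data.cdb\n\trsync -az -e ssh data.cdb %s:/etc/tinydns/root/data.cdb\n' "$SECONDARY"
    } > "$root/Makefile"
}

# dnscache: servers/<zone> lists, one IP per line, where queries for that zone
# and everything below it go instead of the root servers; an empty file
# ip/<prefix> admits clients whose dotted address starts with <prefix>.
write_dnscache_config() {
    root="$1/dnscache/root"
    mkdir -p "$root/servers" "$root/ip"
    printf '%s\n' "$EXT_IP" > "$root/servers/$DOMAIN"
    printf '%s\n' "$EXT_IP" > "$root/servers/$REV_ZONE"
    : > "$root/ip/$INT_NET_PREFIX"
}

# The *-conf tools record each daemon's listening address in env/IP; mirror
# that so the two-interface split is visible in the generated tree.
write_listen_addresses() {
    mkdir -p "$1/tinydns/env" "$1/dnscache/env"
    printf '%s\n' "$EXT_IP" > "$1/tinydns/env/IP"
    printf '%s\n' "$INT_IP" > "$1/dnscache/env/IP"
}

build_layout() {
    write_tinydns_data "$1"
    write_tinydns_makefile "$1"
    write_dnscache_config "$1"
    write_listen_addresses "$1"
}

# Demo: build the layout in a scratch directory and show what was produced.
demo_dir=$(mktemp -d)
build_layout "$demo_dir"
find "$demo_dir" -type f | sort
cat "$demo_dir/tinydns/root/data"
```

On a real host the same files would live under /etc/tinydns/root and /etc/dnscache/root, `make` in the tinydns root would compile data into data.cdb, and `make remote` would push it to the secondary; the secondary only needs its own tinydns instance pointed at the copied data.cdb, no axfrdns and no AXFR listener exposed.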