This is called 'split DNS' and is almost a prerequisite for a secure
environment.

>From: "Tony Rall" <[EMAIL PROTECTED]>
>To: "Edward Ingram" <[EMAIL PROTECTED]>
>CC: <[EMAIL PROTECTED]>
>Subject: Re: Which port(s) to allow through for DNS server
>Date: Thu, 12 Apr 2001 18:12:08 -0700
>
>
>Have you looked at your firewall logs to see what might be getting blocked?
>
>To fully support dns you should allow both 53/udp and 53/tcp into your
>nameserver.  (Please, list, let's not argue once again about the need for
>tcp - it's required by the RFCs and some things break if you don't allow
>it.)
>
>And, of course, you must allow the response traffic back out - source port
>53 on your nameserver, any destination port.
>
>You should be aware that running a nameserver this way (inside the
>firewall, but allowing queries from the Internet) exposes your internal
>network more than most of us would accept.  It was just a few weeks ago
>that a bind daemon compromise was found for most then extant versions.
>Better security is obtained by running a separate nameserver on your dmz
>(outside your main firewall).  Yes, such a server is still exposed, but if
>it's compromised the attacker still has to get through the firewall to
>feast on your internal network.
>
>Tony Rall
>
>
>"Edward Ingram" <[EMAIL PROTECTED]>@Lists.GNAC.NET on 2001-04-12 17:42:03
>I have a DNS server inside our firewall.  People outside the firewall
>(Universe) need to access this DNS server to resolve requests.  I've tried
>opening up UDP 53 on the firewall, but requests still aren't going through.
>I know the DNS server is working because it fulfills requests sent to it
>from clients on the inside of the firewall.  Is that the right port to use?
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]


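An added illustration of Tony's point about 53/tcp (example code, not part of the thread): when an answer does not fit in a UDP datagram the server sets the TC bit and the resolver has to re-ask over TCP, where each message carries a 2-byte length prefix; if the firewall only passes 53/udp, that retry silently fails. Transaction IDs, the query name and the two response headers below are constructed sample data.

```python
import struct

# Added example, not from the thread. Shows why 53/tcp must be allowed
# alongside 53/udp: a UDP answer that does not fit comes back with the
# TC (truncated) bit set and a conforming resolver retries over TCP
# (RFC 1035 s4.2.2), where every message gets a 2-byte length prefix.

def build_query(txid, name, qtype=1):
    """Build a minimal standard query (qtype 1 = A, class 1 = IN)."""
    flags = 0x0100  # QR=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(pkt):
    """Decode the 12-byte DNS header (RFC 1035 s4.1.1)."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "tc": (flags >> 9) & 1,    # 1 = truncated, must retry over TCP
        "rcode": flags & 0xF,
        "ancount": an,
    }

def needs_tcp_retry(query, udp_response):
    """True if the UDP answer to `query` was truncated and must be re-asked over TCP."""
    q, r = parse_header(query), parse_header(udp_response)
    if r["id"] != q["id"] or r["qr"] != 1:
        raise ValueError("response does not match query")  # drop stray/spoofed packets
    return r["tc"] == 1

def tcp_frame(msg):
    """Wrap a DNS message for TCP transport: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

# Constructed sample responses (headers only) for transaction ID 0x1234:
# flags 0x8380 = QR|TC|RD|RA (truncated), 0x8180 = QR|RD|RA (complete).
QUERY = build_query(0x1234, "www.example.com")
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    print("truncated -> retry over tcp:", needs_tcp_retry(QUERY, TRUNCATED))
    print("complete  -> retry over tcp:", needs_tcp_retry(QUERY, COMPLETE))
    print("tcp frame prefix:", tcp_frame(QUERY)[:2].hex(), "=", len(QUERY), "bytes")
```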
