Eliyah,

If this DNS server is only for forwarding DNS requests from your
internal network to a DNS server on the internet (ISP DNS server),
you only need to make a rule like:

Internal DNS server    ->   External DNS server  ->   53 / udp   ->   accept

Because Checkpoint uses "stateful inspection" (only from SP2 true stateful
inspection) the traffic should be allowed to come in too (because the
connection is in the firewall's state table).

This should be enough to let your internal DNS server talk to the
external DNS server. In this way someone can't access your internal
DNS server from the internet (which adds some level of security).

There are some known problems when only allowing DNS UDP queries
to go out of your firewall. Although DNS TCP is only for zone transfers,
it is sometimes recommended to allow DNS TCP to go out to your
ISP DNS servers.

I think this will add a nice level of DNS security (not to mention the
security level of your internal DNS server).

Hope this helps.

Regards,

Brenno

> -----Original Message-----
> From: Eliyah Lovkoff [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday 25 April 2001 21:03
> To:   [EMAIL PROTECTED]
> Subject:      Secure DNS setup
> 
> I have 3 NICs on the firewall (CP2000 SP3 on Solaris) - for DMZ, LAN, and
> Public.
> My DNS server resides on the LAN network (not on the DMZ). This DNS server acts as
> a forwarder to the DNS servers on the ISP site.
> I want to secure DNS communications but I'm not sure what is the way to
> set it up...
> 
> First scenario:
> ANY > Internal_DNS > domain-udp > Accept
> Internal_DNS > ANY >domain-udp > Accept
> 
> 1. Is it a correct way to secure DNS communication or is there anything
> else that must be done?
> 2. Should I replace ANY with DNS addresses of ISP servers, thus restricting
> DNS communications to communications between my DNS and ISP's DNS server?
> 3. Should I include domain-tcp also to be able to perform zone transfers
> between my DNS and ISP's?
> 
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
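A small simulation of the stateful rule evaluation described in the reply above, added here as an illustration (it is not from the thread or from Check Point). The addresses, ports and the simplified state-table logic are constructed assumptions; it shows why the single outbound UDP/53 rule lets the ISP's answers back in while unsolicited inbound traffic to the forwarder is dropped, and what the optional TCP rule changes.

```python
from dataclasses import dataclass

# Constructed sample addresses; assumptions, not values from the thread.
INTERNAL_DNS = "10.0.0.53"     # forwarder on the LAN
ISP_DNS = "198.51.100.53"      # ISP resolver on the Internet
OUTSIDE_HOST = "203.0.113.7"   # some other Internet host

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules      # (src, dst, dport, proto, action) tuples
        self.state = set()      # 5-tuples of connections the rule base accepted

    def _rule_action(self, p):
        for src, dst, dport, proto, action in self.rules:
            if (p.src, p.dst, p.dport, p.proto) == (src, dst, dport, proto):
                return action
        return "drop"  # implicit cleanup rule: nothing matched

    def filter(self, p):
        # Reply traffic is matched against the state table, not the rule base.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "accept (state table)"
        action = self._rule_action(p)
        if action == "accept":
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action

def run_scenario(allow_tcp=False):
    rules = [(INTERNAL_DNS, ISP_DNS, 53, "udp", "accept")]
    if allow_tcp:
        rules.append((INTERNAL_DNS, ISP_DNS, 53, "tcp", "accept"))
    fw = StatefulFirewall(rules)
    return {
        "query": fw.filter(Packet(INTERNAL_DNS, 40123, ISP_DNS, 53, "udp")),
        "reply": fw.filter(Packet(ISP_DNS, 53, INTERNAL_DNS, 40123, "udp")),
        # Inbound UDP/53 to the forwarder from an arbitrary host: no state, no rule.
        "unsolicited": fw.filter(Packet(OUTSIDE_HOST, 5555, INTERNAL_DNS, 53, "udp")),
        # Looks like a reply, but the ports match no open query: dropped as well.
        "unmatched_reply": fw.filter(Packet(ISP_DNS, 53, INTERNAL_DNS, 40999, "udp")),
        "tcp_query": fw.filter(Packet(INTERNAL_DNS, 40124, ISP_DNS, 53, "tcp")),
    }
```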