You would recommend running a DNS daemon on the firewall?

That sounds pretty scary to me. Lots of reasons why I would not do this:

The firewall should be locked down as much as humanly possible and all unnecessary system files quarantined. It should be as close to an appliance as you can get it without preventing FW1 from running; this is not very conducive to running other services. If you agree to running DNS on your fw, why not other services like SMTP, FTP, HTTP, etc. etc.? What happens in the case of one of those services being compromised or a system failure (electrical/mechanical etc.)? Do you end up rebuilding your firewall or causing an outage for all those services while you fix it? Putting your eggs in one basket is a sure way to end up with no breakfast.

I think I would prefer using a separate bastion host as DNS server myself.
----- Original Message -----
From: "mouss" <[EMAIL PROTECTED]>
To: "Alvin Oga" <[EMAIL PROTECTED]>
Cc: "Alvin Oga" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 10:26 AM
Subject: Re: fw + dns ( was RE: )
> Hi Alvin,
>
> At 07:00 07/05/01 -0700, Alvin Oga wrote:
>
> >hi ya mouss...
> >
> >just curious.... when you say:
> >
> > > I'll always run DNS on the FW.
>
> I like configuring the FW to respond for the limited public IPs of a domain,
> and configure an internal DNS for insiders, which is slave to the FW's one.
>
> I know people would say, "oh but then you have a possibly vulnerable piece
> of soft on the FW", but then I'll say that it's the only manageable situation
> (compared to having your DNS at your ISP, who is as all ISPs just a sucking
> company trying to get money by giving you connectivity with a pool of
> incompetent people. Well, I hope not all ISPs are like that, but those I
> knew....). Putting the server on a DMZ doesn't change things seriously enough.
>
>
>
> >the reasoning i hear....( and somewhat concur )
> >
> >when anyone on the net wants to find {mail,www}.foo.com...
> >that the folks on the net would find the dns server first
> >than go to the ip# where its directed...
> >
> >- note too that sometimes, people use a secondary DNS server
> > that is not their own...
>
> they should. That was required in the past...
>
>
> >- we also assume, the dns server would not disclose the internal
> > vpn connections etc...
>
> I hope so!
>
>
> >maintaining security for DNS + FW might be easier than
> >maintaining it for 2 different servers ( dns and fw )...
> >esp if it's at different rev levels and/or different vendors ??
> > ( there are many versions/permutations for dns too )
> >
> >for the "linux basics"... ( same == same version/patch level )
> >most all distros run the same kernel, same bind, same libc,
> >same gcc, same "syscall", same bash, same cron, same ssh,
> >same ipchains, etc..etc..
>
> dunno what you mean here. I'd prefer a debian if I have to linux!
> (but that's mostly personal. I don't have enough args to go for a battle
> on that)
>
> >what's different is all the linux distros add/subtract their own
> >tweaks to the "basic cdrom" they distribute
>
> most problems come from the fact that the default install and default software
> are not really meant for a FW but for a "usable" machine. That's normal, since
> there are less FWs than desktop machines.
>
>
> >lots of issues... guess that's the fun of all this stuff
>
> someday there'll be so many FWs based on open source that we'll have nothing
> to say about the underlying OS. for now, we have to keep with "generic" OSes
> (the alternative being going for commercial prods, but they aren't that
> better).
>
> >and yes...one usually makes do with the design/implementation
> >and security of the network...within the budget...and if it's
> >a sitting duck for disaster...time to pass on it and move onto
> >a better client/employer ??
>
> I tend to follow the same approach! if they suck, move on!
>
>
> cheers,
> mouss
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
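Two assumptions run through the thread above: the externally visible DNS (whether it lives on the firewall or on a separate bastion host) answers only for a limited set of public IPs, and it never discloses internal hosts such as the VPN gateway. The script below is an added example, not code from the thread or from any of its participants. It checks both assumptions against a zone file before the zone is loaded: it parses a small subset of BIND master-file syntax and flags A/AAAA records that publish RFC 1918, loopback, link-local or ULA addresses, as well as records whose address falls outside an allowlist of the organisation's public IPs. The domain foo.com, the sample zone and the 203.0.113.0/28 allowlist are all constructed for illustration.

```python
"""Audit a public-facing DNS zone before it is served from the firewall or
bastion host: flag records that publish internal (RFC 1918, loopback,
link-local, ULA) addresses, and records whose addresses fall outside the
small set of public IPs the zone is supposed to answer for.

Added example, not code from the mailing-list thread. The zone contents,
foo.com, and the address allowlist are all constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

# Address ranges that should never appear in an externally visible zone.
# Listed explicitly rather than via ipaddress.is_private, because Python also
# treats the RFC 5737 documentation ranges (used below as "public") as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

# Constructed: the "limited public IPs" this domain is allowed to publish.
ALLOWED_PUBLIC = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed sample zone in BIND master-file syntax (single-line records).
SAMPLE_ZONE = """\
$ORIGIN foo.com.
$TTL 3600
@        IN  SOA  ns1.foo.com. hostmaster.foo.com. ( 2001050701 3600 900 604800 300 )
@        IN  NS   ns1.foo.com.
@        IN  MX   10 mail.foo.com.
ns1      IN  A    203.0.113.2
www      IN  A    203.0.113.10
mail     IN  A    203.0.113.11
vpn-gw   IN  A    10.8.0.1        ; VPN concentrator's inside address: must not leak
intranet 300 IN A 192.168.1.20    ; internal host copied in by mistake
old-www  IN  A    198.51.100.77   ; routable, but not one of our addresses
"""

Record = Tuple[str, str, str]  # (fully qualified name, type, rdata)


def _qualify(name: str, origin: str) -> str:
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str) -> List[Record]:
    """Parse the subset of zone syntax used above: $ORIGIN, $TTL, and one
    record per line with an optional numeric TTL and optional IN class."""
    origin = "."
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        if parts[0] == "$TTL":
            continue
        idx = 1
        if idx < len(parts) and parts[idx].isdigit():  # optional TTL
            idx += 1
        if idx < len(parts) and parts[idx].upper() == "IN":  # optional class
            idx += 1
        rtype = parts[idx].upper()
        rdata = " ".join(parts[idx + 1:])
        records.append((_qualify(parts[0], origin), rtype, rdata))
    return records


def audit_zone(records: List[Record], allowed_public) -> List[Tuple[str, str, str]]:
    """Return (name, address, problem) for every A/AAAA record that either
    exposes an internal address or points outside the allowed public set."""
    findings = []
    for name, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata)
        # 'addr in net' is False when the address family differs, so mixing
        # IPv4 and IPv6 networks in the lists is safe.
        if any(addr in net for net in INTERNAL_NETS):
            findings.append((name, rdata, "internal address published"))
        elif not any(addr in net for net in allowed_public):
            findings.append((name, rdata, "address outside public allowlist"))
    return findings


if __name__ == "__main__":
    for name, addr, problem in audit_zone(parse_zone(SAMPLE_ZONE), ALLOWED_PUBLIC):
        print(f"{problem}: {name} -> {addr}")
```

Run against the sample zone it reports three problems: vpn-gw and intranet publish internal addresses, and old-www points at a routable address that is not in the allowlist. The internal ranges are enumerated by hand on purpose: Python's `is_private` also classifies the RFC 5737 documentation ranges used here as private, which would make every "public" sample address look like a leak. For a real zone, replace the allowlist with the organisation's actual public prefixes and run the check on the master before each reload.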