hi carl

you have secondary dns if the primary dns machine dies...

you usually don't have a secondary firewall... if it dies...
so you are still sol till you fix the firewall

I dont necessarily recommend dns to run on the firewall
except when absolutely needed
        ( when i am forced to have only 2 servers...
        ( and one has to be a firewall... the other server
        ( would be internally accessed only..

your question...if we allow dns on the fw,
why NOT other services like smtp, httpd, ftp ???
        - because....those protocols are NOT required to 
        find the domain called foo.com and direct incoming
        queries to the proper servers
                - first you hit the dns server...then the firewall

                - take away the primary and secondary dns
                and nobody will find your firewall

        - it'd be really foolish to add those other services
        to the firewall

        - it'd be equally foolish to have "open" firewall rules
        as is some of the stuff i've seen/heard on the fw 
        acting as if there was no firewall 'cause they didn't
        configure it correctly

if they only have the budget/"upper management" for 2 systems...
my comments would be:
        - server1: firewall + dns
        - server2: email/web/pop/etc internal to the firewall

        - i usually add...don't you have some 486 box that we
        can make into a fw and another to be the dns server...
                and use server1 for backups...

remember...you cannot find the firewall till you first find
the primary or secondary dns...
        - primary dns should be the same level of lockdown
        as a firewall or the loghost machines

i prefer one server per major function...but one does not
always get the $$$ or the time to properly maintain um all
        - firewall by itself
        - dns by itself
        - loghost by itself
        - email by itself
        - web by itself
        - home server by itself
        - ssh/authentication server
        - db server by itself
        - pop3 server by itself
        - ppp server by itself
        - ftp server by itself
        - backup server by itself ( full and separate incremental )
        - etc..etc...

        - now how many of us all have these happily separated servers...

        "itself" -->> no other services running
        ( it should be separated for various reasons...

have fun
alvin


On Mon, 7 May 2001, Carl E. Mankinen wrote:

> You would recommend running DNS daemon on the firewall?
> 
> That sounds pretty scary to me. Lots of reasons why I would not do this:
> 
> Firewall should be locked down as much as humanly possible and all unnecessary
> system files quarantined. It should be as close to an appliance as you can get
> it without preventing FW1 from running, this is not very conducive to running
> other services. If you agree to running DNS on your fw, why not other services
> like SMTP, FTP, HTTP, etc etc?
> 
> What happens in the case of one of those services being compromised or a system
> failure (electrical/mechanical etc) ? Do you end up rebuilding your firewall or
> causing an outage for all those services while you fix it? Putting your eggs in
> one basket is a sure way to end up with no breakfast.
> 
> I think I would prefer using separate bastion host as DNS server myself.
> 
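An added audit script, not part of this thread, that checks alvin's "itself" rule (no other services running) by comparing a host's listening sockets against the set its role should expose, so a firewall + dns box that has quietly grown smtp or httpd gets flagged. The role allowlists, the `ss -Hlntu` line layout and the sample listing are assumptions/constructed for the example.

```python
"""Audit a host's listening sockets against its intended role.

Roles follow the one-server-per-function list in the mail: a "dns"
box should expose nothing but DNS (plus ssh for admin, an assumption).
The socket listing is constructed here in the layout of `ss -Hlntu`
output: proto state recv-q send-q local-addr:port peer-addr:port.
"""
from collections import namedtuple

# Role -> set of (proto, port) the role may listen on (assumed allowlists).
ROLE_ALLOW = {
    "dns": {("udp", 53), ("tcp", 53), ("tcp", 22)},
    "firewall+dns": {("udp", 53), ("tcp", 53), ("tcp", 22)},
    "loghost": {("udp", 514), ("tcp", 22)},
}

Listener = namedtuple("Listener", "proto addr port")


def parse_ss(text):
    """Parse ss-style lines into Listener tuples; skip malformed lines."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles [::]:80 too
        if port.isdigit():
            out.append(Listener(proto, addr, int(port)))
    return out


def audit(role, listeners, loopback_ok=True):
    """Return listeners the role should not have. Loopback-only sockets
    are ignored unless loopback_ok is False (strict bastion policy)."""
    allowed = ROLE_ALLOW[role]
    return [l for l in listeners
            if not (loopback_ok and l.addr in ("127.0.0.1", "[::1]"))
            and (l.proto, l.port) not in allowed]


# Constructed sample: a firewall + dns box that also grew smtp and httpd.
SAMPLE = """\
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128    [::]:80            [::]:*
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
"""

if __name__ == "__main__":
    for v in audit("firewall+dns", parse_ss(SAMPLE)):
        print(f"unexpected {v.proto}/{v.port} bound on {v.addr}")
```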

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]