Running a caching DNS server on a firewall is a perfectly valid
architecture. It's called an "Application Level Gateway", remember?
Don't tar all DNS implementations with BIND's brush.
The same goes for SMTP, FTP and HTTP. Running those services on a firewall
(as secure proxies) is a good architecture. If your firewall consists of
several different physical boxes, with one box per service and a service
manager box that just redirects connections to the appropriate proxy, then
all the better.
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
[...]
> DNS is an exploitable service. Putting it on the firewall makes
> for a firewall you can't trust.
>
> David Gillett
[...]
> > On Mon, 7 May 2001, Carl E. Mankinen wrote:
> > > If you agree
> > > to running DNS on your fw, why not other services like
> SMTP, FTP, HTTP, etc etc?
[...]