Brian,

The purpose of putting a machine in your DMZ is that it's segregated from the rest of your trusted machines; if any of your DMZ machines get "hacked", the impact to your internal resources is minimal. No one who compromises your DNS server, if it's in the DMZ, has a "jumping-off point" to your inside network.

If you want to run a globally-accessible DNS server inside, there's really nothing stopping you other than needing a static mapping of your internal IP address and a conduit or (if you're running Finesse 5.0? or above) an ACL. If you put the server in the DMZ or the inside, the access list would be the same:

    access-list acl-outside permit tcp any host static.outside-address.of.DNS-server eq domain
    access-list acl-outside permit udp any host static.outside-address.of.DNS-server eq domain
    ...<any other permit rules for services running on this box>...
    access-list acl-outside deny ip any host static.outside-address.of.DNS-server

Those are just my thoughts on this, though. Anyone with better ideas is welcome to chime in. :)

Chris Swinford
Long-time lurker, first time writer... :-P

-----Original Message-----
From: Brian Guild [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 2:39 PM
To: [EMAIL PROTECTED]
Subject: Setting up a BIND DNS server behind a PIX525

Guys,

What are the advantages of setting up a DNS server on a DMZ network of the firewall? Why can't I set up a statement which allows me to run the DNS server from an "inside" interface?

Thanks,
Brian

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
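As an added illustration (not part of Chris's reply or the original thread), here is a minimal PIX 6.x-style configuration that puts the pieces together: the static mapping, the outside ACL Chris sketches, and an ACL on the DMZ interface that enforces the "no jumping-off point" property he describes. The interface names, the inside network 10.0.0.0/8, the DMZ network 192.168.10.0/24 and the public address 203.0.113.53 (an RFC 5737 documentation range) are all constructed placeholders; comments are marked with a leading colon, the form a saved PIX configuration uses.

```cisco
: Constructed example; interface names and all addresses are placeholders.
: outside = security0, inside = security100, dmz = security50.
nameif ethernet2 dmz security50
ip address dmz 192.168.10.1 255.255.255.0

: Public-to-private mapping for the DNS server living in the DMZ.
: If the server were on the inside instead, only this line changes, e.g.
:   static (inside,outside) 203.0.113.53 10.0.0.53 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.53 192.168.10.53 netmask 255.255.255.255 0 0

: What the Internet may send to the server: DNS over TCP and UDP, nothing else.
: The explicit deny keeps later, broader permits from silently exposing it.
access-list acl-outside permit tcp any host 203.0.113.53 eq domain
access-list acl-outside permit udp any host 203.0.113.53 eq domain
access-list acl-outside deny ip any host 203.0.113.53
access-group acl-outside in interface outside

: What the DMZ host itself may initiate. Once an ACL is bound to the dmz
: interface, only the permitted flows pass: nothing toward the inside
: network, and outward only DNS (recursion, forwarding, zone transfers).
: A compromised server therefore has no path to trusted hosts.
access-list acl-dmz deny ip host 192.168.10.53 10.0.0.0 255.0.0.0
access-list acl-dmz permit udp host 192.168.10.53 any eq domain
access-list acl-dmz permit tcp host 192.168.10.53 any eq domain
access-list acl-dmz deny ip any any
access-group acl-dmz in interface dmz
```

The outside ACL is identical whether the server sits in the DMZ or on the inside, which is Chris's point; what the DMZ placement buys you is the second ACL, since an inside host cannot be fenced off from the rest of the inside network by the firewall at all.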
