On 22 Mar 2002, at 14:38, Brian Guild wrote:
> Guys,
>
> What are the advantages of setting up a DNS server on a DMZ
> network of the firewall? Why can't I set up a statement which
> allows me to run the DNS server from an "inside" interface?
>
> Thanks,
>
> Brian
Others have already addressed the difference between inside and
DMZ.
Another factor you might want to consider, though, is whether you
want to provide the same DNS information to inside users and to the
whole world:
1. You may have machines on your inside network that you only want
internal users to know about.
2. You may be using NAT between your internal network and the
outside, so even servers you *do* want to advertise may be
reachable by a different address depending on where the client
is. (You might choose to use a different zone for internal
addresses -- there are arguments both for and against this.)
Also recall that DNS primarily uses UDP, which is a preferred
vector for DDoS attacks. You might prefer to have your externally-
visible DNS server(s) somewhere else than behind the gateway your
users rely on; many colo providers will host DNS for their
customers....
DG
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
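The split-horizon arrangement DG describes (one answer for inside users, another for the world, and no recursion for outsiders), as an added example that is not part of the original thread. DG's mail does not name a DNS server; this assumes BIND 9, and the zone `example.com`, the inside network 10.0.0.0/8 behind NAT, the public range 192.0.2.0/24, and a web server that is 10.0.0.25 inside and 192.0.2.25 outside are all assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lays down a split-horizon ("two view")
# BIND 9 configuration so inside clients and the outside world get different
# answers for the same zone.
#
# Assumed for illustration: zone example.com, inside net 10.0.0.0/8 (RFC 1918,
# NAT'd), public range 192.0.2.0/24, and one web server that is 10.0.0.25
# inside and 192.0.2.25 outside. Run it, then point named at "$dir/named.conf".

set -eu

write_split_dns_config() {   # write_split_dns_config <dir>
    dir="$1"
    mkdir -p "$dir"

    # named.conf: one ACL, two views. Inside clients get the full zone and
    # recursion; everyone else gets the public zone, authoritative only.
    cat > "$dir/named.conf" <<EOF
acl "inside" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "$dir";
    recursion no;               // default for any view that does not override it
    allow-transfer { none; };
};

view "internal" {
    match-clients { "inside"; };   // views are tried in order, so this comes first
    recursion yes;
    allow-recursion { "inside"; };
    zone "example.com" {
        type master;
        file "example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;               // never an open resolver: no UDP amplification for someone else's DDoS
    rate-limit { responses-per-second 10; };   // response rate limiting, BIND 9.10 or later
    zone "example.com" {
        type master;
        file "example.com.external";
    };
};
EOF

    # Internal zone: inside addresses, plus a name only insiders should know.
    cat > "$dir/example.com.internal" <<EOF
\$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. (
             2002032201 ; serial
             3600 1800 1209600 3600 )
         IN NS  ns1.example.com.
ns1      IN A   10.0.0.53
www      IN A   10.0.0.25
intranet IN A   10.0.0.40
EOF

    # External zone: the NAT'd public addresses only, and no intranet record.
    cat > "$dir/example.com.external" <<EOF
\$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. (
             2002032201 ; serial
             3600 1800 1209600 3600 )
         IN NS  ns1.example.com.
ns1      IN A   192.0.2.53
www      IN A   192.0.2.25
EOF
}

# Shows the "two answers for one name" property without running named:
# prints the A record for a label as each view's zone file would serve it.
answer_for() {   # answer_for <dir> <internal|external> <label>
    awk -v name="$3" '$1 == name && $3 == "A" { print $4 }' "$1/example.com.$2"
}

write_split_dns_config "${1:-${TMPDIR:-/tmp}/split-dns-example}"
```

Use an absolute path for the directory, since named reads `directory` relative to its own working directory. If you prefer DG's alternative of a separate zone for internal names rather than two copies of `example.com`, keep the two views but give the internal view its own zone name; the external view then carries only what the world should see. The `rate-limit` line is a modern mitigation for the UDP reflection concern DG raises and can be dropped on BIND releases before 9.10.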