On Fri, 22 Mar 2002, Brian Guild wrote:

> Guys,
>
> What are the advantages of setting up a DNS server on a DMZ network of the

The advantage of separating a highly abused service from your internal network.

> firewall? Why can't I set up a statement which allows me to run the DNS
> server from an "inside" interface?

You can, however firewalls protect based on what they block, not on what they allow, so you're negating the value of having a firewall.

As a general rule of thumb, machines that allow public access belong in either a service network, or a DMZ. Doing anything else is inviting fairly simple compromise of your internal network if the service is running on a general-purpose operating system. Ask yourself how you'd protect the network from an in-band compromise if the service were vulnerable.

Historically, BIND 4 and BIND 8 are in the running for most abused *nix attack vectors (top 3 when combined), and we've seen worms exploit them before (making the threat rate higher than if it were just for human-driven attacks.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
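A worked illustration of the placement argument above (added here, not part of the original post or the list archive): a tiny default-deny zone-policy model, with constructed rule sets for the two designs Brian asks about, shows what a compromised DNS host could still reach in each case. Zone names, ports and rules are assumptions chosen for the example.

```python
"""Model of the DMZ-vs-inside argument: what a compromised public DNS host
can reach under a default-deny firewall. Constructed example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # zone the flow originates in
    dst: str     # zone it is going to
    port: int    # destination port; 0 = any port
    allow: bool

def first_match(rules, src, dst, port):
    """Action of the first matching rule; default deny (the firewall
    protects by what it blocks). Intra-zone traffic never hits the firewall."""
    if src == dst:
        return True
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (0, port):
            return r.allow
    return False

def reachable(rules, zones, ports, src):
    """Every (zone, port) a host in zone `src` can open a flow to."""
    return {(dst, p) for dst in zones for p in ports
            if first_match(rules, src, dst, p)}

ZONES = ("internet", "inside", "dmz")
PORTS = (53, 25, 445, 3306)          # assumed sample of services to probe

# Design A (assumed): DNS on the inside, port 53 punched through from outside.
INSIDE_DNS = [
    Rule("internet", "inside", 53, True),
    Rule("inside", "internet", 0, True),
]
# Design B (assumed): DNS in a DMZ; nothing from the DMZ may enter the inside.
DMZ_DNS = [
    Rule("internet", "dmz", 53, True),
    Rule("dmz", "internet", 53, True),   # outbound recursion / transfers only
    Rule("inside", "internet", 0, True),
    Rule("inside", "dmz", 53, True),     # internal clients query the DMZ resolver
]

def exposure_after_compromise(rules, dns_zone):
    """The in-band reach of an attacker who now owns the DNS host."""
    return reachable(rules, ZONES, PORTS, dns_zone)

if __name__ == "__main__":
    print("inside:", sorted(exposure_after_compromise(INSIDE_DNS, "inside")))
    print("dmz:   ", sorted(exposure_after_compromise(DMZ_DNS, "dmz")))
```

With the server inside, the compromised host sees every internal port because the firewall never mediates same-zone traffic; in the DMZ design it reaches only its DMZ neighbours and outbound port 53.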
