On Fri, Oct 13, 2000 at 07:08:55AM -0400, Goodwin, Russell wrote:
:
: I would say that if the External DNS will be on the NT platform then you
: should...
:
: 1) Certainly not put it in a domain.
: 2) Disable all services possible, Server, Workstation, NetBIOS helper, LM
: Security Support Provider, Computer Browser, etc.
: 3) Unbind the WINS client from the Adaptor.
Agreed. Here's my cookbook for safe DNS usage:
Two DNS servers, one in a DMZ, (at least) one on your internal LAN.
The server in the DMZ will answer all external queries for zones it is
authoritative for, assuming you provide your own DNS services. This DNS
server NEVER, EVER, DON'T EVEN THINK ABOUT IT IN A MILLION YEARS queries
the internal DNS servers. The only records in the zone files are ones that
are *required* to do business. This includes things like:
A records for web/ftp/mail/etc. servers that need to be accessed from outside
MX records
That's it.
The internal DNS server will also contain an authoritative zone for
"yourcompany.com". The internal zone contains all of your DNS records.
It forwards queries it does not have cached to the DNS server in the DMZ.
The internal DNS server NEVER has any direct contact with the outside
world.
Yes, you have to maintain two sets of zone files, but the external DNS
zone file is minimal, and probably not more than 5-10 records. The
inconvenience is worth it.
--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur. (Whatever is said in Latin sounds profound.)
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
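The two-server layout Jason describes, written out as BIND 9 configuration. This is an added example, not part of the original post and not Jason's own files. The addresses (192.0.2.0/24 as the public/DMZ range, 10.0.0.0/8 as the internal LAN, 10.0.0.10 as the internal server), host names and file paths are assumptions chosen for illustration. One detail the post leaves implicit: because the internal server forwards everything it is not authoritative for to the DMZ server, the DMZ server must be willing to recurse for that one client, so the example allows recursion only from the internal server's address and refuses it for everyone else.

```conf
// ======================================================================
// DMZ (external) server: /etc/named.conf
// Serves the public zone to the world. Recursion is allowed only for the
// internal server, so outsiders can ask about yourcompany.com and nothing
// else. This box never forwards to, and has no route to, the internal DNS.
// ======================================================================
acl "internal-dns" { 10.0.0.10; };        // assumed address of internal server

options {
    directory "/var/named";
    allow-query     { any; };             // anyone may ask about our public zone
    recursion yes;
    allow-recursion { internal-dns; };    // recursive lookups for internal DNS only
    allow-transfer  { none; };            // no AXFR; list real secondaries explicitly
    version "none";                       // do not advertise the BIND version
};

zone "yourcompany.com" {
    type master;
    file "external/yourcompany.com.zone";
};

// /var/named/external/yourcompany.com.zone -- the public view, minimal
; only what outsiders need to reach us: nameserver, mail, public hosts
$TTL 3600
@       IN  SOA  ns1.yourcompany.com. hostmaster.yourcompany.com. (
                 2000101301 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-cache TTL
        IN  NS   ns1.yourcompany.com.
        IN  MX   10 mail.yourcompany.com.
ns1     IN  A    192.0.2.10     ; assumed DMZ addresses
www     IN  A    192.0.2.20
ftp     IN  A    192.0.2.20
mail    IN  A    192.0.2.30

// ======================================================================
// Internal server: /etc/named.conf
// Authoritative for the full internal zone. "forward only" plus a single
// forwarder means it never contacts the root servers or any other outside
// host itself; every non-local answer comes via the DMZ server.
// ======================================================================
acl "lan" { 10.0.0.0/8; localhost; };      // assumed internal range

options {
    directory "/var/named";
    allow-query     { lan; };             // LAN clients only
    recursion yes;
    allow-recursion { lan; };
    allow-transfer  { none; };
    forward only;                         // never fall back to iterative lookups
    forwarders      { 192.0.2.10; };      // the DMZ server, and nothing else
};

zone "yourcompany.com" {
    type master;                          // answered locally, never forwarded
    file "internal/yourcompany.com.zone";
};

// /var/named/internal/yourcompany.com.zone -- full internal view
; same public names, plus everything the LAN needs and outsiders must not see
$TTL 3600
@       IN  SOA  ns-int.yourcompany.com. hostmaster.yourcompany.com. (
                 2000101301 3600 900 604800 300 )
        IN  NS   ns-int.yourcompany.com.
        IN  MX   10 mail.yourcompany.com.
ns-int  IN  A    10.0.0.10
www     IN  A    192.0.2.20
mail    IN  A    192.0.2.30
fileserver IN A  10.0.1.5                 ; internal-only records live here
payroll    IN A  10.0.1.6
```

To check the split after loading: from outside, `dig @192.0.2.10 www.yourcompany.com` should answer, while `dig @192.0.2.10 www.example.org` should come back REFUSED (no recursion for that client); from the LAN, `dig @10.0.0.10 fileserver.yourcompany.com` and `dig @10.0.0.10 www.example.org` should both answer, and a packet capture on the internal server should show its only outbound DNS traffic going to 192.0.2.10. If the DMZ server's firewall rules also block it from initiating anything toward the internal network, the "never queries the internal servers" rule is enforced rather than merely configured.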