I'm setting up a home firewall, intended to (try to) protect "client" machines (mostly family members' MS-Windoze laptops) from misc internet threats. I have a couple of questions about how best to handle DNS on/through the firewall:
The firewall runs 4.2-stable, and has 2 network interfaces, one for the inside (protected) network, and one to talk to the Big Bad Internet. More precisely, the outside interface goes to an ISP-supplied ADSL modem/router box, which gives out addresses & DNS-server-addresses via DHCP. The firewall uses pf (with "scrub in all") to NAT traffic between the interfaces; its ruleset blocks everything except for connections initiated by inside machines.

My plan is to have the firewall run its own dhcpd on its inside interface, giving out private client addresses in the 192.168.0.0/16 address range. (This way clients can be kept at the same MS-Windoze "configure everything automagically" DHCP settings they would use elsewhere.)

The purpose of this message is to ask for advice on how to handle DNS on the firewall. I can see two basic options:

(a) When the firewall boots, after the outside network is configured (via /etc/rc running dhclient) a shell/grep/perl script on the firewall copies the DNS server addresses from /etc/resolv.conf into /etc/dhcpd.conf, and only then does the firewall start its dhcpd on the inside interface. dhcpd will then hand out the (ISP-provided) DNS server addresses to clients at the same time it gives them their local addresses, causing the clients to directly query my ISP's DNS servers.

(b) The firewall's dhcpd is configured to tell clients that the firewall itself is a DNS server. The firewall also runs a DNS proxy (e.g. /usr/ports/net/totd or /usr/ports/www/squid,transparent). Clients then query the firewall as a DNS server, and the firewall (i.e. OpenBSD's resolver(3) routines in libc) queries my ISP's DNS servers as needed, and (via the DNS proxy) passes the results back to clients.

(b) looks a bit harder to set up on the firewall (I need to configure the DNS proxy, whereas (a) just has to allow DNS traffic in /etc/pf.conf). On the other hand, (b) also looks a bit more secure, because only OpenBSD's resolver(3) routines are exposed to the outside world, not the clients' resolvers. For the same reason, I suspect (b) might also be a little less vulnerable to DNS cache-poisoning attacks.

Questions:

* Are there other (significant) advantages/disadvantages of (a) vs (b) that I haven't thought of?
* Are there other design options that I haven't thought of?
* What do other people do about DNS in firewalled home networks?

thanks for any advice, wisdom, tips-n-tricks, etc,

--
Jonathan Thornburg (remove -animal to reply) <[EMAIL PROTECTED]>
School of Mathematics, U of Southampton, England
"Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam
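The "shell/grep/perl script" that option (a) relies on, written out as an added example (this is not code from the original post or from OpenBSD): it reads the nameserver lines dhclient wrote to resolv.conf and emits the matching `option domain-name-servers` line for dhcpd.conf. The resolv.conf path and the sample addresses are constructed for the example; the real script would be run from /etc/rc.local (assumed here) after dhclient has finished and before dhcpd is started. Two details matter from a hardening point of view: only well-formed IPv4 dotted quads are copied, so a stray or malformed line in resolv.conf cannot inject arbitrary text into dhcpd.conf, and the function fails non-zero when no nameserver was found, so the boot script can refuse to start dhcpd rather than hand clients an empty option.

```shell
#!/bin/sh
# Added example for option (a): turn dhclient's resolv.conf into a dhcpd
# "option domain-name-servers" line. Not from the original post.

# Print a comma-separated list of the IPv4 nameserver addresses in file $1.
# Comments, "search"/"domain" lines and anything that is not a dotted quad
# (including IPv6 entries, which ISC dhcpd's domain-name-servers option
# does not accept) are ignored, so resolv.conf contents cannot smuggle
# arbitrary text into dhcpd.conf.
resolv_nameservers() {
    awk '/^nameserver[ \t]+/ && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { a[n++] = $2 }
         END { for (i = 0; i < n; i++) printf "%s%s", (i ? "," : ""), a[i]; printf "\n" }' "$1"
}

# Emit the dhcpd.conf option line for the addresses found in file $1.
# Returns 1 (and prints nothing) if no usable nameserver was found, so a
# boot script can decide not to start dhcpd at all.
dhcpd_dns_option() {
    ns=$(resolv_nameservers "$1")
    [ -n "$ns" ] || return 1
    printf 'option domain-name-servers %s;\n' "$ns"
}

# Constructed sample of what dhclient might have written to /etc/resolv.conf
# (documentation addresses, not real resolvers).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Generated by dhclient
search example.net
nameserver 203.0.113.53
nameserver 203.0.113.54
nameserver 2001:db8::53
EOF

# Stand-alone run: prints
#   option domain-name-servers 203.0.113.53,203.0.113.54;
dhcpd_dns_option "$sample"
rm -f "$sample"
```

In the real boot sequence the printed line would be appended to the inside-subnet block of /etc/dhcpd.conf (or substituted into a template) and dhcpd started only if `dhcpd_dns_option` succeeded.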