I'm setting up a home firewall, intended to (try to) protect "client"
machines (mostly family members' MS-Windoze laptops) from misc internet
threats.  I have a couple of questions about how best to handle DNS
on/through the firewall:

The firewall runs 4.2-stable, and has 2 network interfaces, one for the
inside (protected) network, and one to talk to the Big Bad Internet.
More precisely, the outside interface goes to an ISP-supplied ADSL
modem/router box, which gives out addresses & DNS-server-addresses
via DHCP.  The firewall uses pf (with "scrub in all") to NAT traffic
between the interfaces; its ruleset blocks everything except for
connections initiated by inside machines.

My plan is to have the firewall run its own dhcpd on its inside interface,
giving out private client addresses in the 192.168.0.0/16 address range.
(This way clients can be kept at the same MS-Windoze "configure everything
automagically" DHCP settings they would use elsewhere.)

The purpose of this message is to ask for advice on how to handle
DNS on the firewall.  I can see two basic options:
(a) When the firewall boots, after the outside network is configured
    (via /etc/rc running dhclient) a shell/grep/perl script on the
    firewall copies the DNS server addresses from /etc/resolv.conf
    into /etc/dhcpd.conf, and only then does the firewall start its
    dhcpd on the inside interface.  dhcpd will then hand out the
    (ISP-provided) DNS server addresses to clients at the same time
    it gives them their local addresses, causing the clients to
    directly query my ISP's DNS servers.
(b) The firewall's dhcpd is configured to tell clients that the
    firewall itself is a DNS server.  The firewall also runs a DNS
    proxy (e.g. /usr/ports/net/totd or /usr/ports/www/squid,transparent).
    Clients then query the firewall as a DNS server, and the firewall
    (i.e. OpenBSD's resolver(3) routines in libc) queries my ISP's
    DNS servers as needed, and (via the DNS proxy) passes the results
    back to clients.

(b) looks a bit harder to set up on the firewall (I need to configure
the DNS proxy whereas (a) just has to allow DNS traffic in /etc/pf.conf).
On the other hand, (b) also looks a bit more secure, because only
OpenBSD's resolver(3) routines are exposed to the outside world, not
the clients' resolvers.  For the same reason, I suspect (b) might also
be a little less vulnerable to DNS cache-poisoning attacks.

Questions:
* Are there other (significant) advantages/disadvantages of (a) vs (b)
  that I haven't thought of?
* Are there other design options that I haven't thought of?
* What do other people do about DNS in firewalled home networks?

thanks for any advice, wisdom, tips-n-tricks, etc,

-- 
-- Jonathan Thornburg (remove -animal to reply) <[EMAIL PROTECTED]>
   School of Mathematics, U of Southampton, England
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam

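The boot-time step described in option (a), copying the nameservers that dhclient wrote into /etc/resolv.conf into dhcpd's configuration and only then starting dhcpd on the inside interface, as an added example that is not part of the original post. It assumes a template file /etc/dhcpd.conf.in carrying the token @DNS_SERVERS@, an inside interface named em1, and dhcpd being started as /usr/sbin/dhcpd em1; those are my assumptions, not something the post states. The script accepts only well-formed IPv4 dotted quads, so a malformed nameserver line from the ISP can never become syntax inside dhcpd.conf, and it refuses to start dhcpd when no usable server was found rather than handing clients an empty list.

```shell
#!/bin/sh
# Added example (not from the original post): build dhcpd's
# "option domain-name-servers" line from the nameservers dhclient wrote into
# resolv.conf, render dhcpd.conf from a template, then start dhcpd.
# Assumed (not stated in the post): template /etc/dhcpd.conf.in containing
# the token @DNS_SERVERS@, inside interface em1, dhcpd started as
# "/usr/sbin/dhcpd em1".

# Print the IPv4 nameserver addresses found in a resolv.conf-style file,
# one per line. Only dotted quads with every octet in 0..255 pass; anything
# else is silently dropped so it cannot be written into dhcpd.conf.
resolv_nameservers() {
    awk '
        $1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($2, o, ".")
            ok = 1
            for (i = 1; i <= n; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok) print $2
        }' "$1"
}

# Emit "option domain-name-servers a, b;" for the servers in $1.
# Returns 1 (and prints nothing) when no usable server was found.
dns_option_line() {
    servers=$(resolv_nameservers "$1" |
        awk 'NR > 1 { printf ", " } { printf "%s", $0 }')
    [ -n "$servers" ] || return 1
    printf 'option domain-name-servers %s;\n' "$servers"
}

# Render the template ($1) into dhcpd.conf ($2) using resolv.conf ($3).
# The file is only written when a valid server list exists.
render_dhcpd_conf() {
    line=$(dns_option_line "$3") || return 1
    sed "s|@DNS_SERVERS@|$line|" "$1" > "$2"
}

# Boot-time sequence for option (a): resolv.conf has already been populated
# by dhclient, so render the config and only then start dhcpd inside.
start_inside_dhcpd() {
    render_dhcpd_conf /etc/dhcpd.conf.in /etc/dhcpd.conf /etc/resolv.conf || {
        echo "no usable nameserver in /etc/resolv.conf; not starting dhcpd" >&2
        return 1
    }
    /usr/sbin/dhcpd em1
}

# Self-contained demonstration on a constructed resolv.conf (not a real ISP
# file): two valid servers, one out-of-range octet, one non-address.
# Prints the rendered dhcpd.conf and returns 0 when rendering succeeded.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/resolv.conf" <<'EOF'
# constructed sample of what dhclient writes
search example.invalid
nameserver 10.0.0.53
nameserver 999.1.1.1
nameserver 10.0.1.53
nameserver not-an-address
EOF
    printf 'subnet 192.168.0.0 netmask 255.255.255.0 {\n  @DNS_SERVERS@\n}\n' \
        > "$d/dhcpd.conf.in"
    render_dhcpd_conf "$d/dhcpd.conf.in" "$d/dhcpd.conf" "$d/resolv.conf"
    rc=$?
    [ "$rc" -eq 0 ] && cat "$d/dhcpd.conf"
    rm -rf "$d"
    return "$rc"
}

# Usage on the firewall, after dhclient has configured the outside interface:
#   . /etc/dhcpd-from-resolv.sh && start_inside_dhcpd
```

Keeping dhcpd.conf as a template means the generated file can be thrown away and regenerated every boot, and the rendering step fails closed: if the ISP's DHCP lease arrives without nameservers, clients simply get no lease until the problem is noticed, instead of a lease with no resolver.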