On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard <n...@foobar.org> wrote:
> On 18/01/2012 14:18, Leigh Porter wrote:
>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>> as it is not *my* firewalls I really don't care what they do ;-)
>
> As you're posting here, it looks like it's become your problem. :-D
>
> Seriously, though, there is no value to maintaining state for DNS queries.
> You would be much better off to put your firewall production interfaces on
> a routed port on a hardware router so that you can implement ASIC packet
> filtering. This will operate at wire speed without dumping you into the
> colloquial poo every time someone decides to take out your critical
> infrastructure.
I get the feeling that Leigh had implemented this against his own advice for a client... that he's on board with the 'putting a firewall in front of a DNS server is dumb' meme...
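Hilliard's point, that DNS traffic gains nothing from connection tracking and that a state table is exactly what an attacker exhausts, can be shown in software as well as on a hardware ACL. The ruleset below is an added example written for this page, not anything either poster ran, and it uses nftables rather than the router ASIC filtering he describes. It assumes an authoritative server at the constructed address 192.0.2.53 (RFC 5737 documentation range), so all DNS traffic is queries in to port 53 and responses out from port 53. DNS packets are exempted from conntrack with `notrack` in a raw-priority chain and then permitted with plain per-packet matches, so a flood of spoofed queries never creates state; everything else keeps the usual stateful handling.

```nftables
# Added example: stateless handling of DNS traffic to an authoritative server.
# Hypothetical server address 192.0.2.53 (constructed, RFC 5737 range).
table inet dns_edge {

    # Raw priority runs before conntrack: packets marked notrack never get
    # a state entry, so a query flood cannot fill the conntrack table.
    chain no_state {
        type filter hook prerouting priority raw; policy accept;
        ip daddr 192.0.2.53 udp dport 53 notrack
        ip daddr 192.0.2.53 tcp dport 53 notrack
        ip saddr 192.0.2.53 udp sport 53 notrack
        ip saddr 192.0.2.53 tcp sport 53 notrack
    }

    # Forward chain: DNS is matched per packet with no "ct state" keyword,
    # so the verdict never depends on a conntrack lookup. Untracked packets
    # would not match "established,related", hence the explicit accepts
    # must come first. Everything else is still stateful.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept
        ip saddr 192.0.2.53 udp sport 53 accept
        ip saddr 192.0.2.53 tcp sport 53 accept
        ct state established,related accept
        ct state invalid drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; after some queries, `conntrack -L` should show no entries involving port 53 on 192.0.2.53. The trade-off is the one Hilliard is making: the filter no longer distinguishes a genuine reply from a spoofed packet on these ports, and relies on the server itself to discard junk, in exchange for a filter whose cost per packet is constant under attack.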