I just recently purchased a copy of Bellovin and Cheswick's book. I
also saw a summarization in the 3rd chapter about the way Brent Chapman
sets up a DNS on the firewall to allow queries to work in both directions.
Now, suppose I replace the DNS on the firewall with a cache-only DNS that
has the initial cache file set to the Internet roots, but have the other
files set up in the same fashion. The Internet DNS data would then be
stored on the network provider's DNS, so all I would need to do is run a
cache-only server. I don't know if this is a wise move or not, but would
like to consider it as a valid configuration practice.
Also, I am considering using a dual-homed host in the design of the
basic firewall, and would also like to use a packet filter to front the
exposed network interface. (Whether or not this has anything to do with
DNS leakage of internal hosts information is another sub-issue.)
Does this open the firewall to more danger?
Thanks in advance,
Thomas A. Endo (tendo @
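The caching-only setup the post describes, written out as a BIND configuration. This is an added example, not text from the original message, from the Cheswick and Bellovin book, or from Chapman's design. It assumes BIND 9 named.conf syntax (the post predates it; the same arrangement in BIND 4 would be a named.boot with a "cache . named.root" line) and hypothetical addresses: 10.0.0.0/8 for the inside network, 10.1.1.1 for the firewall's inside interface, and 192.0.2.53 and 192.0.2.54 for the provider's resolvers.

```conf
// named.conf for a caching-only resolver on the firewall host.
// Added example, not from the original post or the book it cites.
// Assumes BIND 9 syntax; all addresses below are hypothetical.
options {
    directory "/var/named";

    // Serve the inside only. The dual-homed host must not become an
    // open resolver on its exposed interface, so bind to the inside
    // address and limit both queries and recursion to inside clients.
    listen-on { 127.0.0.1; 10.1.1.1; };
    allow-query { 127.0.0.1; 10.0.0.0/8; };
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    recursion yes;

    // Variant A (as configured here): resolve from the root hints below,
    // so the firewall walks the tree itself and caches what it learns.
    //
    // Variant B (the post's "provider's DNS" arrangement): uncomment the
    // two lines below; the firewall then asks only the provider's
    // resolvers and its cache holds only what they return.
    // forwarders { 192.0.2.53; 192.0.2.54; };
    // forward only;

    // Nothing here is authoritative, so refuse zone transfers outright
    // and hide the version string.
    allow-transfer { none; };
    version "not available";
};

// The "initial cache file set to the Internet roots" from the post:
// a hint zone pointing at the root name servers.
zone "." {
    type hint;
    file "named.root";
};
```

With this in place the firewall's DNS holds no zone data at all, so there is nothing about internal hosts for it to leak; the public names for the site have to be served somewhere else, in the post's case by the provider's servers. The packet filter fronting the exposed interface then needs to pass UDP and TCP port 53 from the firewall's outside address to the Internet and the matching replies back, and nothing on port 53 inbound to the firewall that did not originate there. With `forward only` the firewall resolves nothing on its own, so an outage or compromise of the provider's resolvers takes down or poisons name resolution for the whole inside network; the root-hints variant avoids that single dependency at the cost of the firewall talking to many more outside servers.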