Should your firewall be the Primary DNS server? Depends on your DNS
configuration
If you run a traditional DNS domain where you make all your internal DNS
information available to the Internet, then the bastion host should
never be the primary DNS server. If someone broke into your bastion
host and it was the primary DNS server, they would be able to change
your DNS data and it would be replicated on all of your DNS servers.
In this configuration the primary DNS server should always be an
internal protected host.
Also note, the primary DNS server does not have to be a listed DNS
server for your domain in the root DNS servers. The NIC could simply
advertise your bastion DNS server and your external (service provider's)
DNS server through the root name servers. Then the SOA record on your
primary DNS server would need to advertise the primary DNS server as
well as any other internal DNS servers. This avoids problems with
external hosts timing out trying to connect to your internal DNS
servers before trying the bastion and external DNS servers. There are
two drawbacks to this: first, some diagnostic tools like "dig" will
complain about the configuration; second, the external DNS server will
have to copy its database from a peer secondary (the bastion DNS
server) rather than from the primary.
If you are running a split DNS domain, in which you have a private
internal DNS domain that does not advertise data to the Internet (or do
not run DNS internally) and a second external DNS domain (server) which
advertises a minimal amount of information to the Internet (host
information for the hosts on the DMZ network and a wildcard MX record
for the domain), then the bastion host can (should) be the primary DNS
server for this external domain. You should watch the data on the
external DNS server, but it is not as big an internal security concern
because its DNS information is not used by the internal domain.
(Note: both domains have the same name; they simply contain different
information.)
***Commercial Plug***
I explain how to configure this as well as how to set up and maintain DNS in
my "Advanced Sendmail and Electronic Mail Domains" class. For information
about this class or my "Sendmail Made Simple" class please send mail to
info@harker.com or call (408) 295-6239
***End Commercial Plug***
I hope this helps
Thanks in advance
RLH
Robert Harker           sendmail and TCP/IP Network Training
Harker Systems          Network and Sysadmin Consulting
harker@harker.com       1180 Hester Ave
netcom!harker!harker    San Jose, CA 95126
uunet!harker!harker     408-295-9432
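The following is an added illustration of the split DNS arrangement the post recommends; it is constructed here and is not part of Robert Harker's post or his course material. It assumes the domain name example.com, the documentation address ranges 192.0.2.0/24 (DMZ), 203.0.113.0/24 (service provider) and 10.0.0.0/8 (internal), BIND 8/9 named.conf syntax, and hypothetical file paths and host names. Both zone files carry the same domain name but different data: the external copy on the bastion lists only the bastion, the provider's secondary, the DMZ hosts and a wildcard MX, while the internal copy on a protected host holds the real inventory.

```conf
// --- named.conf on the bastion host (constructed example) ---
options {
    directory "/etc/namedb";     // hypothetical path
    recursion no;                // answer only for our own zone; do not recurse for the Internet
};

zone "example.com" {
    type master;                 // the bastion is primary for the EXTERNAL copy of the domain
    file "example.com.external"; // hypothetical file name
    allow-transfer { 203.0.113.53; };   // only the service provider's secondary may copy the zone
};

; --- /etc/namedb/example.com.external  (served by the bastion; constructed example) ---
$TTL 86400
@        IN SOA  bastion.example.com. hostmaster.example.com. (
                 2024010101   ; serial
                 3600         ; refresh
                 900          ; retry
                 604800       ; expire
                 86400 )      ; negative-cache TTL
; only the bastion and the service provider's server are advertised to the Internet
@        IN NS   bastion.example.com.
@        IN NS   ns.isp.example.net.
; wildcard MX: mail for any name in the domain is routed through the bastion
@        IN MX   10 bastion.example.com.
*        IN MX   10 bastion.example.com.
; host information for DMZ hosts only; no internal host names or addresses appear here
bastion  IN A    192.0.2.1
www      IN A    192.0.2.2
ftp      IN A    192.0.2.3

; --- /etc/namedb/example.com.internal  (served by a protected internal primary; constructed example) ---
$TTL 86400
@        IN SOA  ns1.example.com. hostmaster.example.com. (
                 2024010102   ; serial
                 3600         ; refresh
                 900          ; retry
                 604800       ; expire
                 86400 )      ; negative-cache TTL
; internal name servers are listed only here; the Internet never sees these records
@        IN NS   ns1.example.com.
@        IN NS   ns2.example.com.
@        IN MX   10 mailhub.example.com.
ns1      IN A    10.0.0.53
ns2      IN A    10.0.1.53
mailhub  IN A    10.0.0.25
payroll  IN A    10.0.2.10
; DMZ hosts are repeated so internal clients can still reach them by name
bastion  IN A    192.0.2.1
www      IN A    192.0.2.2
ftp      IN A    192.0.2.3
```

The property to check on the bastion is that the external zone file contains nothing the internal one would not willingly publish (no internal NS records, no 10.x addresses), and that allow-transfer is limited to the provider's secondary; a compromise of the bastion then exposes and alters only data that was already public, which is the reason the post is comfortable making it primary for the external domain but not for a traditional, fully advertised one.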