Great Circle Associates Firewalls
(April 1995)

Subject: Re: UDP
From: Phil Trubey <phil @ netpart . com>
Organization: NetPartners, Newport Beach, CA
Date: Fri, 21 Apr 1995 22:56:16 -0700
To: Brent @ GreatCircle . COM
Cc: firewalls @ GreatCircle . COM
In-reply-to: <v02120b05abb8824b50b9 @ [158 . 152 . 139 . 213]>

In article <v02120b05abb8824b50b9 @ [158 . 152 . 139 . 213]> you write:
>
>The trick is to limit your exposure.  What I recommend is setting up a DNS
>server on a bastion host (outside your filtering system) and another server
>on an internal machine (inside your filtering system).  Then, arrange
>things so that the only UDP that can pass through your filtering system is
>DNS between these two servers.  Then, set up the internal server so that it
>forwards to the bastion server all queries it can't answer from its own
>knowledge or cache (via a "forwarders" line in the /etc/resolv.conf file),
>instead of trying to contact DNS servers around the world to work its way
>through the DNS tree to find the answers itself.  Let the bastion host DNS
>server (which is outside your filtering) be the one to query all the random
>servers on the Internet.

Just wanted to point out that there is no inherent reason why you can't
do this all on one machine with two network interfaces.  You could
have two separate DNS servers running, one listening/responding to
the external Internet, and the other one giving info to internal
machines.  Of course, you'd have to do some kernel hacking to get
two processes listening to the same port on different interfaces.

-- 
Phil Trubey                 | 
NetPartners                 | Providing Internet products and services. 
E-mail: phil @ netpart . com    |   Home Page: http://www.netpart.com/
Phone:  714-759-1641        |
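The policy Brent describes in the quoted text (the only UDP allowed across the filter is DNS between the internal server and the bastion server) can be modelled as a small packet-filter evaluator. The following is an added example, not code from the original message or from either poster; the addresses, ports and sample packets are constructed for illustration. It goes one step beyond the quoted advice by remembering outbound queries so that only replies to them are admitted, which is the difference between a stateless rule and a stateful one.

```python
from dataclasses import dataclass

# Constructed addresses for this example (not from the original message).
INTERNAL_DNS = "10.1.1.53"    # DNS server inside the filtering system
BASTION_DNS = "192.0.2.53"    # DNS server on the bastion host, outside it
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class DnsOnlyUdpFilter:
    """Only UDP permitted through the filter is DNS between INTERNAL_DNS and
    BASTION_DNS.  Outbound queries are recorded so that inbound UDP from the
    bastion is accepted only as a reply to a query actually sent."""

    def __init__(self) -> None:
        # Source ports of internal-server queries still awaiting a reply.
        self.pending = set()

    def outbound(self, pkt: Packet) -> str:
        """Decision for a packet travelling inside -> outside."""
        if pkt.proto != "udp":
            return "not-udp"           # other protocols are decided by other rules
        if (pkt.src == INTERNAL_DNS and pkt.dst == BASTION_DNS
                and pkt.dport == DNS_PORT):
            self.pending.add(pkt.sport)
            return "allow"
        return "deny"                  # e.g. a workstation querying a remote server directly

    def inbound(self, pkt: Packet) -> str:
        """Decision for a packet travelling outside -> inside."""
        if pkt.proto != "udp":
            return "not-udp"
        if (pkt.src == BASTION_DNS and pkt.sport == DNS_PORT
                and pkt.dst == INTERNAL_DNS and pkt.dport in self.pending):
            self.pending.discard(pkt.dport)   # one reply per recorded query
            return "allow"
        return "deny"                  # unsolicited UDP, even from the bastion


def run_demo() -> list:
    """Run constructed sample traffic through the filter; returns
    (direction, decision) pairs in order."""
    f = DnsOnlyUdpFilter()
    traffic = [
        ("out", Packet("udp", INTERNAL_DNS, 1234, BASTION_DNS, 53)),   # query
        ("in",  Packet("udp", BASTION_DNS, 53, INTERNAL_DNS, 1234)),   # its reply
        ("in",  Packet("udp", BASTION_DNS, 53, INTERNAL_DNS, 1234)),   # replayed reply
        ("out", Packet("udp", "10.1.1.20", 40000, "198.51.100.9", 53)),  # host bypassing the internal server
        ("in",  Packet("udp", "203.0.113.7", 5555, "10.1.1.20", 111)),   # outside host to an internal RPC port
        ("in",  Packet("udp", BASTION_DNS, 53, INTERNAL_DNS, 2049)),     # bastion, sport 53, but no matching query
        ("out", Packet("tcp", "10.1.1.20", 40001, "198.51.100.9", 80)),  # not covered by the UDP policy
    ]
    return [(d, f.outbound(p) if d == "out" else f.inbound(p)) for d, p in traffic]


if __name__ == "__main__":
    for direction, decision in run_demo():
        print(direction, decision)
```

The sixth packet is the one worth noticing: a stateless rule of the form "UDP from the bastion's port 53 to the internal server" would pass it, because it is indistinguishable from a reply, whereas the pending-query table rejects it. A real filter would also expire entries in that table after a few seconds rather than keeping them until a reply arrives.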



Follow-Ups:
  • Re: UDP
    From: Darren Reed <avalon @ coombs . anu . edu . au>

References:
  • Re: UDP
    From: Brent @ GreatCircle . COM (Brent Chapman)