In some mail from matt @ au, sie said:
> Anton Rager wrote this...
> > Hello All,
> > Are there potential or known problems with running a DNS server on a
> > firewall?? [FWTK or Firewall-1 to be more specific]. I have read
> > about many evil things with NIS/NIS+, but have not found any DNS
> > based compromises. I need to maintain my own Internet domain and
> > alias DNS tables, but will not have any internal names available to
> > the firewall DNS system. Should I install a separate system with
> > the Internet DNS Master and cache DNS on the firewall, or just use
> > my firewall for Internet master??
> If you have heard any evil things about NIS+ I'd like to hear them. NIS+
> is far removed from NIS, and last time I checked it was more rock
> solid than either NIS or DNS, far more secure... so secure in fact
> that if you misconfigure it you can't get your data back!! :)
Set up NIS+ with a slave server, then try to change your NIS+ passwords
without disabling NIS+ security.
The documents from Sun which describe changing the NIS+ password in an
environment where there are slave servers include commands which totally
disable NIS+ security.
Now, what were you saying about NIS+ being more secure? :-) :-(
If you don't run with one of these, maybe you should try it. And for fun,
try shutting down the slave "quietly" (unplug it from the network) and see
what happens. Or even stick it on the other end of a 64k connection.
But, from a firewall perspective, I wouldn't be using standard NIS+. The
keys used in the public key cryptography are relatively short.
P.S. In a project I've been involved with, NIS+ has become another four-letter
word. It's somewhat better than NIS, but it is still far from being
ready for serious use in a commercial environment where you have a
serious amount of usage. To start off with, we had to populate 3 NIS+
tables with almost 6000 entries. You don't want to know how long that