Great Circle Associates Firewalls
(March 1995)

Subject: Re: A "real" security expert
From: patrick @ oes . amdahl . com (Patrick Horgan)
Date: Thu, 30 Mar 1995 23:19:36 +0800
To: avalon @ coombs . anu . edu . au, jcg @ wcdssi . com
Cc: Firewalls @ GreatCircle . COM

>
>If you're properly firewalled and your internal security is as good as
>your firewalls, then I can't see why it would be useful...you're hiding
>hostnames that are never going to be of use to anyone breaking into your
>system from beyond the firewall.
>
>darren

This must be in the FAQ, I know I've answered it on this list at least 
three times this year already.  Although some people get warm fuzzies
from dual-homed dns, it's a false security.  It really doesn't buy you
anything.  Nevertheless, it can be a big win for a company with a firewall?
Is Patrick still suffering from the seventies?  No, because there are
other considerations besides security.  There are also operational ones.

Consider mail delivery.  Your machine at foo.com wants to send mail to
me at amdahl.com.  Your machine asks who's authoritative for amdahl.com,
and is returned the news that it's one of four machines (we have nice
dns neighbors:)  Suppose your machine decides it's going to talk to
our gateway machine, and fetches the A records for our machine.  It's
going to find out that our machine has two interfaces, and two addresses,
and will choose one of them.  If it chooses the one that faces inside our
firewall, you'll have to wait for a udp timeout to go any farther.  You
can't talk to things inside our firewall.  Some software on some machines
is braindamaged enough to never try the right one, so mail to us becomes
undeliverable from you.  There are analogous problems with any services
delivered by machines that straddle a firewall, such as smtp, http, etc...

Application firewalls can have the same problem from within the company!
If someone inside the company tries to connect to www.amdahl.com, it
can hang in just the same way!  The fix is to give a different set of
answers to machines on each side of the firewall for machines that
straddle the firewall.  This is the REAL value of dual-homed dns.

Of course there are other things you can do with a dual-homed dns, to
enforce policies.  You might have a policy that you don't advertise internal
names outside of your firewall.  Dual-homed dns will certainly support
that, but it doesn't imply it.  It's just a choice you can make.

I believe that you shouldn't do it, that any illusion of security you get
from it is just that, an illusion, and that it causes problems, as well
as complacency, but some people like it.  (Of course you've noticed that
I don't have an opinion on this one!)

Good night:)

Patrick

   _______________________________________________________________________
  /  These opinions are mine, and not Amdahl's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Amdahl Corporation          \\    Have       |
 |  patrick@amdahl.com        1250 East Arques Avenue      \\  _ Sword     | 
 |  Phone : (408)992-2779     P.O. Box 3470 M/S 316         \\/    Will    | 
 |  FAX   : (408)773-0833     Sunnyvale, CA 94088-3470     _/\\     Travel | 
  \___________________________O16-2294________________________\)__________/
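The fix Patrick describes, giving machines on each side of the firewall a different answer for the host that straddles it, is what BIND 9 later named "views". The configuration below is an added example written for this archive page; it is not from the original post and not any Amdahl configuration. It uses made-up addresses (192.0.2.0/24 outside, 10.0.0.0/8 inside), the placeholder names gateway.example.com and www.example.com, and constructed SOA values. In 1995, before views existed, the same split was done by running two separate name servers, one on each side of the firewall, each with its own copy of the zone; that is the "dual-homed dns" the thread is arguing about.

```conf
// ---- Before (the problem): one zone served identically to everyone ----
// gateway.example.com straddles the firewall, so a single zone carries
// both of its addresses:
//
//     gateway   IN  A   192.0.2.10   ; outside interface
//     gateway   IN  A   10.1.1.1     ; inside interface
//
// An outside resolver that picks 10.1.1.1 cannot reach it and waits for a
// timeout; an inside client that picks 192.0.2.10 through an application
// firewall hangs the same way.  Clients that never retry the other address
// make the host unreachable from that side.

// ---- After: named.conf (BIND 9) with two views, i.e. split-horizon DNS ----
acl "inside" { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { "inside"; };    // first matching view wins, so list this one first
    recursion yes;                  // inside hosts may use this server as their resolver
    zone "example.com" {
        type master;
        file "db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };         // everything not matched above
    recursion no;                   // never recurse on behalf of the outside world
    zone "example.com" {
        type master;
        file "db.example.com.external";
    };
};

// ---- db.example.com.internal (returned only to "inside" clients) ----
// $TTL 86400
// @         IN  SOA   gateway.example.com. hostmaster.example.com. (
//                     2024010101 3600 900 604800 86400 )   ; constructed values
//           IN  NS    gateway.example.com.
//           IN  MX    10 gateway.example.com.
// gateway   IN  A     10.1.1.1      ; only the inside interface
// www       IN  CNAME gateway
// intranet  IN  A     10.2.2.2      ; a name that exists only in this view

// ---- db.example.com.external (returned to everyone else) ----
// $TTL 86400
// @         IN  SOA   gateway.example.com. hostmaster.example.com. (
//                     2024010101 3600 900 604800 86400 )   ; constructed values
//           IN  NS    gateway.example.com.
//           IN  MX    10 gateway.example.com.
// gateway   IN  A     192.0.2.10    ; only the outside interface
// www       IN  CNAME gateway
//                                   ; no intranet record here at all
```

Two things to check after deploying this. First, the answer really is different per side: a query for gateway.example.com from an inside address should return exactly 10.1.1.1 and one from outside exactly 192.0.2.10, never both. Second, inside clients must actually be configured to query the server through an address that matches the "inside" ACL; an inside resolver that reaches the server via its outside interface gets the external view and the original hang comes back. Whether internal-only names such as intranet appear in the internal zone is, as the post says, a separate policy choice that the split supports but does not require.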
