Re: dns on firewall
From: Marcus Lauer (reply@via.newsgroup.com)
Date: 02/27/02
- In reply to: Bruno Wolff III: "Re: dns on firewall"
- Next in thread: Gideon Lenkey: "Re: dns on firewall"
From: Marcus Lauer <reply@via.newsgroup.com> Date: Tue, 26 Feb 2002 20:33:34 -0800
Bruno Wolff III wrote:
> In article <u7m2kp8c0crm2e@corp.supernews.com>, Marcus Lauer wrote:
>>
>> Aw c'mon. Running any server on a firewall is really missing the
>> point. A firewall should be as safe from harm as possible. And really, if
>> a person is running _DNS_ (we're not talking about a web server here) then
>> they should have the resources to do it right. It's not casual users who are
>> interested in running DNS.
>
> First off, cost is an issue. Someone may not have a spare computer to
> use solely as a DNS server in a DMZ. Putting the DNS server on the firewall
> might be better than putting it on one of the other computers behind the
> firewall. For example the protected machine(s) might be running windows
> and may not run the DNS software the person wants to use.
>
> Second off, there are good reasons for casual people to run DNS. Running
> your own caching server protects you from poorly configured (e.g. vulnerable
> to cache poisoning) DNS caches run by your provider. It also protects you
> from outages on the DNS server (which while it isn't supposed to happen,
> it seems to happen several times a year at my ISP based on complaints
> I see posted). For people running their own servers, it can be convenient
> to run your own DNS server as well. If your services are all dependent
> on your DSL (or whatever) connection, then having DNS depend on that
> connection working as well isn't a big deal. Despite what you imply
> above, running a DNS server well is simpler than running a web server
> well. Another issue is that if you run a local publishing DNS server
> for private addresses, it is nice to have a local cache so that if your
> connection is down your caching server is still accessible.
My point was that your firewall should be as secure as possible, and
that running a server on it is moving in the wrong direction. At best, a
firewall should transparently control access to your network. A server on
the firewall means that there's something there to be cracked. If your
firewall is taken over, not only does the cracker have control of a box which
is not restricted by a firewall (all ports can be opened, no traffic shaping
or rate limiting, etc.), but they have a good place to attack the rest of
your machines from.
Would you run a webserver or a mail server on your firewall? Of
course not. So why DNS? It just doesn't cost that much to pick up an old
486, set up Linux on it, and use that as a server (any type of server!). If
you can't afford that, then you might want to reconsider your computing
situation. Maybe using a full-fledged Linux box as a firewall isn't cost
effective?
As for whether a casual user needs a DNS server, I personally doubt
it, but I suppose it's a matter of opinion. Personally I think the
cost/benefit ratio of most of your suggestions is fairly poor (you're going
to run a server on your firewall just on the off chance your ISP's DNS
servers go down?). Then there are a few which I don't understand at all. If
your DSL or other network connection is down, why does it matter whether or
not you have a working DNS server? Unless of course you have too many
systems to just use "hosts" files (at which point I wouldn't consider you
"casual"!). If I'm misunderstanding something, though, please explain.
Marcus
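The crux of the exchange above is exposure: a service bound on the firewall is reachable from whichever side it listens on. The following is an added example, not code from either poster, that makes that visible. It parses a constructed sample of `ss -Hltun` output for a hypothetical firewall host and classifies each listening socket as loopback-only, inside-only, or reachable from the outside (wildcard binds count as outside). The addresses, the inside interface (192.168.1.1), and the mix of services are assumptions for illustration; run the real `ss -Hltun` through `parse_listeners` to audit an actual box.

```python
"""Audit which services a firewall host exposes, and on which side.

Added example, not from the original thread. Parses `ss -Hltun`-style
output (Netid State Recv-Q Send-Q Local:Port Peer:Port) and reports every
listening socket an outside host could reach. Addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `ss -Hltun` output for a hypothetical firewall:
# sshd on all addresses, a caching resolver bound to the inside address
# only, its control channel on loopback, and a second resolver socket
# mistakenly bound to the wildcard address (so exposed to the outside).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128         0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0      0       192.168.1.1:53        0.0.0.0:*
tcp   LISTEN 0      10      192.168.1.1:53        0.0.0.0:*
tcp   LISTEN 0      10        127.0.0.1:953       0.0.0.0:*
udp   UNCONN 0      0           0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128            [::]:22           [::]:*
"""

# Assumed addressing: one inside interface; any other non-loopback
# address, and any wildcard bind, is treated as reachable from outside.
INTERNAL_ADDRS = {ipaddress.ip_address("192.168.1.1")}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str   # address as printed by ss, "*" for an unspecified one
    port: int
    scope: str  # "loopback", "internal" or "external"


def _split_local(field):
    # "[::]:22" -> ("::", 22); "0.0.0.0:53" -> ("0.0.0.0", 53); "*:22" -> ("*", 22)
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def _scope(host):
    if host in ("", "*"):
        return "external"  # wildcard bind: every interface, outside included
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "external"
    if ip.is_loopback:
        return "loopback"
    return "internal" if ip in INTERNAL_ADDRS else "external"


def parse_listeners(ss_text):
    """Turn `ss -Hltun` output into Listener records, one per socket."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        host, port = _split_local(local)
        listeners.append(Listener(proto, host or "*", port, _scope(host)))
    return listeners


def externally_reachable(ss_text):
    """Return sorted (proto, port) pairs that an outside host could hit."""
    return sorted({(l.proto, l.port)
                   for l in parse_listeners(ss_text) if l.scope == "external"})


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_SS_OUTPUT):
        print(f"{l.proto:4} {l.addr:>12}:{l.port:<5} {l.scope}")
    print("reachable from outside:", externally_reachable(SAMPLE_SS_OUTPUT))
```

On the constructed sample the resolver bound to 192.168.1.1 only shows up as inside-only, while the wildcard-bound udp/53 socket and sshd are reported as reachable from the outside; on a box that is meant to be "transparent", the expected output of `externally_reachable` is an empty list.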