Re: DNS - Firewall
From: Eirik Seim (eirik_at_mi.uib.no)
Date: 07/14/03
Date: 14 Jul 2003 21:05:02 GMT
On Mon, 14 Jul 2003 18:36:42 GMT, Ida Young wrote:
> "mike" <m.mike@ny.com> wrote in message
> news:77a98267.0307140239.250484ed@posting.google.com...
> > How could I configure the DNS (resolv.conf) in my Firewall? To the
> > intern DNS in my Lan or extern to my provider?
> > What's the best and the right way concerning the security and
> > performance?
>
> The firewall should use the internal DNS server, if there is one, so that the
> firewall can resolve the internal host name and address as well as the
> external hostname and address.
>
> With a firewall, you had better have an internal DNS server and an external
> DNS server. The internal DNS server resolves the hostnames and IP addresses
> for your internal machines and firewall. The external DNS server only
> resolves your public services, and serves for users from Internet.
While this makes perfect sense, a relevant question might be _why_ the
firewall needs to look up hostnames at all.
In essence, resolving hostnames means relying on external (even if they are
on the inside of the firewall) information, which in my not so humble
opinion is a bad thing on a firewall. Someone might have good reasons for
this, but I fear most don't.
Followup-To set to comp.security.firewalls, please ignore if your answer
has something to do with AIX.
- Eirik
-- New and exciting signature!