Re: Firewalls - Reviewed
From: Leythos (void_at_nowhere.lan)
Date: 06/16/05
- Next message: Sabya: "Router Info."
- Previous message: Joseph: "Re: Re: Opening ports"
- In reply to: neophite: "Re: Firewalls - Reviewed"
- Next in thread: Arthur Hagen: "Re: Firewalls - Reviewed"
- Reply: Arthur Hagen: "Re: Firewalls - Reviewed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Jun 2005 12:00:06 GMT
In article <1118853724.975022.111700@g14g2000cwa.googlegroups.com>,
jpbaca02@comcast.net says...
> I realize that smtp (MX) and NS (DNS) have nothing to do with the
> firewall, but for ease of administration and security, it would be
> extremely handy to have a box that provides all these features on one
> box.
> I also understand DNS and its functionality, however, it's not true
> that it runs specifically on the inside to forward outside.
First, you need to understand firewalls - you can have a DNS server
inside your network to resolve your names to their private addresses,
this lets your internal computers resolve to the private addresses of
your servers/services.
If you are also hosting your own DNS, if your ISP/Provider lets you do
that, you need to set up a DNS server in a DMZ network, not on the public
side - in this case you would forward DNS traffic ONLY to the internal
DNS server residing in the DMZ. This means that only DNS traffic makes
it from outside the network to the DMZ - meaning you have a lot less
exposure.
> I need a
> NS on the outside because I am "primary" for my domain, therefore the
> need to have a secured DNS server on the outside of my firewall, or
> part of the firewall.
If you purchased a domain name, you might find it easier to allow the
provider to host your public DNS, it's one less machine you have to
purchase, and it's likely to be more reliable than running your own DNS
server unless you have a real data center.
> Same goes for my SMTP traffic. I host my MX record, therefore need a
> secure SMTP server on the outside.
Again, you need a DNS service exposed through the firewall and located
in your DMZ, do not put the DNS server outside the firewall. I would
suggest that you host your DNS at your ISP or domain name provider's
location. We have about 80 domain names, not one of them is hosted on
our DNS Servers, we have them configured with our domain name providers.
--
spam999free@rrohio.com remove 999 in order to email me
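
The DMZ arrangement described in this post, as an added example that is not part of the original message: a Python check over a constructed `iptables-save` excerpt that flags any FORWARD rule admitting new outside-to-DMZ traffic other than DNS to the DNS host. The interface names `eth0` and `eth1`, the address `192.0.2.53` and the sample rules are assumptions made for illustration.

```python
import shlex

# Constructed iptables-save excerpt (not from the post). Assumed names:
# eth0 = outside, eth1 = DMZ, 192.0.2.53 = DNS server in the DMZ.
SAMPLE_RULES = """\
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.0.2.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.0.2.53/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.0.2.53/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -j DROP
"""

VALUE_FLAGS = {"-i", "-o", "-d", "-p", "--dport", "--ctstate", "-j"}

def parse_rule(line):
    """Collect the options this audit cares about from one rule line."""
    tokens = shlex.split(line)
    opts = {"negated": "!" in tokens}
    for i, tok in enumerate(tokens[:-1]):
        if tok in VALUE_FLAGS:
            opts[tok] = tokens[i + 1]
    return opts

def audit(rules_text, outside, dmz, dns_ip):
    """Return (line_number, reason) for every ACCEPT rule that lets new
    outside -> DMZ traffic through that is not DNS to the DNS server."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.startswith("-A FORWARD "):
            continue
        r = parse_rule(line)
        if r.get("-j") != "ACCEPT":
            continue
        # A missing -i / -o matches any interface, so treat it as a match.
        if r.get("-i", outside) != outside or r.get("-o", dmz) != dmz:
            continue
        states = r.get("--ctstate")
        if states and "NEW" not in states.split(","):
            continue  # only return traffic for flows already permitted
        if r["negated"]:
            findings.append((n, "negated match, review by hand"))
        elif r.get("-d") not in (dns_ip, dns_ip + "/32"):
            findings.append((n, "destination is not the DMZ DNS server"))
        elif r.get("-p") not in ("udp", "tcp") or r.get("--dport") != "53":
            findings.append((n, "port/protocol other than DNS (53 udp/tcp)"))
    return findings
```

Rules that use `--dports` or other match extensions are reported rather than interpreted, so the check fails closed.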