On Fri, 2007-04-13 at 23:18 +0200, Matt Miller wrote:
I'm revisiting this issue from a few weeks ago:
I wrote:
I'm configuring a three-homed firewall ... the recommendation is to offer intranet clients DNS and NTP from the firewall itself. ... I feel more comfortable proxying this traffic instead of running the services on the firewall
I've changed my setup, and now I'm following the recommendation of the tutorial. I'm running bind on the firewall (instead of PlugProxy'ing this traffic), and this is working for my intranet clients. I'll probably also set up an NTP server on the firewall, and point my intranet clients at that. I'm happy with this approach for servicing my local intranet.
But, what about Internet clients that need to query my DNS servers that are authoritative for my own domain? I'm thinking that my authoritative servers need to be distinct machines that reside in my DMZ. I don't feel comfortable putting all my DNS zone files on the firewall, and running my site's authoritative name server on there. I really think that the DMZ is the right place for this. Also, I want to run both a master name server and a slave name server, but I don't have a spot in my network topology for two firewalls. So, it seems that I'll be forced to put my master and slave name servers on separate machines from the firewall.
The tutorial explains how to set up a DMZ web server, so presumably setting up DMZ name servers would be similar. However, in your previous post you wrote:
I would not recommend putting authoritative DNS information on the firewall either. We usually do this by installing a separate DNS server in the DMZ, and then have the bind on the firewall be a secondary nameserver. (which gets notified when the zone contents change on the DNS server) -- Bazsi
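As an added illustration of the layout Bazsi describes (not configuration from the tutorial or from either poster), here is a pair of BIND 9 named.conf fragments: the authoritative master lives on a separate host in the DMZ, and the bind already running on the firewall for intranet clients also acts as a secondary for the zone, receiving NOTIFY and pulling transfers from the DMZ host. All addresses, the zone name, the key name and the key secret are assumed placeholders (RFC 5737 documentation space for the DMZ, 10.0.0.0/8 for the intranet); substitute your own.

```conf
// ---- named.conf on the DMZ authoritative master (assumed address 192.0.2.10) ----
// Assumed: the firewall's DMZ-side interface is 192.0.2.1.

// TSIG key shared with the firewall's secondary so that zone transfers are
// authenticated rather than trusted on source address alone.
// Placeholder secret: generate a real one (e.g. with dnssec-keygen) and keep it private.
key "fw-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

options {
    directory "/var/named";
    recursion no;                    // authoritative only: never recurse for anyone
    allow-query { any; };            // Internet clients may query the zone
    allow-transfer { key fw-xfer; }; // only the firewall, with the key, may AXFR/IXFR
    notify yes;
    also-notify { 192.0.2.1; };      // push NOTIFY to the firewall when the zone changes
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
};

// ---- named.conf on the firewall (bind serving intranet clients, secondary for the zone) ----
// Assumed: intranet is 10.0.0.0/8.

key "fw-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // same placeholder secret as above
};

// Sign everything sent to the DMZ master (transfer requests, SOA checks) with the key.
server 192.0.2.10 {
    keys { fw-xfer; };
};

acl intranet { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { intranet; };   // recursive lookups only for inside clients
    allow-query { any; };            // our own zone may still be answered to anyone
    allow-transfer { none; };        // nobody pulls zone copies from the firewall
};

zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters { 192.0.2.10; };
    allow-notify { 192.0.2.10; };    // accept NOTIFY only from the DMZ master
};
```

Two checks worth running once this is in place: from the Internet side, `dig @192.0.2.10 example.com AXFR` should be answered with a transfer refusal (only the keyed secondary is allowed), and `dig @192.0.2.1 example.com SOA +norecurse` should return the same serial as the master, while a recursive query for an outside name sent to the firewall from the Internet side should be refused. The firewall therefore exposes only a read-only copy of the zone; the zone files themselves, and the only host that can change them, stay in the DMZ.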