I'm revisiting this issue from a few weeks ago: I wrote:
I'm configuring a three-homed firewall ... the recommendation is to offer intranet clients DNS and NTP from the firewall itself. ... I feel more comfortable proxying this traffic instead of running the services on the firewall
I've changed my setup, and now I'm following the recommendation of the tutorial. I'm running bind on the firewall (instead of PlugProxy'ing this traffic), and this is working for my intranet clients. I'll probably also set up an NTP server on the firewall, and point my intranet clients at that. I'm happy with this approach for servicing my local intranet. But, what about Internet clients that need to query my DNS servers that are authoritative for my own domain? I'm thinking that my authoritative servers need to be distinct machines that reside in my DMZ. I don't feel comfortable putting all my DNS zone files on the firewall, and running my site's authoritative name server on there. I really think that the DMZ is the right place for this. Also, I want to run both a master name server and a slave name server, but I don't have a spot in my network topology for two firewalls. So, it seems that I'll be forced to put my master and slave name servers on separate machines from the firewall. The tutorial explains how to set up a DMZ web server, so presumably setting up DMZ name servers would be similar. However, in your previous post you wrote:
If you are using PlugProxy instead of Bind that means between the client and target zones all the protocols can get through which are using UDP. So you have to make a trade off between trusting a chrooted and restricted (running without capabilities) Bind and the plug.
When you say "all the protocols can get through which are using UDP" then I get nervous. Are you saying that using PlugProxy for UDP is somehow more dangerous than using PlugProxy for TCP? I realize that PlugProxy does not know anything about the application level, but is there something else inherently dangerous about using PlugProxy for UDP?
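As an added illustration of the distinction raised above (not code from the thread or from the firewall tutorial): a plug forwards every UDP datagram unchanged, whereas an application-aware DNS proxy or Bind itself would at least parse the packet. The constructed sample below shows the minimal header and question-section checks such a parser applies, which a PlugProxy-style forwarder never performs.

```python
import struct

def parse_dns_query(payload: bytes):
    """Return (qname, qtype) if payload is a plausible DNS query, else raise ValueError.
    Checks the 12-byte header (QR=0, standard opcode, exactly one question) and walks
    the question name with bounds checks, rejecting compression pointers there."""
    if len(payload) < 12:
        raise ValueError("short header")
    _id, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                 # QR bit set: this is a response, not a query
        raise ValueError("QR bit set")
    if (flags >> 11) & 0xF != 0:       # only the standard QUERY opcode is accepted
        raise ValueError("unexpected opcode")
    if qdcount != 1 or ancount or nscount:
        raise ValueError("unexpected section counts")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length == 0:                # root label terminates the name
            pos += 1
            break
        if length & 0xC0:              # compression pointers make no sense in a question
            raise ValueError("compression pointer in question")
        if length > 63 or pos + 1 + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos + 4 > len(payload):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:                    # only class IN
        raise ValueError("not class IN")
    return ".".join(labels), qtype

def looks_like_dns_query(payload: bytes) -> bool:
    """True if a DNS-aware proxy would accept this datagram as a query."""
    try:
        parse_dns_query(payload)
        return True
    except (ValueError, UnicodeDecodeError):
        return False

# Constructed sample: a standard A query for www.example.com (ID 0x1234, RD set)
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
# Constructed sample: an arbitrary datagram; a plug would forward it on port 53 just the same
NOT_DNS = b"\x00\x00\x00\x00" + b"anything at all"
```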