I'm configuring a three-homed firewall, and I'm reading the official tutorial. From that tutorial it seems that the recommendation is to offer intranet clients DNS and NTP from the firewall itself. Installing all these services on the firewall seems to go against the conventional wisdom that internet-connected machines should offer as few services as possible. So, I'm wondering what the reasoning is here. I've tried using PlugProxy for DNS and NTP, and that does work. I feel more comfortable proxying this traffic instead of running the services on the firewall, but it seems that the proxied DNS is causing a considerable slow-down for web surfing from my intranet. Is it to be expected that PlugProxy for DNS is a performance problem? If so, is this a problem with proxied UDP in general? Is this performance problem the main reason that the tutorial recommends running DNS and NTP on the firewall? Thanks for any recommendations and discussion here.
On Fri, 2007-03-23 at 21:49 +0100, Matt Miller wrote:
I'm configuring a three-homed firewall, and I'm reading the official tutorial. From that tutorial it seems that the recommendation is to offer intranet clients DNS and NTP from the firewall itself. Installing all these services on the firewall seems to go against the conventional wisdom that internet-connected machines should offer as few services as possible. So, I'm wondering what the reasoning is here.
I've tried using PlugProxy for DNS and NTP, and that does work. I feel more comfortable proxying this traffic instead of running the services on the firewall, but it seems that the proxied DNS is causing a considerable slow-down for web surfing from my intranet.
Both the solutions are working well. But let's think about security policy a bit. If you are using PlugProxy instead of Bind that means between the client and target zones all the protocols can get through which are using UDP. So you have to make a trade-off between trusting a chrooted and restricted (running without capabilities) Bind and the plug. Slow-down DNS: in my opinion it must be misconfiguration.
Is it to be expected that PlugProxy for DNS is a performance problem? If so, is this a problem with proxied UDP in general?
It depends on the amount of udp traffic.
Is this performance problem the main reason that the tutorial recommends running DNS and NTP on the firewall?
No, we recommend using ntp and bind on a firewall because of the previously described reason.

Regards,
Péter HÖLTZL

--
BalaBit IT Bizt. Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667 | 2831 E951 B9EE 63BB F0F4
http://www.balabit.hu/ | Fax: +36 1 208-0875 | 2F4A 1EA4 4B12 7638 29C0
I'm revisiting this issue from a few weeks ago: I wrote:
I'm configuring a three-homed firewall ... the recommendation is to offer intranet clients DNS and NTP from the firewall itself. ... I feel more comfortable proxying this traffic instead of running the services on the firewall
I've changed my setup, and now I'm following the recommendation of the tutorial. I'm running bind on the firewall (instead of PlugProxy'ing this traffic), and this is working for my intranet clients. I'll probably also set up an NTP server on the firewall, and point my intranet clients at that. I'm happy with this approach for servicing my local intranet. But, what about Internet clients that need to query my DNS servers that are authoritative for my own domain? I'm thinking that my authoritative servers need to be distinct machines that reside in my DMZ. I don't feel comfortable putting all my DNS zone files on the firewall, and running my site's authoritative name server on there. I really think that the DMZ is the right place for this. Also, I want to run both a master name server and a slave name server, but I don't have a spot in my network topology for two firewalls. So, it seems that I'll be forced to put my master and slave name servers on separate machines from the firewall. The tutorial explains how to set up a DMZ web server, so presumably setting up DMZ name servers would be similar. However, in your previous post you wrote:
If you are using PlugProxy instead of Bind that means between the client and target zones all the protocols can get through which are using UDP. So you have to make a trade off between trusting a chrooted and restricted (running without capabilities) Bind and the plug.
When you say "all the protocols can get through which are using UDP" then I get nervous. Are you saying that using PlugProxy for UDP is somehow more dangerous than using PlugProxy for TCP? I realize that PlugProxy does not know anything about the application level, but is there something else inherently dangerous about using PlugProxy for UDP?
If you are using PlugProxy instead of Bind that means between the client and target zones all the protocols can get through which are using UDP
When you say "all the protocols can get through which are using UDP" then I get nervous. Are you saying that using PlugProxy for UDP is somehow more dangerous than using PlugProxy for TCP?
I think I now understand what you meant. When you said "protocol" you were probably thinking at the application layer, but when I read "protocol" I was thinking at the network or transport layers. Sorry, I'm still used to thinking in terms of packet filtering only. Okay, so what you said makes sense, but that still doesn't tell me where I should put my master and slave name servers that will be authoritative for my own domain. I guess I'll go back to my _DNS and Bind_ book, and see what I can come up with...
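The point Péter and Matt settle on above (a plug proxy relays whatever UDP payload arrives on the DNS port, while an application-aware DNS proxy or a local Bind only acts on well-formed DNS messages) can be made concrete with a small added example. This is illustrative code written for this thread, not Zorp's PlugProxy or any BalaBit code; the function names are hypothetical and the datagrams are constructed inline.

```python
"""Added example: what an application-aware DNS check sees that a UDP plug does not.

Constructed for this thread; not Zorp code. A plug-style relay forwards every
datagram that arrives on the DNS port, so any UDP-based application protocol
can ride through it. An application-level check parses the DNS message first
and refuses payloads that are not well-formed queries.
"""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def plug_decision(payload: bytes) -> str:
    """A plug proxy's view: any UDP payload on the port is relayed unchanged."""
    return "forward"


def parse_dns_query(payload: bytes) -> dict:
    """Parse a DNS query; raise ValueError for anything that is not one.

    Checks the header bits and the single question section (RFC 1035 layout).
    """
    if len(payload) < DNS_HEADER.size:
        raise ValueError("shorter than a DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = DNS_HEADER.unpack_from(payload)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        raise ValueError(f"opcode {opcode} is not a standard query")
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    if ancount or nscount:
        raise ValueError("answer/authority records do not belong in a query")

    # Walk the question name: length-prefixed labels, terminated by a zero octet.
    offset = DNS_HEADER.size
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated question name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        try:
            text = label.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("non-ASCII label") from None
        if not all(c.isalnum() or c in "-_" for c in text):
            raise ValueError(f"label {text!r} is not a hostname label")
        labels.append(text)
        offset += length
    name = ".".join(labels)
    if len(name) > 253:
        raise ValueError("question name exceeds 253 octets")

    if offset + 4 > len(payload):
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack_from("!HH", payload, offset)
    offset += 4
    if qclass != 1:
        raise ValueError(f"class {qclass} is not IN")
    # A plain query carries nothing after the question unless it has an
    # additional section (e.g. an EDNS OPT record); reject stray trailing bytes.
    if arcount == 0 and offset != len(payload):
        raise ValueError("trailing bytes after the question section")
    return {"id": ident, "name": name, "qtype": qtype}


def application_decision(payload: bytes) -> tuple:
    """An application-aware proxy's view: forward only well-formed DNS queries."""
    try:
        q = parse_dns_query(payload)
    except ValueError as e:
        return "drop", str(e)
    return "forward", f"query for {q['name']} (type {q['qtype']})"


def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Build a minimal DNS query datagram (flags 0x0100 = recursion desired)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    return DNS_HEADER.pack(ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed datagrams: a genuine query, a DNS response, an HTTP request
    # and a raw blob, the last three merely having arrived on UDP port 53.
    samples = {
        "dns query": build_query("www.example.com"),
        "dns response": DNS_HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0) + b"\x00",
        "http on port 53": b"GET / HTTP/1.0\r\nHost: x\r\n\r\n",
        "tunnel blob": bytes(12) + b"\xde\xad" * 10,
    }
    for label, data in samples.items():
        print(f"{label:16} plug={plug_decision(data):8} app={application_decision(data)}")
```

Run as a script it prints both views side by side: the plug forwards all four datagrams, the application-level check forwards only the genuine query and gives a reason for each drop. This is the gap Péter's "all the protocols which are using UDP" refers to, and why a chrooted Bind (which parses every message it answers) was preferred over the plug for intranet clients.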
On Fri, 2007-04-13 at 23:18 +0200, Matt Miller wrote:
I'm revisiting this issue from a few weeks ago:
I wrote:
I'm configuring a three-homed firewall ... the recommendation is to offer intranet clients DNS and NTP from the firewall itself. ... I feel more comfortable proxying this traffic instead of running the services on the firewall
I've changed my setup, and now I'm following the recommendation of the tutorial. I'm running bind on the firewall (instead of PlugProxy'ing this traffic), and this is working for my intranet clients. I'll probably also set up an NTP server on the firewall, and point my intranet clients at that. I'm happy with this approach for servicing my local intranet.
But, what about Internet clients that need to query my DNS servers that are authoritative for my own domain? I'm thinking that my authoritative servers need to be distinct machines that reside in my DMZ. I don't feel comfortable putting all my DNS zone files on the firewall, and running my site's authoritative name server on there. I really think that the DMZ is the right place for this. Also, I want to run both a master name server and a slave name server, but I don't have a spot in my network topology for two firewalls. So, it seems that I'll be forced to put my master and slave name servers on separate machines from the firewall.
The tutorial explains how to set up a DMZ web server, so presumably setting up DMZ name servers would be similar. However, in your previous post you wrote:
I would not recommend putting authoritative DNS information on the firewall either. We usually do this by installing a separate DNS server in the DMZ, and then have the bind on the firewall be a secondary nameserver. (which gets notified when the zone contents change on the DNS server)

--
Bazsi
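One concrete form of the layout Bazsi describes (authoritative master in the DMZ, the firewall's bind as a notified secondary, with the firewall still resolving recursively for intranet clients as Matt set up), as an added example: these are constructed named.conf fragments, not BalaBit's or the tutorial's configuration, and the zone name, file paths and addresses (192.0.2.10 for the DMZ master, 192.0.2.1 for the firewall's DMZ-side interface, 10.0.0.0/8 for the intranet) are placeholders.

```conf
# --- DMZ authoritative server (master): named.conf fragment, constructed example ---
options {
    recursion no;                  # authoritative only; never resolves on behalf of clients
    allow-transfer { none; };      # no zone transfers unless a zone statement opens them
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    notify yes;
    also-notify { 192.0.2.1; };    # tell the firewall's bind when the zone changes
    allow-transfer { 192.0.2.1; }; # only the firewall may pull the zone
};

# --- Firewall: named.conf fragment for the same zone, constructed example ---
options {
    allow-recursion { 10.0.0.0/8; };  # recursive service only for intranet clients
    allow-transfer { none; };         # nobody pulls zones from the firewall
};

zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";  # bind writes the transferred copy here
    masters { 192.0.2.10; };                # the DMZ master
    allow-notify { 192.0.2.10; };           # accept NOTIFY only from that master
};
```

The zone files and the right to edit them stay in the DMZ, which is Matt's concern; the firewall carries only a read-only copy that it refreshes on NOTIFY (or at the SOA refresh interval), and the firewall rules then only need to allow TCP/UDP 53 from 192.0.2.10 to the firewall for the NOTIFY and the transfer. A second authoritative server for the domain can be another secondary in the DMZ pulling from the same master, without any change to the firewall.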
participants (3)
- Balazs Scheidler
- HÖLTZL Péter
- Matt Miller