[zorp] Proxy for DNS and NTP

Matt Miller zorp at mattmillersf.fastmail.fm
Fri Apr 13 23:18:16 CEST 2007

I'm revisiting this issue from a few weeks ago:

I wrote:
> I'm configuring a three-homed firewall ... the recommendation is to
> offer intranet clients DNS and NTP from the firewall itself. ... I
> feel more comfortable proxying this traffic instead of running the
> services on the firewall

I've changed my setup, and now I'm following the recommendation of the
tutorial.  I'm running bind on the firewall (instead of PlugProxy'ing
this traffic), and this is working for my intranet clients.  I'll
probably also set up an NTP server on the firewall, and point my
intranet clients at that.  I'm happy with this approach for servicing my
local intranet.

But, what about Internet clients that need to query my DNS servers that
are authoritative for my own domain?  I'm thinking that my
authoritative servers need to be distinct machines that reside in my
DMZ.  I don't feel comfortable putting all my DNS zone files on the
firewall, and running my site's authoritative name server on there.  I
really think that the DMZ is the right place for this.  Also, I want to
run both a master name server and a slave name server, but I don't have
a spot in my network topology for two firewalls.  So, it seems that
I'll be forced to put my master and slave name servers on separate
machines from the firewall.

The tutorial explains how to set up a DMZ web server, so presumably
setting up DMZ name servers would be similar.  However, in your previous
post you wrote:

> If you are using PlugProxy instead of Bind that means between the
> client and target zones all the protocols can get through which are
> using UDP. So you have to make a trade off between trusting a chrooted
> and restricted (running without capabilities) Bind and the plug.

When you say "all the protocols can get through which are using UDP"
then I get nervous.  Are you saying that using PlugProxy for UDP is
somehow more dangerous than using PlugProxy for TCP?  I realize that
PlugProxy does not know anything about the application level, but is
there something else inherently dangerous about using PlugProxy for UDP?

More information about the zorp mailing list