[zorp] Proxy for DNS and NTP
Balazs Scheidler
bazsi at balabit.hu
Sun Apr 15 12:05:33 CEST 2007
On Fri, 2007-04-13 at 23:18 +0200, Matt Miller wrote:
> I'm revisiting this issue from a few weeks ago:
>
> I wrote:
> > I'm configuring a three-homed firewall ... the recommendation is to
> > offer intranet clients DNS and NTP from the firewall itself. ... I
> > feel more comfortable proxying this traffic instead of running the
> > services on the firewall
>
> I've changed my setup, and now I'm following the recommendation of the
> tutorial. I'm running bind on the firewall (instead of PlugProxy'ing
> this traffic), and this is working for my intranet clients. I'll
> probably also set up an NTP server on the firewall, and point my
> intranet clients at that. I'm happy with this approach for servicing my
> local intranet.
>
> But, what about Internet clients that need to query my DNS servers that
> are authoritative for my own domain? I'm thinking that my
> authoritative servers need to be distinct machines that reside in my
> DMZ. I don't feel comfortable putting all my DNS zone files on the
> firewall, and running my site's authoritative name server on there. I
> really think that the DMZ is the right place for this. Also, I want to
> run both a master name server and a slave name server, but I don't have
> a spot in my network topology for two firewalls. So, it seems that
> I'll be forced to put my master and slave name servers on separate
> machines from the firewall.
>
> The tutorial explains how to set up a DMZ web server, so presumably
> setting up DMZ name servers would be similar. However, in your previous
> post you wrote:

I would not recommend putting authoritative DNS information on the
firewall either. We usually do this by installing a separate DNS server
in the DMZ, and then have the bind on the firewall be a secondary
nameserver (which gets notified when the zone contents change on the
DNS server).
--
Bazsi
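The layout Bazsi describes, as an added illustration and not configuration taken from the thread: one named.conf fragment for the authoritative master in the DMZ and one for the bind on the firewall acting as secondary. The zone name example.com, the addresses 192.0.2.53 (DMZ DNS) and 192.0.2.1 (firewall, DMZ side), the intranet range 10.0.0.0/8 and the file paths are all constructed assumptions.

```conf
// --- DMZ authoritative master (192.0.2.53), constructed example ---
options {
    listen-on { 192.0.2.53; };
    recursion no;                  // authoritative only: never a resolver for anyone
    allow-transfer { none; };      // transfers only where a zone explicitly allows them
    notify explicit;               // send NOTIFY only to the hosts listed in also-notify
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    also-notify { 192.0.2.1; };    // tell the firewall's bind when the serial changes
    allow-transfer { 192.0.2.1; }; // and let only the firewall pull the zone (AXFR/IXFR)
};

// --- firewall bind (192.0.2.1 on the DMZ side, 10.0.0.1 on the intranet side) ---
options {
    listen-on { 127.0.0.1; 10.0.0.1; 192.0.2.1; };
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };   // recursion for intranet clients only
    allow-transfer { none; };                     // nobody pulls zones from the firewall
};

zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";  // must be writable by the named user
    masters { 192.0.2.53; };                // NOTIFY from a listed master is accepted by default
};
```

After a zone edit and `rndc reload` on the DMZ master, the SOA serial returned by `dig @192.0.2.1 example.com SOA` should match the master's; if it does not, the NOTIFY or the transfer is being blocked between the DMZ and the firewall.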