[zorp] Proxy for DNS and NTP

Balazs Scheidler bazsi at balabit.hu
Sun Apr 15 12:05:33 CEST 2007

On Fri, 2007-04-13 at 23:18 +0200, Matt Miller wrote:
> I'm revisiting this issue from a few weeks ago:
> I wrote:
> > I'm configuring a three-homed firewall ... the recommendation is to
> > offer intranet clients DNS and NTP from the firewall itself. ... I
> > feel more comfortable proxying this traffic instead of running the
> > services on the firewall
> I've changed my setup, and now I'm following the recommendation of the
> tutorial.  I'm running bind on the firewall (instead of PlugProxy'ing
> this traffic), and this is working for my intranet clients.  I'll
> probably also set up an NTP server on the firewall, and point my
> intranet clients at that.  I'm happy with this approach for servicing my
> local intranet.
> But, what about Internet clients that need to query my DNS servers that
> are authoritative for my own domain?  I'm thinking that my
> authoritative servers need to be distinct machines that reside in my
> DMZ.  I don't feel comfortable putting all my DNS zone files on the
> firewall, and running my site's authoritative name server on there.  I
> really think that the DMZ is the right place for this.  Also, I want to
> run both a master name server and a slave name server, but I don't have
> a spot in my network topology for two firewalls.  So, it seems that
> I'll be forced to put my master and slave name servers on separate
> machines from the firewall.
> The tutorial explains how to set up a DMZ web server, so presumably
> setting up DMZ name servers would be similar.  However, in your previous
> post you wrote:

I would not recommend putting authoritative DNS information on the
firewall either. We usually do this by installing a separate DNS server
in the DMZ, and then have the bind on the firewall be a secondary
nameserver. (which gets notified when the zone contents change on the
DNS server)
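
The arrangement described in the reply above, sketched as BIND 9 configuration. This is an added example, not configuration from the original post or the Zorp tutorial; the zone name example.com, the 192.0.2.x addresses, the file paths and the fw-xfer TSIG key are assumptions, and restricting transfers with a TSIG key goes beyond what the post states.

```conf
# Added example. Zone name, addresses, paths and key name are constructed
# placeholders (assumptions), not values from the original post.

# ---- named.conf on the DMZ DNS server (holds the zone files) ----
key "fw-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_SECRET";   # placeholder, generate your own
};

zone "example.com" {
    type master;
    file "zones/example.com.db";
    notify explicit;                    # send NOTIFY only to also-notify hosts
    also-notify { 192.0.2.1; };         # firewall's DMZ-side address (assumed)
    allow-transfer { key "fw-xfer"; };  # zone transfers only with the shared key
};

# ---- named.conf on the firewall (secondary, no hand-edited zone data) ----
key "fw-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_SECRET";   # same placeholder secret
};

# Sign requests sent to the DMZ server with the shared key.
server 192.0.2.53 { keys { "fw-xfer"; }; };

zone "example.com" {
    type slave;
    masters { 192.0.2.53; };            # DMZ DNS server (assumed address)
    file "slaves/example.com.db";       # transferred copy, rewritten by named
    notify no;                          # firewall does not notify anyone further
    allow-transfer { none; };           # firewall never hands the zone onward
};
```

With this split, the zone is edited only on the DMZ host; raising the SOA serial there triggers a NOTIFY, and the firewall pulls the updated zone itself.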

