[zorp] Proxy for DNS and NTP

Matt Miller zorp at mattmillersf.fastmail.fm
Fri Mar 23 21:49:47 CET 2007

I'm configuring a three-homed firewall, and I'm reading the official
tutorial.  From that tutorial it seems that the recommendation is to
offer intra-net clients DNS and NTP from the firewall itself.
Installing all these services on the firewall seems to go against the
conventional wisdom that internet-connected machines should offer as few
services as possible. So, I'm wondering what the reasoning is here.

I've tried using PlugProxy for DNS and NTP, and that does work.  I feel
more comfortable proxying this traffic instead of running the services
on the firewall, but it seems that the proxied DNS is causing a
considerable slow-down for web surfing from my intra-net.

Is it to be expected that PlugProxy for DNS is a performance problem? If
so, is this a problem with proxied UDP in general?  Is this performance
problem the main reason that the tutorial recommends running DNS and NTP
on the firewall?

Thanks for any recommendations and discussion here.

