[zorp] Proxy for DNS and NTP
holtzl.peter at balabit.hu
Mon Mar 26 08:23:55 CEST 2007
On Fri, 2007-03-23 at 21:49 +0100, Matt Miller wrote:
> I'm configuring a three-homed firewall, and I'm reading the official
> tutorial. From that tutorial it seems that the recommendation is to
> offer intra-net clients DNS and NTP from the firewall itself.
> Installing all these services on the firewall seems to go against the
> conventional wisdom that internet-connected machines should offer as few
> services as possible. So, I'm wondering what the reasoning is here.
> I've tried using PlugProxy for DNS and NTP, and that does work. I feel
> more comfortable proxying this traffic instead of running the services
> on the firewall, but it seems that the proxied DNS is causing a
> considerable slow-down for web surfing from my intra-net.
Both solutions work well. But let's think about security
policy a bit. If you are using PlugProxy instead of Bind, that means
between the client and target zones all the protocols can get through
which are using UDP. So you have to make a trade-off between trusting a
chrooted and restricted (running without capabilities) Bind and the plug.
Slow DNS: in my opinion it must be a misconfiguration.
> Is it to be expected that PlugProxy for DNS is a performance problem? If
> so, is this a problem with proxied UDP in general?
It depends on the amount of udp traffic.
> Is this performance
> problem the main reason that the tutorial recommends running DNS and NTP
> on the firewall?
No, we recommend using ntp and bind on a firewall because of the
previously described reason.
BalaBit IT Bizt. Kft | Tel: +36 1 371-0540 | GnuPG Fingerprint:
holtzl.peter at balabit.hu | Mobil: +36 20 366-9667 | 2831 E951 B9EE 63BB F0F4
http://www.balabit.hu/ | Fax: +36 1 208-0875 | 2F4A 1EA4 4B12 7638 29C0
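The trade-off described above (a plug relays any UDP datagram unchanged, while a DNS-aware proxy or a restricted resolver only accepts well-formed DNS) illustrated in Python as an added example; this is not Zorp code or anything from the thread. The two payloads are constructed, and the accepted policy (standard queries only, class IN, at most one additional record for EDNS0) is an assumption.

```python
import struct

# Constructed sample UDP payloads (not from the original post).
# 1) a well-formed DNS query: id 0x1234, flags RD, one question "example.com" A/IN
DNS_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    + b"\x07example\x03com\x00"
    + struct.pack("!HH", 1, 1)
)
# 2) arbitrary bytes sent to UDP/53: a plug forwards them, a DNS-aware proxy should not
NOT_DNS = b"not a dns message, just bytes on port 53"


def plug_forward(payload: bytes) -> bytes:
    """A plug proxy relays UDP datagrams as-is: no protocol inspection at all."""
    return payload


def parse_dns_question(payload: bytes):
    """Validate a DNS query datagram and return (qname, qtype, qclass).
    Raises ValueError when the payload is not a single standard DNS query,
    which is exactly the check a plug never performs."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response, not a query")
    if (flags >> 11) & 0xF != 0:
        raise ValueError("only the standard QUERY opcode is allowed (assumed policy)")
    if qd != 1 or an != 0 or ns != 0 or ar > 1:
        raise ValueError("unexpected section counts for a query")
    labels, pos = [], 12
    while True:  # walk QNAME labels; compression pointers are invalid in a question
        if pos >= len(payload):
            raise ValueError("QNAME runs past the end of the datagram")
        length, pos = payload[pos], pos + 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("label too long or compression pointer in question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos - 12 > 255 or len(payload) < pos + 4:
        raise ValueError("QNAME too long or truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:
        raise ValueError("only class IN is allowed (assumed policy)")
    if ar == 0 and len(payload) != pos + 4:
        raise ValueError("trailing bytes after the question")
    return ".".join(labels), qtype, qclass


def dns_aware_forward(payload: bytes):
    """Forward only datagrams that parse as DNS queries; drop (None) anything else."""
    try:
        parse_dns_question(payload)
    except ValueError:
        return None
    return payload
```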