[zorp] Proxy for DNS and NTP

HÖLTZL Péter holtzl.peter at balabit.hu
Mon Mar 26 08:23:55 CEST 2007

On Fri, 2007-03-23 at 21:49 +0100, Matt Miller wrote:
> I'm configuring a three-homed firewall, and I'm reading the official
> tutorial.  From that tutorial it seems that the recommendation is to
> offer intra-net clients DNS and NTP from the firewall itself.
> Installing all these services on the firewall seems to go against the
> conventional wisdom that internet-connected machines should offer as few
> services as possible. So, I'm wondering what the reasoning is here.
> I've tried using PlugProxy for DNS and NTP, and that does work.  I feel
> more comfortable proxying this traffic instead of running the services
> on the firewall, but it seems that the proxied DNS is causing a
> considerable slow-down for web surfing from my intra-net.

Both solutions work well. But let's think about security
policy a bit. If you are using PlugProxy instead of Bind, that means
that between the client and target zones all protocols which use UDP
can get through. So you have to make a trade-off between trusting a
chrooted and restricted (running without capabilities) Bind and the plug.

DNS slow-down: in my opinion it must be a misconfiguration.

> Is it to be expected that PlugProxy for DNS is a performance problem? If
> so, is this a problem with proxied UDP in general?

It depends on the amount of UDP traffic.

> Is this performance
> problem the main reason that the tutorial recommends running DNS and NTP
> on the firewall?

No, we recommend using NTP and Bind on the firewall for the
reason described above.

BalaBit IT Bizt. Kft    | Tel:   +36  1 371-0540 | GnuPG Fingerprint:
holtzl.peter at balabit.hu | Mobil: +36 20 366-9667 | 2831 E951 B9EE 63BB F0F4
http://www.balabit.hu/  | Fax:   +36  1 208-0875 | 2F4A 1EA4 4B12 7638 29C0
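To make the trade-off above concrete, here is an added illustration (not Zorp code and not from the mailing list): a plug proxy relays any UDP datagram that arrives on port 53, whereas a protocol-aware check parses the DNS header and question and rejects payloads that are not DNS queries. The two sample datagrams are constructed for this example.

```python
import struct

def plug_proxy_accepts(payload: bytes) -> bool:
    """Model of a plug proxy on UDP/53: it relays whatever arrives."""
    return True

def looks_like_dns_query(payload: bytes) -> bool:
    """Protocol-aware check: True only if payload parses as a DNS query
    (RFC 1035 header + one question).  A plug proxy does no such parsing."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, ancount, nscount, _arcount = struct.unpack(
        "!HHHHHH", payload[:12])
    if flags & 0x8000:               # QR bit set: a response, not a query
        return False
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2):      # QUERY, IQUERY, STATUS
        return False
    if qdcount != 1 or ancount != 0 or nscount != 0:
        return False
    # Walk the question name: length-prefixed labels ending in a zero byte.
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or length > 63:   # compression pointer / bad label
            return False
        pos += length
    if pos + 4 > len(payload):       # need QTYPE and QCLASS
        return False
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qtype != 0 and qclass in (1, 255)   # IN or ANY

# Constructed samples: a real-looking query for www.example.com, and an
# arbitrary UDP payload that a plug proxy would pass through unchanged.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01")
NOT_DNS = b"hello, this is some arbitrary UDP payload on port 53"

if __name__ == "__main__":
    for name, pkt in (("DNS query", DNS_QUERY), ("non-DNS", NOT_DNS)):
        print(f"{name}: plug={plug_proxy_accepts(pkt)} "
              f"dns-aware={looks_like_dns_query(pkt)}")
```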