DNS

Jim McConnell jkm at tbred.com
Tue Feb 1 19:13:58 UTC 2000


> If you had a choice between having the DNS outside the firewall or behind
> the firewall, which one would you pick? This controversy is creating turmoil
> in our office. One of the engineers wants the DNS in the DMZ and the other
> would like to have it inside. What are the pros and cons of both sides?
>
> Thanks for your help.

We recently moved our DNS servers into the DMZ. We have a reasonably small DNS, with about 10 zones (20 if you count the reverse), and simply wanted to maintain one server with both the public & private zones to simplify administration.

Our requirements prior to moving the DNS were straightforward:

1. The service cannot run as root. Using the command line options, this is easily accomplished.

2. Private zones would not be accessible to the general public. Using "allow-query" and "allow-transfer", we are able to secure the private zones so that only a specific set of hosts can perform queries and/or zone transfers.

So, in my setup, having a limited number of zones, and needing to trim the amount of administration that is necessary, simply having additional DNS servers is a problem. The only pro we could come up with for requiring that private zones be behind the firewall is that it would totally prevent the private zones from becoming accessible to the public.

In the end, we went with the DNS in the DMZ because the pros (fewer servers, easier administration) outnumbered the cons (possible information leak). Since I feel we adequately addressed the security concerns, there was little room left for debate.

Of course, we do maintain one server behind the firewall that is purely a slave server, which allows queries to still be answered in the event that the firewall dies. However, the amount of administration on our slaves is nearly zero, and workstations are configured to use that only as a tertiary server.

Ultimately, I think that the size of your DNS servers goes a long way toward determining where the service should sit. Perhaps if the zones are large enough, you split the duties among several machines: 1 master internal to your LAN for private zones, and 1 master in the DMZ for your public zones, and an appropriate number of backups in both the LAN & DMZ. I'd be interested to hear what each side is arguing as pros/cons in your specific case. To my mind, the difference is minimal.

Jim McConnell
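The configuration the reply describes (one DMZ server hosting both public and private zones, with per-zone "allow-query" and "allow-transfer" restrictions, plus a slave behind the firewall) as an added example in named.conf syntax. This is not the poster's configuration; the zone names, file names, addresses and ACL names are assumed placeholders, and the statements used (acl, allow-query, allow-transfer, any, none) are the ones available in both BIND 8 and BIND 9.

```conf
// Added example, not from the original post.  One server in the DMZ serves a
// public zone to anyone and a private zone only to internal hosts.  All names
// and addresses are assumed placeholders.

// Assumed internal address space, and the hosts allowed to pull zone copies.
acl "internal"        { 192.168.0.0/16; 127.0.0.1; };
acl "internal-slaves" { 192.168.1.53; };   // the slave kept behind the firewall
acl "public-slaves"   { 203.0.113.53; };   // assumed secondary out in the DMZ

options {
    directory "/var/named";
    // Default for every zone that does not override it: nobody may transfer.
    // Each zone below states its own allow-transfer explicitly anyway.
    allow-transfer { none; };
};

// Public zone: anyone may query, only the listed secondaries may transfer.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query    { any; };
    allow-transfer { public-slaves; };
};

// Private zone on the same server: queries and transfers are limited to
// internal hosts, so a query arriving from the Internet is refused rather
// than answered with internal names.
zone "corp.example.com" {
    type master;
    file "db.corp.example.com";
    allow-query    { internal; };
    allow-transfer { internal-slaves; };
};

// The private reverse zone gets the same restrictions; the post counts
// reverse zones separately, and they leak just as much if left open.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.1";
    allow-query    { internal; };
    allow-transfer { internal-slaves; };
};
```

The first requirement in the reply, not running as root, is a start-up option rather than a named.conf statement: named is started as an unprivileged user with `-u` (for example `named -u named`; BIND 8 also takes `-g` for the group). Two checks are worth doing once this is in place: run `dig` for a private name and a private-zone AXFR from a host outside the "internal" range and confirm both are refused, and make sure the firewall drops packets arriving from outside that claim an internal source address, since every restriction above is keyed on the client's address and is only as good as that anti-spoofing rule.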
