Location of BIND in network

Kevin Darcy kcd at daimlerchrysler.com
Sat Feb 3 02:26:36 UTC 2001


I can't imagine there would be any advantage to putting your internal
DNS server *outside* of the firewall. That seems rather unsafe. Moreover, the
traffic and the rule complexity of your firewall(s) should be reduced if you
have only *one* internal node querying external nameservers and caching the
results, as opposed to some indeterminate number of clients accessing that
nameserver constantly through the firewall.

I wouldn't touch query-source unless you have to because of the limitations of
your firewall software.

Obviously, if you decide to locate your internal nameserver outside of the
firewall, you'd want to set an allow-query to prevent external access. Slightly
less obviously, if you locate your internal nameserver INside of the firewall,
but you have to set query-source to port 53, you may also want to set an
allow-query, because in that case your firewall probably won't be able to
distinguish incoming queries from incoming query-responses and outgoing
query-responses from outgoing queries. If you're just forwarding all queries
for Internet names through your firewall to your ISP's nameservers, however,
and you can write a firewall rule limiting DNS activity to your nameserver and
its forwarders, then perhaps the allow-query might be technically unnecessary
(still, it wouldn't hurt to be a little paranoid!)...


- Kevin

Adam Lang wrote:

> Hello,
>
> I plan on keeping the main DNS hosted by my ISP (PSI.net), but I'm setting
> up BIND local to do caching and internal DNS records (mostly dynamic DNS for
> clients to use with POP).
>
> Should I keep my local DNS behind a firewall?  I'd assume that would be the
> appropriate way since there isn't any querying into the network to it, only
> out.  Or, will I just cause myself headaches because of the query-source?
>
> Adam Lang
> Systems Engineer
> Rutgers Casualty Insurance Company
> http://www.rutgersinsurance.com
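As an added illustration (not part of Kevin's or Adam's messages), here is what the named.conf settings Kevin is describing look like in BIND 8/9 syntax for the setup Adam outlines: an internal nameserver that caches, holds the internal records, and forwards Internet names to the ISP. The internal address range (10.0.0.0/8), the forwarder addresses (192.0.2.1 and 192.0.2.2, documentation addresses standing in for PSI.net's real resolvers), the zone name corp.example and the file paths are all assumptions made up for the example.

```conf
// named.conf fragment (BIND 8/9 syntax) for an internal caching nameserver
// that forwards Internet queries to the ISP.  Added example; every address,
// zone name and path below is a placeholder, not a real deployment.

acl "internal" {
    127.0.0.1;          // the nameserver itself
    10.0.0.0/8;         // assumed internal client range
};

options {
    directory "/var/named";

    // All Internet names are handed to the ISP's resolvers.  The addresses
    // are documentation (TEST-NET) space standing in for PSI.net's servers.
    forwarders {
        192.0.2.1;
        192.0.2.2;
    };
    forward only;       // never go to root/authoritative servers directly,
                        // so the firewall rule only has to admit the forwarders

    // Only the inside may ask questions.  Required if the server sits outside
    // the firewall, and still advisable inside it: once query-source is pinned
    // to port 53 the firewall can no longer tell an inbound query (dst 53)
    // from an inbound reply to one of our own queries (also dst 53).
    allow-query { "internal"; };

    // Leave this commented out unless the firewall software forces it.  With
    // the default (an unprivileged source port chosen by named), a port-based
    // rule can admit only replies to queries the nameserver itself sent.
    // query-source address * port 53;
};

// The internal records Adam mentions (dynamic updates from the inside only).
zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-update { "internal"; };
};
```

With forward only and the allow-query above, the matching firewall rule is the one Kevin's last paragraph describes: permit UDP and TCP port 53 between the nameserver's address and the two forwarder addresses only, and nothing else on port 53 in either direction. If the firewall software cannot express that without a fixed source port, uncomment the query-source line and keep the allow-query in place.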




