Location of BIND in network

Adam Lang aalang at rutgersinsurance.com
Mon Feb 5 16:58:08 UTC 2001


Yeah, what I will be doing is having all internal servers using the internal
DNS for queries and if it doesn't have it cached, it queries from other
nameservers.  No one else will be querying from inside to outside directly.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
>
> ----- Original Message -----
> From: "Kevin Darcy" <kcd at daimlerchrysler.com>
> To: <bind-users at isc.org>
> Sent: Friday, February 02, 2001 9:26 PM
> Subject: Re: Location of BIND in network
>
>
> >
> > I can't imagine there would be any advantage to putting your internal
> > DNS server *outside* of the firewall. That seems rather unsafe. Moreover, the
> > traffic and the rule complexity of your firewall(s) should be reduced if you
> > have only *one* internal node querying external nameservers and caching the
> > results, as opposed to some indeterminate number of clients accessing that
> > nameserver constantly through the firewall.
> >
> > I wouldn't touch query-source unless you have to because of the limitations of
> > your firewall software.
> >
> > Obviously, if you decide to locate your internal nameserver outside of the
> > firewall, you'd want to set an allow-query to prevent external access. Slightly
> > less obviously, if you locate your internal nameserver INside of the firewall,
> > but you have to set query-source to port 53, you may also want to set an
> > allow-query, because in that case your firewall probably won't be able to
> > distinguish incoming queries from incoming query-responses and outgoing
> > query-responses from outgoing queries. If you're just forwarding all queries
> > for Internet names through your firewall to your ISP's nameservers, however,
> > and you can write a firewall rule limiting DNS activity to your nameserver and
> > its forwarders, then perhaps the allow-query might be technically unnecessary
> > (still, it wouldn't hurt to be a little paranoid!)...
> >
> >
> > - Kevin
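As an added illustration (not from either poster, and not configuration from their sites), here is a BIND named.conf fragment for the arrangement Kevin describes: an internal caching nameserver that sits inside the firewall, forwards all Internet queries to the ISP's resolvers, and answers only internal clients. The internal address range and the forwarder addresses are placeholders; the allow-query, forwarders, forward and query-source statements are standard BIND options.

```text
options {
    directory "/var/named";

    // Answer queries only from internal clients (assumed RFC 1918 range
    // and the loopback address); everything else is refused.
    allow-query { 192.168.0.0/16; 127.0.0.1; };

    // Send every query we cannot answer from cache or our own zones to the
    // ISP's resolvers (documentation-range placeholders).  "forward only"
    // stops the server from falling back to direct recursion if the
    // forwarders are unreachable, which keeps the firewall rule simple.
    forwarders { 203.0.113.1; 203.0.113.2; };
    forward only;

    // Leave query-source at its default (a random unprivileged port) unless
    // the firewall cannot pass the replies.  Pinning it to port 53, as below,
    // is the case Kevin warns about: the firewall can no longer tell an
    // outbound query from an outbound response, so allow-query above becomes
    // the only thing stopping outside hosts from using this server.
    // query-source address * port 53;
};
```

With this in place, the only DNS rule the firewall needs is one that permits UDP and TCP port 53 from the internal nameserver's address to the two forwarders (and the replies back), so the internal clients never talk to outside nameservers at all, which is the arrangement Adam describes above.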