DNS server and NAT frontend

Danny Mayer mayer at gis.net
Wed Jan 17 02:09:38 UTC 2001


Your boss knows nothing about security.  If the box is outside the
firewall, you are basically exposing it to any and all possible attacks
and it is particularly vulnerable to giving you major problems if it is hosting
internal domains.  You don't expose your internal network information
outside the firewall.  Also routers filter out 10.x.x.x IP Addresses so
that they don't get propagated.  In addition, you'll need to have an
additional server inside the firewall to field internal requests or you'll
need to open up the firewall to all of the individual internal systems
which defeats the purpose of the firewall.

                 Danny

At 10:58 PM 1/15/01, dd wrote:
>Hello all.  I have a simple question - does a DNS server have to be on the
>same (sub)net as the domain it's serving for?
>
>Here's my idea - the DNS box will be resolving for a real domain with real IP 
>addresses, but I want to put the DNS box behind a dual-homed box booting a 
>Linux Router Project floppy.  The DNS box and one of the nics in the LRP box 
>will be on a private IP (say 10.x.x.x), the other nic in the LRP box will have 
>a real IP.  I'll port forward the DNS ports from the LRP box to the DNS box 
>and port forward all other ports off to the bit bucket.  But will BIND work 
>that way or will it get confused?
>
>The boss wants the DNS box outside the firewall, so I want to do this so if 
>the script kiddies get hold of the box with the real IP on it, they will be in 
>for a disappointment.
>
>Yeah, I'm RTFM, but I haven't gotten to this chapter yet.  hehehe.
>
>Thanks for any help.
>
>Davidd
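The leak Danny warns about above (internal 10.x.x.x hosts appearing in a zone that a server outside the firewall would answer for) can be checked mechanically before the zone is handed to the public-facing box. The following script is an added example, not code from this thread or from BIND; the zone text, host names and addresses in it are constructed for illustration, and the record parser only handles the plain A/AAAA lines needed for this check.

```python
"""Audit a BIND-style zone file for RFC 1918 / ULA addresses.

Any host listed here with an internal address would expose internal
network layout if the zone were served from outside the firewall; the
usual fix is to keep such records in a separate internal-only zone (or
view) and publish only globally reachable addresses externally.
Added example; the sample zone below is constructed."""
import ipaddress
import re

# Constructed sample zone in the common BIND master-file layout.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. (1 7200 900 1209600 3600)
@        IN NS    ns1.example.com.
ns1      IN A     192.0.2.53      ; public address that NAT forwards to the DNS box
www      IN A     192.0.2.80
intranet IN A     10.1.2.3        ; internal-only host: must not be in the public zone
fileserv IN A     10.1.2.4
mail     IN AAAA  2001:db8::25
"""

# Networks that are never routable on the public Internet (RFC 1918 and IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# name [ttl] [IN] A|AAAA address   (class and TTL are optional in master files)
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>A|AAAA)\s+(?P<addr>\S+)",
    re.IGNORECASE,
)


def is_internal(addr):
    """True if addr falls inside an RFC 1918 or ULA range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_address_records(zone_text, origin=None):
    """Return [(fqdn, address)] for every A/AAAA record.

    Strips ';' comments, tracks $ORIGIN, and expands '@' and relative
    owner names. Other record types and directives are ignored."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and other directives
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if name == "@":
            fqdn = origin or "@"
        elif name.endswith("."):
            fqdn = name
        else:
            fqdn = f"{name}.{origin}" if origin else name
        records.append((fqdn, m.group("addr")))
    return records


def find_internal_leaks(zone_text):
    """Return [(fqdn, address)] for records pointing at internal addresses."""
    leaks = []
    for fqdn, addr in parse_address_records(zone_text):
        try:
            if is_internal(addr):
                leaks.append((fqdn, addr))
        except ValueError:
            continue                      # malformed address; not this check's job
    return leaks


if __name__ == "__main__":
    for fqdn, addr in find_internal_leaks(SAMPLE_ZONE):
        print(f"LEAK: {fqdn} -> {addr} (internal address in externally served zone)")
```

Run it against the zone destined for the public-facing server; each reported record should be moved to the internal zone that the second, inside-the-firewall server answers from.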
