Opinion wanted: DNS with firewall setup

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 17 04:57:24 UTC 2001


Jozef Skvarcek wrote:

> Hello,
>
> I am planning to deploy following DNS topology and I am interested in
> the opinion of those who care. I want to put master server for our
> domains on the internal network then couple slaves in the DMZ. The
> master and another internal slave will forward recursive queries
> from internal clients to the slaves in the DMZ. Then I want to set up
> few external non-recursive slave servers that will be publicly
> authoritative for our zones. The external servers will have to transfer
> the zone files from the DMZ slaves. Will the latter work?

I think that should work, but it may be less than optimal. It means that
every time a change is made to one of your zones, it has to transfer
*twice* -- once to the DMZ slaves and then again to the external slaves --
before the public will see the new data. Maybe that's important to you,
maybe not. From the standpoint of propagating changes quickly, you want
only a single hop from the master to the registered servers that the public
will use to resolve your names. I assume that your firewall architecture
somehow precludes zone transfers directly from an internal master to
external slaves (???)

> I don't want to place the external servers into the DMZ in order to
> save some resources on the firewall, the external servers will be placed
> behind a hardware packet filtering device anyway. We have some dynamic
> zones too, therefore, I do not want to place the master into the DMZ
> (again, trying to save firewall resources).

Is there some reason why you must have a "master" server which is master
for *all* of your zones? In your situation, I think maybe I'd master the
dynamic zones on an internal server, and then, to eliminate the
"double-slaving" mentioned above, put the master for all
externally-accessible zones in the DMZ. Of course, I'm assuming here that
the dynamic zones aren't *also* externally-visible. If they are, then
I don't see any good way of economizing your firewall traffic, since the
changes will have to propagate one way or the other in order to be
externally visible.

Another thing to consider is whether you really want the data in your zones
to be as visible externally as it is internally. Now, maybe you have all of
your internal names sectioned off into subdomains that are not visible
externally. If so, congratulations! But if, as with most of us, your users
and/or management have nixed the idea of "ghettoizing" all of your internal
names into separate subdomains, and if you don't want all of that internal
stuff to be visible, then you have to implement so-called "split DNS" where
you have separate versions of at least some of your zones, versions which
are _either_ externally or internally visible. In your case, maybe you
would have the internal versions of such zones hosted completely
internally, and then your DMZ master would feed the external versions of
those zones to your external slaves. I think this would reduce the firewall
traffic significantly (the only thing that would be more firewall-friendly
would be to completely externalize your master, but that might generate too
much security exposure and/or make it hard for you to maintain the zone
data).

You might also want to consider completely separating recursive from
non-recursive services.

> Is it worth setting up DNSSEC these days? i.e. would someone out there on
> the web be able to take advantage of it? I successfully installed DNSSEC
> in the lab, however, I haven't tried to contact DNS admin of our parent
> zone (.com) in order to get my keys signed. Does anyone have any
> experience with that?

I think the .com server operators are still waiting for BIND 9 to shape up
before they would even consider signing the zone. There are serious
performance and capacity concerns involved with signing a zone as large as
.com. Even if they signed the zone tomorrow, the deployment of
DNSSEC-capable servers and clients is likely to be patchy and slow.

On the other hand, there's a lot to be said for leading the way, setting a
good example, etc. If everyone waits for "the other guys" to implement
DNSSEC, it'll never get implemented...


- Kevin
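
As an added example, not from the original thread or from Kevin's own
configs, the layout he suggests above (dynamic zones mastered internally,
the external version of the split zone mastered in the DMZ with a single
AXFR hop to the public slaves, and recursive service kept on a separate box
from authoritative service) expressed as four named.conf fragments, one per
server role. Zone names, addresses (RFC 5737 documentation ranges), file
paths and the TSIG secret are assumptions for illustration only.

```conf
// Constructed example: four named.conf fragments, one per server. Each
// "options" block belongs to a different machine; do not paste them into
// one file. Names, addresses, paths and the key secret are assumptions.

// ---------- 1. Internal server: master for the dynamic zone and for the
// ---------- internal version of example.com; recursive resolver for
// ---------- internal clients. Never reachable from outside.
acl internal-nets { 10.0.0.0/8; 127.0.0.1; };

key "dyn-update" {
    algorithm hmac-sha256;                         // hmac-md5 was the only TSIG choice in 2001
    secret "dGhpcy1pcy1hbi1leGFtcGxlLW9ubHk=";    // example value only; generate a real one
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal-nets; };
    allow-query     { internal-nets; };
    allow-transfer  { none; };                     // internal data never leaves by AXFR
    forwarders      { 192.0.2.10; };               // DMZ recursive resolver (fragment 2)
    forward only;
};

zone "corp.example.com" {                          // dynamic zone: stays internal
    type master;
    file "master/corp.example.com";
    allow-update { key "dyn-update"; };
};

zone "example.com" {                               // internal version of the split zone
    type master;
    file "master/example.com.internal";
};

// ---------- 2. DMZ recursive-only resolver (192.0.2.10): serves the
// ---------- internal forwarders and holds no zones of its own.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.0.2.0/24; };
    allow-query     { 10.0.0.0/8; 192.0.2.0/24; };
    allow-transfer  { none; };
};

// ---------- 3. DMZ authoritative-only master (192.0.2.20) for the external
// ---------- version of example.com: one AXFR hop to the public slaves.
options {
    directory "/var/named";
    recursion no;                                  // authoritative and recursive service kept apart
    allow-query    { any; };
    allow-transfer { none; };                      // the per-zone allow-transfer below overrides this
    notify explicit;
    also-notify { 198.51.100.53; 203.0.113.53; };  // the registered public slaves
};

zone "example.com" {
    type master;
    file "master/example.com.external";
    allow-transfer { 198.51.100.53; 203.0.113.53; };
};

// ---------- 4. Public slave (198.51.100.53 and 203.0.113.53): non-recursive,
// ---------- pulls directly from the DMZ master.
options {
    directory "/var/named";
    recursion no;
    allow-query    { any; };
    allow-transfer { none; };
};

zone "example.com" {
    type slave;                                    // newer BIND also accepts "secondary"
    file "slave/example.com";
    masters { 192.0.2.20; };                       // newer BIND also accepts "primaries"
};
```

Because the internal and external versions of example.com live on different
servers, no BIND 9 views are needed for the split; a change to the external
version transfers once, from the DMZ master straight to the public slaves.
Each fragment can be syntax-checked on its own host with `named-checkconf`
before it is loaded.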