The main idea of the scenario I described, or rather of a would-be scenario, is that only the secondary can be compromised. And if it is compromised, it should not lead to compromising any internal hosts. The way DNS zone transfers work doesn't seem to offer a completely secure solution, does it? In the scenario you suggested not only the secondary can be compromised but the whole internal network can be compromised once the secondary is compromised.

Regards,
Sergey

"Me" on 04/24/2001 04:58:35 PM

Please respond to "Me"

To: comp-protocols-dns-bind@moderators.isc.org
cc: (bcc: Sergey Nikolaev/SIAC)
Subject: Re: bind and firewall opinion is needed

Put them both behind the firewall and open up UDP from the Internet to the secondary only. Use a disk imaging program, such as Powerquest's Drive Image Pro v4, to create a disaster recovery backup (assuming you're running on an Intel processor or could install the hard drive temporarily in an Intel box). Don't allow either the master or secondary to have domain accounts, so they are the only things that could get compromised. If they are, just restore the backup image and the current backup of the zone files.

Ray

> In the case when the master is behind the firewall (hidden from the internet) and
> the secondary is in front of the firewall (exposed to the internet), to facilitate
> zone transfers FW rules are required that allow bidirectional udp port 53 and
> unidirectional tcp port 53 from secondary to primary.
>
> While this configuration has some security advantages, it has drawbacks too.
> If the secondary is compromised, there is the open incoming hole to the primary,
> tcp and udp port 53.
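The hidden-master layout quoted above cannot close the inbound port 53 hole entirely, because the secondary is the side that initiates AXFR over TCP and the SOA serial checks over UDP. What the master can do is narrow what that hole is good for. The following named.conf fragments are an added example written for this thread, not configuration posted by any of the participants; they use BIND 9 syntax, placeholder addresses (192.0.2.5 for the hidden master, 203.0.113.10 for the exposed secondary, 192.0.2.0/24 for the internal network) and a placeholder TSIG secret. The master accepts zone transfers only when they are signed with the shared key, answers ordinary queries only for internal clients and the secondary, and refuses recursion, so a compromised secondary reaching TCP/UDP 53 on the master gets nothing beyond the zone data it already holds.

```conf
// ---- Hidden master (192.0.2.5), behind the firewall ----
// Placeholder key: generate a real secret with tsig-keygen (or dnssec-keygen)
// and install the same key statement on both servers.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Sign every message the master sends to the secondary (NOTIFY included)
// and require the secondary's messages to carry the same key.
server 203.0.113.10 {
    keys { "xfer-key"; };
};

options {
    directory "/var/named";
    listen-on { 192.0.2.5; };
    // Ordinary queries: internal clients, plus the secondary for its SOA
    // refresh checks (UDP 53 secondary -> master, the inbound UDP rule).
    allow-query { 192.0.2.0/24; 203.0.113.10; };
    allow-recursion { 192.0.2.0/24; };   // never recurse for the secondary
    allow-transfer { none; };            // global default: no transfers at all
    notify explicit;                     // NOTIFY only the listed secondary
    also-notify { 203.0.113.10; };       // UDP 53 master -> secondary
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    // AXFR/IXFR (TCP 53 secondary -> master, the inbound TCP rule) is the
    // only thing the firewall hole is good for, and only with a valid TSIG.
    allow-transfer { key "xfer-key"; };
};

// ---- Exposed secondary (203.0.113.10), in front of the firewall ----
// Same key statement as above goes here.
options {
    directory "/var/named";
    allow-recursion { none; };           // authoritative-only towards the Internet
    allow-transfer { none; };            // do not re-export the zone
};

zone "example.com" {
    type slave;
    masters { 192.0.2.5 key "xfer-key"; };  // sign transfer requests to the master
    file "slave/example.com.zone";
};
```

The firewall rules the quoted message describes stay as they are (UDP 53 in both directions between the two hosts, TCP 53 from the secondary to the master only); the point of the configuration is that the master's side of those rules now answers only TSIG-signed transfer requests and plain lookups for a zone that is already public, and Ray's suggestion of keeping both servers free of domain accounts still applies to whatever else runs on the box.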