[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
- <!--x-content-type: text/plain -->
- <!--x-date: Fri Dec 10 19:25:15 2004 -->
- <!--x-from-r13: obo ng irelfrpheryvahk.pbz (Pbo Fbkra) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] DNS best practices -->
- <li><em>date</em>: Fri Dec 10 19:25:15 2004</li>
- <li><em>from</em>: bob at verysecurelinux.com (Bob Toxen)</li>
- <li><em>in-reply-to</em>: <<a href="msg00429.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00429.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] DNS best practices</li>
> I was hoping to draw on your expertise to get an idea of some best
> practices for DNS.
> I'm trying to determine if it is best to have one DNS server, or
> multiple DNS servers for an environment. The environment consists of a
> few hosts in a DMZ, with many hosts behind a firewall (behind the DMZ).
> The hosts behind the firewall are divided up into vLANs, and are in
> several subdomains. Does it make sense to put a single DNS server in the
> DMZ, and use that, or would you recommend putting the server elsewhere?
> If machine resources are scarce, I don't want to have to create a lot of
> DNS servers.
> I appreciate any suggestions.
If your firewall is good, i.e., someone on the Internet cannot spoof
packets to appear to come from your DNS server, then one DNS server
(or a pair for redundancy) in the DMZ should suffice, assuming it is
running on a hardened Linux or UNIX system.
Of course, you'll want to ensure that your internal DNS entries cannot be
obtained by anyone from the Internet. Of course, properly configuring
a DNS server is non-trivial. You'll also want to ensure that it's kept
up-to-date w.r.t. security patches.
> -ronc
Bob Toxen
Fly-By-Day Consulting, Inc.
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"
<a rel="nofollow" href="http://www.verysecurelinux.com";>http://www.verysecurelinux.com</a> [Network & Linux/Unix Security Consulting]
<a rel="nofollow" href="http://www.realworldlinuxsecurity.com";>http://www.realworldlinuxsecurity.com</a> [My 5* book: "Real World Linux Security"]
bob at verysecurelinux.com (e-mail)
+1 770-662-8321 (Office: 10am-6pm M-F US Eastern Time)
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00443" href="msg00443.html">[ale] DNS best practices</a></strong>
<ul><li><em>From:</em> hbbs at comcast.net (Jeff Hubbs)</li></ul></li>
<li><strong><a name="00641" href="msg00641.html">[ale] DNS best practices</a></strong>
<ul><li><em>From:</em> mattyml at bellsouth.net (mattyml at bellsouth.net)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00429" href="msg00429.html">[ale] DNS best practices</a></strong>
<ul><li><em>From:</em> ron.cordell at sipstorm.com (Cordell, Ron)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00440.html">[ale] updating RH9</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00442.html">[ale] updating RH9</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00429.html">[ale] DNS best practices</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00443.html">[ale] DNS best practices</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00441"><strong>Date</strong></a></li>
<li><a href="threads.html#00441"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>