[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]

> On Fri, Dec 10, 2004 at 10:44:33AM -0500, Cordell, Ron wrote:
>> Hi all,
>
>> I was hoping to draw on your expertise to get an idea of some best
>> practices for DNS.
>
>> I'm trying to determine if it is best to have one DNS server, or
>> multiple DNS servers for an environment. The environment consists of a
>> few hosts in a DMZ, with many hosts behind a firewall (behind the DMZ).
>> The hosts behind the firewall are divided up into vLANs, and are in
>> several subdomains. Does it make sense to put a single DNS server in the
>> DMZ, and use that, or would you recommend putting the server elsewhere?
>> If machine resources are scarce, I don't want to have to create a lot of
>> DNS servers.
>
>> I appreciate any suggestions.
> If your firewall is good, i.e., someone on the Internet cannot spoof
> packets to appear to come from your DNS server, then one DNS server
> (or a pair for redundancy) in the DMZ should suffice, assuming it is
> running on a hardened Linux or UNIX system.
>
> Of course, you'll want to ensure that your internal DNS entries cannot be
> obtained by anyone from the Internet.  Of course, properly configuring
> a DNS server is non-trivial.  You'll also want to ensure that it's kept
> up-to-date w.r.t. security patches.

You can also use tiny DNS if security is imperative. TinyDNS is super easy
to setup, and contains the essentials required to run DNS. There is
a $500 reward to exploit it, and no one has claimed the cash yet.

>
>> -ronc
>
> Bob Toxen
> Fly-By-Day Consulting, Inc.
> "Your expert in Firewalls, Virus and Spam Filters, VPNs,
> Network Monitoring, and Network Security consulting"
>
&gt; <a  rel="nofollow" href="http://www.verysecurelinux.com";>http://www.verysecurelinux.com</a>       [Network &amp; Linux/Unix Security Consulting]
&gt; <a  rel="nofollow" href="http://www.realworldlinuxsecurity.com";>http://www.realworldlinuxsecurity.com</a> [My 5* book: &quot;Real World Linux Security&quot;]
&gt; bob at verysecurelinux.com (e-mail)
&gt; +1 770-662-8321  (Office: 10am-6pm M-F US Eastern Time)
&gt; _______________________________________________
&gt; Ale mailing list
&gt; Ale at ale.org
&gt; <a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
&gt;

Ryan Matteson - UNIX Administrator | GPG ID: 92D5DFFF
Public Key: <a  rel="nofollow" href="http://www.daemons.net/~matty/public_key.txt";>http://www.daemons.net/~matty/public_key.txt</a>
Fingerprint = 4BEC 6145 30A6 BCE6 5602 FF11 4954 165D 92D5 DFFF


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00643" href="msg00643.html">[ale] DNS best practices</a></strong>
<ul><li><em>From:</em> jdr at xcorps.net (Jonathan Rickman)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00429" href="msg00429.html">[ale] DNS best practices</a></strong>
<ul><li><em>From:</em> ron.cordell at sipstorm.com (Cordell, Ron)</li></ul></li>
<li><strong><a name="00441" href="msg00441.html">[ale] DNS best practices</a></strong>
<ul><li><em>From:</em> bob at verysecurelinux.com (Bob Toxen)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00640.html">[ale] ssh for automated management</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00642.html">[ale] OT BS DSL/DNS</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00444.html">[ale] DNS best practices</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00643.html">[ale] DNS best practices</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00641"><strong>Date</strong></a></li>
<li><a href="threads.html#00641"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>