Old 06-21-2008, 04:55 PM
James
 
firewall + dns secondary

Hello,

I'm adding primary and secondary name servers to my small (5 static) ip
network.


Are there any security reasons that I should not run the secondary
(Bind) name server on the firewall (iptables) directly?




--
gentoo-user@lists.gentoo.org mailing list
 
Old 06-21-2008, 05:59 PM
Uwe Thiem
 
firewall + dns secondary

On Saturday 21 June 2008, James wrote:
> Hello,
>
> I'm adding primary and secondary name servers to my small (5
> static) ip network.
>
>
> Are there any security reasons that I should not run the secondary
> (Bind) name server on the firewall (iptables) directly?

Well, security holes have been discovered in bind in the past - and
there are no reasons to assume none will be found in the future. ;-)
Once your firewall is compromised, your whole network is under
threat.

Though the risk is probably small, you can avoid it easily. Run bind
on one of the boxes behind your firewall. Forward port 53 from your
fw to that box. Announce your FW as the secondary name server.

Uwe

--
Ignorance killed the cat, sir, curiosity was framed!
--
gentoo-user@lists.gentoo.org mailing list
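One way to set up the forwarding Uwe describes (firewall announced as the secondary NS, BIND actually running on a box behind it), written as an added example rather than code from the thread. The interface name `eth0`, the public address `192.0.2.10` and the internal address `10.0.0.53` are placeholders I chose; the `IPT` variable lets you print the rules with `IPT=echo` before applying them.

```shell
#!/bin/sh
# Added example (not from the thread): announce the firewall as the secondary
# name server, but keep BIND on an internal box and have the firewall DNAT
# port 53 to it, as the reply above suggests.
# All addresses and interface names below are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"               # firewall interface facing the Internet
PUBLIC_IP="${PUBLIC_IP:-192.0.2.10}"   # public address published in the NS record
DNS_BOX="${DNS_BOX:-10.0.0.53}"        # internal box that actually runs BIND
IPT="${IPT:-iptables}"                 # set IPT=echo to preview rules without applying

dns_forward_rules() {
    # DNS needs UDP for ordinary queries and TCP for truncated answers and
    # zone transfers, so both protocols are redirected.
    for proto in udp tcp; do
        # nat/PREROUTING: rewrite the destination of port-53 traffic that
        # arrives for the firewall's own public address.
        "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$PUBLIC_IP" \
            --dport 53 -j DNAT --to-destination "$DNS_BOX:53"
        # filter/FORWARD: let only those rewritten packets reach the DNS box;
        # no other port on the internal network is exposed.
        "$IPT" -A FORWARD -i "$WAN_IF" -p "$proto" -d "$DNS_BOX" --dport 53 \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Replies and any related traffic flow back through connection tracking.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything else that tries to cross the firewall is dropped, so the
    # DNS box on port 53 is the only thing reachable from outside.
    "$IPT" -P FORWARD DROP
}

# Usage: sh dns-forward.sh apply            (installs the rules)
#        IPT=echo sh dns-forward.sh apply   (prints them instead)
if [ "${1:-}" = "apply" ]; then
    dns_forward_rules
fi
```

Because the DNAT happens in PREROUTING, the packets never reach the firewall's own INPUT chain, so port 53 stays closed on the firewall itself and no BIND process has to run there; the internal box still needs to be allowed out to the primary to pull its zones.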
 
Old 06-23-2008, 12:51 AM
James
 
firewall + dns secondary

Uwe Thiem <uwix <at> iway.na> writes:

> Are there any security reasons that I should not run the secondary (Bind) name
> server on the firewall (iptables) directly?

> Well, security holes have been discovered in bind in the past - and
> there are no reasons to assume none will be found in the future.
> Once your firewall is compromised, your whole network is under

> Though the risk is probably small, you can avoid it easily. Run bind
> on one of the boxes behind your firewall. Forward port 53 from your
> fw to that box. Announce your FW as the secondary name server.


Yep.
That's what I was thinking too.

thanks for confirming what I was leaning towards.


James





--
gentoo-user@lists.gentoo.org mailing list