[dns-operations] Best Practices in DNS security
Roland Dobbins
rdobbins at cisco.com
Fri Mar 17 17:01:47 UTC 2006
On Mar 17, 2006, at 7:30 AM, Robert Story wrote:
> Is a separate IP strictly necessary? What if the firewall redirected
> DNS queries from one source to a separate copy of bind running on
> a non-standard port? Best I can figure out, the authoritative
> nameserver should get port 53, and the firewall (or local packet
> filters on the machine) would redirect internal queries to the caching
> resolver running on a non-standard port.
Putting a firewall (or any other type of device which maintains
state) in front of your authoritative nameservers is a Bad Idea, IMHO.
----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Everything has been said. But nobody listens.
-- Roger Shattuck