[dns-operations] Best Practices in DNS security

Roland Dobbins rdobbins at cisco.com
Fri Mar 17 17:01:47 UTC 2006

On Mar 17, 2006, at 7:30 AM, Robert Story wrote:

> Is a separate IP strictly necessary? What if the firewall redirected
> DNS queries from one source to a separate copy of bind running on
> a non-standard port? Best I can figure out, the authoritative
> nameserver should get port 53, and the firewall (or local packet
> filters on the machine) would redirect internal queries to the caching
> resolver running on a non standard port.

Putting a firewall (or any other type of device which maintains  
state) in front of your authoritative nameservers is a Bad Idea, IMHO.

Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck

More information about the dns-operations mailing list