Firewall Wizards mailing list archives
Re: dns outbound
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Mon, 17 May 1999 12:58:57 -0400 (EDT)
> I have gotten a request to allow all clients behind a firewall to have unrestricted access to dns servers outside the firewall. Can I get help in coming up with pros and cons of doing that? I tried to search the archives but the search page is not working properly. I am not comfortable in allowing udp packets outbound from all systems. If it helps we are using firewall-1.

First, ascertain what the requesters really WANT, as opposed to what they think they're asking for.

Is there some strange, obscure reason that they feel they need direct access to the external DNS servers? [And, if so, would it suffice to set up a walled-off separate machine in the FW-1 "DMZ" from which such access were available?]

Or do they need to be able to resolve data from all external DNS servers?

The latter case is provided by almost every firewall. I'm not familiar with what FW-1 does for this. FWTK and Gauntlet use BIND's 'named' to provide separate DNS to the inside and outside, especially now that 8.2 allows that for even more cases. Raptor does the same thing with some more-limited DNS server of their own. ANS Interlock does not serve DNS on the firewall, but has a DNS proxy that allows much the same services, relying on name servers inside and outside the firewall.

--
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.