FW: [c-nsp] Best practice to put a DNS server at same lan segment as main internet gateway

Stranks Andy (RB4) Essex Shared Services Agency Andy.Stranks at essa.nhs.uk
Tue Jun 21 12:33:37 EDT 2005


Hi,

I'd agree with Randy under the condition that the DNS Server is bolted
down and patched up and that no business critical services are dependent
on the 'external' DNS server.

If you only have the one DNS server, or it performs Internet side
functions I would recommend bringing it inside the Firewall and creating
a 1-1 NAT for it. You'll need to allow your DNS server out to any IP
address on both TCP and UDP port 53. If your DNS server performs any
Internet side resolution (MX record handling, etc.) you will need to
allow all incoming to TCP and UDP 53.

Having the server inside the Firewall means you can turn back on things
like SSH.

Hope that helps

Andy

P.S. Keep It Simple Stupid (KISS) is usually the best way.
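The layout Andy describes (DNS host brought inside the PIX, a 1-1 static NAT for it, TCP and UDP 53 permitted in both directions and nothing else exposed) written out in PIX 6.x syntax. This is an added example, not configuration posted by anyone in the thread; the interface names, the addresses (203.0.113.x as the public range and 10.0.0.x as the inside range, both constructed) and the access-list names are assumptions, and the lines starting with "!" are annotations to strip before pasting.

```cisco
! Added example: PIX 6.x fragment for a DNS server kept inside the firewall.
! Interface names, addresses and access-list names are assumed, not from the thread.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

! 1-1 (static) NAT: the public address 203.0.113.10 maps to the inside DNS host 10.0.0.10
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0

! Inbound from the Internet: only DNS (UDP and TCP 53) to the server's public address.
! Everything else, including SSH to the server, is dropped by the implicit deny.
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-list outside_in permit tcp any host 203.0.113.10 eq domain
access-group outside_in in interface outside

! Outbound from the DNS server: DNS to any address on UDP and TCP 53 (recursion,
! forwarding, zone transfers). Applying an ACL on the inside interface replaces the
! default "inside may go anywhere" behaviour, so other inside hosts need their own rules.
access-list inside_out permit udp host 10.0.0.10 any eq domain
access-list inside_out permit tcp host 10.0.0.10 any eq domain
access-list inside_out permit ip 10.0.0.0 255.255.255.0 any
access-group inside_out in interface inside
```

With this in place the server is reachable from the Internet on port 53 only, while SSH and other management access work from the inside network without ever crossing the outside interface, which is the point Andy makes about being able to "turn back on things like SSH". If the server is authoritative only and never resolves on behalf of clients, the two outbound DNS lines can be dropped as well.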

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Randy Bush
Sent: 21 June 2005 15:40
To: Kim Onnel
Cc: Cisco List 2 (E-mail)
Subject: Re: [c-nsp] Best practice to put a DNS server at same lan
segment as main internet gateway

> I must put 2 servers at the same LAN segment where the internet
> gateway is. I have a 506 PIX and the servers are supposed to be tight,
> but still I feel that it's dangerous to do that.
>
> If I understand correctly, I will give the DNS server a private IP and
> let it PAT through the PIX to the DNS ports; for added security, I've
> placed it on a different switch.
>
> Any suggestions or ideas? Are there recommended configurations on PIX in
> this case?

yes, removal.

put the server on the public network.  complexity is the path to
failure.

randy

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
