[c-nsp] Best practice to put a DNS server at same lan segment as main internet gateway

cisco at confluence.com cisco at confluence.com
Tue Jun 21 16:54:58 EDT 2005


bmanning at vacation.karoshi.com wrote:
>	you have described a complex, error prone
>	configuration.  take the DNS server platform and ensure that
>	it only runs the basic set of services...  

AND

randy at psg.com wrote:
>put the server on the public network.  complexity is the path to
>failure.

Whatever happened to having a server that is not only hardened at the OS
level, but also on a DMZ with publicly reachable (non-NATed) address space
that is behind a stateful firewall?  In that regard, following the advice
given by the two above should give you the ideal solution, as long as you
have the address space available.

My only question would be if a single pix can support both NATing a private
workstation subnet while not NATing a DMZ subnet.  I've always viewed pixen
as NAT boxes - can they do both NAT and non-NAT on the same box based on the
interface used?  If so, that would probably be your best route.
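For reference, this is what the "NAT for the inside, no NAT for the DMZ" split looks like on a three-interface PIX in 6.x syntax. It is an added illustration, not configuration posted by anyone in the thread, and the interface names, security levels and RFC 5737 documentation addresses (203.0.113.0/24, 192.168.1.0/24) are assumptions chosen for the example:

```text
! Assumed three-interface layout (example only)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 203.0.113.17 255.255.255.240

! Private workstation subnet: PAT everything behind the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

! DMZ carries real public addresses: identity NAT so DMZ hosts go out unchanged
nat (dmz) 0 203.0.113.16 255.255.255.240

! Identity static so the outside can initiate connections to the DNS server
! (assumed address 203.0.113.18) at its real address, with no translation
static (dmz,outside) 203.0.113.18 203.0.113.18 netmask 255.255.255.255 0 0

! Only DNS is allowed in from the Internet to the DMZ resolver;
! the stateful inspection still applies, NAT is simply absent on this path
access-list outside_in permit udp any host 203.0.113.18 eq domain
access-list outside_in permit tcp any host 203.0.113.18 eq domain
access-group outside_in in interface outside
```

Two caveats worth checking on the real box: `nat 0` without an access-list only exempts outbound (higher to lower security) traffic, so the `static` is what lets inbound queries reach the server untranslated; and the inside-to-DMZ path is a separate higher-to-lower transition that needs its own `global (dmz)` pool or a `nat (inside) 0 access-list` exemption if inside hosts are to query the resolver by its public address.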


More information about the cisco-nsp mailing list