[c-nsp] Best practice to put a DNS server at same lan segment as main internet gateway

[Randy Bush]

> can you explain this?
>> A *stateful* firewall for *DNS* is asking for trouble.
>> OTOH, nothing wrong with adding a packet filter in front of the
>> (adequately hardened) machine.

put the server on as simple a topology as possible, at a real
ip address, and near your egress.

enable ipfw or other packet filtering on the host.  run only
named, ntp, and ssh services.  filter all other connections.

randy
---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?