[c-nsp] DNS rewrite & global capabilities

sthaug at nethelp.no
Mon Jun 29 10:40:33 EDT 2009


> > But even more than that, putting your public-facing DNS (or any other 
> > kind of server) behind a firewall is a very serious architectural 
> > mistake; firewalls in front of public-facing servers provide no 
> > security value whatsoever, and degrade the overall security posture 
> > due to the issues denoted above.
> 
> This seems to imply that the servers would need a second interface for 
> management, with static routes over-riding the default? Is this your 
> preferred approach?

SSH through the regular Internet-facing interface, with appropriate
restrictions (hosts.allow or similar) also works very well. We have
our DNS servers configured this way, and see no problems.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

