This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

primary DNS

I have ASL box with 3 net cards (EXT, DMZ, INT).
Must setup primary domain server for my domain.
I am planning to put bind server to the machine inside DMZ.

Which is best for outside (internet) users to access domain server:

1: ASL DNS proxy is enabled, with forwarding name server set to real primary domain server (in DMZ),
On ASL: Interfaces to listen on: all three (EXT, DMZ and INT), Allowed Networks: ANY

2: ASL DNS proxy is disabled, and all DNS traffic is NAT-ed to real DNS server through ASL.

My first choice would be with DNS proxy enabled,
but in this case I am a little bit concerned about zone transfer to my secondary DNS server on my ISP.

So, which way is better?

Thx all!!!

This thread was automatically locked due to age.

0 noexploit over 22 years ago

The first option is interesting.  I never thought to have the ASL box proxy DNS requests for internet users.  However I think you will have problems with zone transfers for two reasons.

1.  Zone transfers per RFC RFC 1034 §4.3.5., happen over TCP not UDP.  Depending on how the DNS proxy works, I doubt it will allow the zone transfers.

2.  Security may be a problem.  I am pretty sure you can specify on the BIND server who is allowed to participate in a zone transfer, but a layered approach is better by setting up rules on your firewall to only allow port 53 TCP traffic from specific hosts to your BIND server in the DMZ.

Hope some of this is of value.
Cancel
Vote Up 0 Vote Down

Cancel