
List:       firewall-1
Subject:    Re: AW: [FW1] Re: FW DNS
From:       "Brian Scott" <bscott () systema ! westark ! edu>
Date:       1998-03-30 20:35:17


On 26 Mar 98 at 18:24, Guenthner, Ralf DIVS       61 wrote:

> 
> Dave, I agree with your line of thought, excepting this statement
> 
> >>unprotected DNS is probably not a good idea, I'd much rather people go
> >>after one on my firewall than one running on an internal machine.
> 
> If I place my DNS *behind* the firewall, someone would have to
> compromise the FW first to reach the DNS, right? This is hard enough
> to start with. But if I run the DNS *on* the firewall, DNS becomes
> one more potential point of break-in to the firewall itself. Do you
> see the difference? I may be mistaken, but I think it matters.

Since DNS is such a low load service, I run both external and 
internal DNS on the same internal machine.  External DNS being on a 
non-standard port, and Firewall-1 translates.

