
List:       sidewinder
Subject:    Re: [Sidewinder] DNS Best Practices Question
From:       sidewinder () adeptech ! com
Date:       2004-12-04 9:05:03
Message-ID: 41B17DBF.5050203 () mn ! rr ! com

With regard to the UDP proxy latency issue -- it must be ACL checked for 
the first hit to that site's server.  Once the rule is checked, is it 
cached for that IP, maybe?  So subsequent lookups at that server would 
be allowed right away.

I saw the following in my "cf acl q":

    acl set loglevel=2 cache=1

This would imply a caching issue with ACLs perhaps.  But your assertion 
about this not being a DNS caching issue is right.

--HA

sidewinder@adeptech.com wrote:

> Here is my $.02.  It sounds as though you are running a split DNS 
> configuration with both internal and external DNS servers at your site 
> (great design).  I tend to look at the external DNS servers simply 
> providing the "public" information required to access systems at your 
> site.  I would ask "why do you forward to them?".   When the internal 
> DNS servers need to resolve other domains, they need to get to the 
> internet; no local server has this information.  Here again "why 
> forward?".
>
> IMHO, let the external DNS servers handle ONLY queries from external 
> sites about your domain.
> Now, you want the internal servers to resolve public information for 
> your local nets.  Reducing the forwarding will reduce the latency.  If 
> you are ultra conservative, I believe there are some types of cache 
> poisoning that the Sidewinder can help protect against; though I think this is 
> an extremely low risk.  I would recommend the first option below, but 
> the second could be argued as being slightly more secure:
>
> 1) Configure your internal DNS servers to have a hints zone and 
> resolve information directly from other DNS servers on the Internet.  
> Configure the DNS proxy to handle these connections outbound.
>
> 2) Configure the secure split DNS server on the firewall, but do not 
> have the external DNS on the firewall resolve any information for the 
> public.  Use it to simply handle the forwarded requests from the 
> internal DNS servers.
>
> A couple other things to consider.  BIND has had a history of security 
> vulnerabilities.  IMO, removing this service from the firewall is a 
> good idea.  Using the DNS proxy allows you to do this.  Another note, 
> we found the UDP proxy to add a higher latency than one might expect 
> during the first lookup to a site (this was not a caching issue).  I 
> wonder if others have actually noticed this?
>
>
> sidewinder@adeptech.com wrote:
>
>> Good afternoon list,
>> Currently we have 3 SideWinders that are sending outbound traffic to 
>> the Internet.
>> When a DNS request comes in we have it forward from internal to 
>> external {set as yes for do forwarding, and yes for forward only}; the 
>> external DNS servers then send the request to one of three main DNS 
>> servers at our ISP {set as yes for do forwarding, and no for forward 
>> only}.
>>
>> Well, yesterday all three of the DNS servers at our ISP had major 
>> issues and it caused DNS related issues within the company. As a 
>> result several discussions were held as to the industry's Best 
>> Practice on this.
>>
>> What are the current thoughts on "Best Practice" for this? Should we 
>> forward the DNS request to these other DNS servers, or should we have 
>> the SideWinders do the work themselves? What is the industry doing?
>>
>> Your thoughts and comments would be appreciated.
>>
>> Richard St. John
>> Graybar Electric Company
>>

_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
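The three server roles discussed in this thread, written out as BIND named.conf excerpts: the "forward only" internal resolver from the original question, the hints-zone internal resolver from option 1 of the reply, and an authoritative-only external server. This is an added illustration, not configuration from any list member or from the Sidewinder product; the addresses, zone name, file paths and internal network range are constructed placeholders, and each excerpt is a separate named.conf (a single file may contain only one options block).

```conf
// === Internal resolver as described in the question: forward only ===
// Every name outside the company is handed to the ISP's resolvers.
// With "forward only" there is no fallback, so when all three ISP
// servers fail, external name resolution fails with them.
options {
    directory "/var/named";
    forwarders { 203.0.113.10; 203.0.113.11; 203.0.113.12; };  // ISP resolvers (constructed)
    forward only;                      // never resolve iteratively on our own
    allow-recursion { 10.0.0.0/8; };   // assumed internal client range
};
zone "example.net" {                   // internal view of the company zone (constructed name)
    type master;
    file "internal.example.net.zone";
};

// === Internal resolver, option 1 from the reply: hints zone, no forwarders ===
// The server walks the tree from the root servers itself; the only thing
// between it and the Internet is the firewall's outbound DNS proxy rule.
// Losing the ISP's resolvers no longer affects internal name resolution.
options {
    directory "/var/named";
    allow-recursion { 10.0.0.0/8; };   // recursion for internal clients only
};
zone "." {
    type hint;
    file "named.root";                 // root server list (assumed path)
};
zone "example.net" {
    type master;
    file "internal.example.net.zone";
};

// === External (public) server, per the reply: answer ONLY for your own zone ===
// "recursion no" means it will not look up other domains for anybody,
// which removes it as an open resolver and as a cache-poisoning target.
options {
    directory "/var/named";
    recursion no;                      // authoritative answers only
    allow-query { any; };              // the public may ask about our zone
};
zone "example.net" {
    type master;
    file "external.example.net.zone";  // public hosts only
};
```

Replacing "forward only" with "forward first" on the ISP-facing server keeps the forwarders but falls back to iterative resolution when they do not answer, which is the "no for forward only" setting the question describes.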