Re: DNS best pratice???
From: Herb Martin (news_at_LearnQuick.com)
Date: 12/15/04
- In reply to: Dan: "DNS best pratice???"
Date: Wed, 15 Dec 2004 17:41:13 -0600
"Dan" <Dan@discussions.microsoft.com> wrote in message
news:E2381914-8CD5-4933-A507-94059D1BBC16@microsoft.com...
> Currently my internal DNS servers are forwarding requests to a FreeBSD box
> in my DMZ. That system is then forwarding requests to my company's ISP's DNS
> servers.
That's fine and fairly normal. It offers several
advantages.
> Is there any reason to keep the config this way, or is it better to
> have my internal servers forward requests directly to the ISP's DNS servers?
It's fine the way it is (if it works for you).
Especially if your inside (BSD) forwarder
has to handle lots of requests OR it's dealing
with a slow WAN line.
> Since my DNS servers are making the original request, I wouldn't have to
> open a port on my firewall would I?
If it is a good firewall and currently properly secured you
would.
> Is there a security benefit in the first scenario that I'm overlooking?
Not so much security, since presumably your ISP is
reasonably trustworthy, but there is the issue that your
internal DNS (which may even be DCs) don't need
ANY penetration of the (outer) firewall.
It offers some caching benefits with some limited WAN
bandwidth conservation.
It also gives you a place to pull some of the advanced
(or goofy) DNS tricks that some of us perform.
The only negative is if the BSD is down, then Internet
resolution fails.
For me this is no problem since my firewall itself (not
a DMZ machine) performs this role and so if it is down
nothing goes out that way anyway.
-- Herb Martin
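
The forwarding chain discussed in this thread, sketched as an added configuration example that is not part of the original post. It assumes the DMZ forwarder runs BIND (the thread does not say which DNS software is used); every address is a constructed placeholder.

```conf
// named.conf for the DMZ forwarder (added example; BIND is an assumption).
// Chain: internal DNS servers -> this host -> ISP resolvers.
//
// Firewall expectations that go with this layout:
//   inner firewall: only the internal DNS servers may reach this host on 53
//   outer firewall: only this host may reach the ISP resolvers on 53
// The internal DNS servers (possibly DCs) never cross the outer firewall.

acl internal_dns {
    10.0.0.10;          // internal DNS server 1 (hypothetical address)
    10.0.0.11;          // internal DNS server 2 (hypothetical address)
};

options {
    // Listen only on the DMZ interface (placeholder address).
    listen-on    { 192.0.2.53; };
    listen-on-v6 { none; };

    // Answer and recurse only for the internal DNS servers, so the
    // forwarder cannot be used as an open resolver from other networks.
    allow-query     { internal_dns; };
    allow-recursion { internal_dns; };
    recursion yes;

    // Send everything to the ISP resolvers and never walk the root
    // hierarchy directly; answers are cached here, which is where the
    // WAN bandwidth saving comes from.
    forward only;
    forwarders {
        198.51.100.1;   // ISP resolver 1 (placeholder)
        198.51.100.2;   // ISP resolver 2 (placeholder)
    };
};
```

On the internal DNS servers the only forwarder configured would be the DMZ address (192.0.2.53 in this sketch).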